
A few users reported their GateHub wallets being hacked and XRP sent to r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k



Popular Posts

On June 1 we were made aware of a theft of 201,000 XRP (transaction F6E9E1385E11649A6C2F88723A821AF209B54030886539DCEF9DDD00E6446948) and immediately started investigation. It turned out that the acco

Reminder: There is no direct evidence pointing to Gatehub being responsible even though it may appear as the most likely scenario right now. Just be careful about jumping to conclusions What you c

Hey all! We are aware of the matter and are looking into it. If anyone has any information please contact us at: security@gatehub.net   GateHub


1 minute ago, tulo said:

But some people were hacked with strong passwords. It's unlikely they bruteforced those.

Unless the same password was used in other sites that had been hacked successfully?  Just adding a thought.


I thought I read on multiple occasions that wallets were emptied without access to the GateHub account. There were no entries in the access log, no 2FA or IP alerts. So didn't the hackers just access hashed secret keys in combination with wallets? And that's why GH rehashed and re-keyed all the wallets last year.

10 hours ago, tulo said:

But some people were hacked with strong passwords. It's unlikely they bruteforced those.

 

10 hours ago, Tinyaccount said:

Unless the same password was used in other sites that had been hacked successfully?  Just adding a thought.

I don't know how people on the cracking sites work, but I expect it's not just brute forcing. I recall that for the most part it was high-value wallets that were reported as being hit, so it makes sense that specific hashes were chosen and then people would work specifically to break them, rather than just running everything through a script.

I assume that the crackers have access to other stolen databases, and even if people use unique passwords, a lot of the time they use different but similar passwords between sites, so perhaps a "human-assisted" brute force of limited scope is effective in some circumstances? Or social engineering tactics could have been used to help?

I can't remember reading about when the database was actually stolen, does anyone know? They could have been working on the passwords for over a year potentially. 

All just speculation. I would also be interested if anyone had insight into how these cracking communities work. 

 

6 minutes ago, Caracappa said:

I thought I read on multiple occasions that wallets were emptied without access to the GateHub account. There were no entries in the access log, no 2FA or IP alerts. So didn't the hackers just access hashed secret keys in combination with wallets? And that's why GH rehashed and re-keyed all the wallets last year.

I don't think hashed secret keys existed. What was exploited was that the Gatehub API would send encrypted secret keys to an authenticated user. These could be decrypted with the account password. API usage I don't think would be visible to the user on the website, although Gatehub reported that it had its own logs of "suspicious" API calls.

2fa was bypassed by stealing the API access tokens, effectively allowing the attacker to act as if they were already logged on and not requiring further authentication. They probably wouldn't have used the web interface to do anything, it would have been scripted API calls. 

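The post above describes the design that was exploited: the API handed an encrypted secret key to anyone holding a valid session token, and the blob was decryptable with the account password, so a password recovered from the leaked bcrypt hash was also the wallet decryption key, and a stolen token sidestepped 2FA. The following is an added example, not GateHub's code, of a hypothetical custodial backend that breaks both links: the secret is wrapped under a key derived from a separate wallet passphrase, and the export endpoint refuses to serve unless a 2FA step-up happened recently. The names `WalletStore`, `export_secret`, the HMAC-counter-mode cipher and all sample values are assumptions for the example (a real service would use a proper AEAD).

```python
import hashlib
import hmac
import os
import time


def derive_key(secret: str, salt: bytes) -> bytes:
    """Memory-hard KDF (stdlib scrypt); used for both the login-password hash and the wallet KEK."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a standard-library-only stand-in for an AEAD
    # (a real deployment would use AES-GCM or ChaCha20-Poly1305).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class WalletStore:
    """Hypothetical custodial backend (an assumption for this example, not GateHub's code)."""

    STEP_UP_MAX_AGE = 300  # seconds since the last 2FA success before a secret export is refused

    def __init__(self):
        self.users = {}

    def register(self, email, login_password, wallet_passphrase, secret_key: bytes):
        pw_salt, kek_salt = os.urandom(16), os.urandom(16)
        self.users[email] = {
            "pw_salt": pw_salt,
            "pw_hash": derive_key(login_password, pw_salt),  # plays the role of the bcrypt hash that leaked
            "kek_salt": kek_salt,
            # The secret is wrapped under a key derived from a SEPARATE wallet passphrase, so a login
            # password recovered from the leaked hash does not double as the decryption key.
            "blob": seal(derive_key(wallet_passphrase, kek_salt), secret_key),
        }

    def verify_login(self, email, login_password) -> bool:
        u = self.users[email]
        return hmac.compare_digest(u["pw_hash"], derive_key(login_password, u["pw_salt"]))

    def export_secret(self, email, wallet_passphrase, last_2fa_at, now=None):
        """Sensitive endpoint: a bearer token alone is not enough, a fresh 2FA step-up is required."""
        now = time.time() if now is None else now
        if now - last_2fa_at > self.STEP_UP_MAX_AGE:
            raise PermissionError("step-up authentication required")
        u = self.users[email]
        return unseal(derive_key(wallet_passphrase, u["kek_salt"]), u["blob"])


def demo():
    """Returns (exported secret, does the login password alone unlock the blob?, is a stale session refused?)."""
    store = WalletStore()
    # Constructed sample values; the secret is a placeholder string, not a real XRP seed.
    store.register("user@example.com", "Strongpassword123", "correct horse battery staple", b"sEdPLACEHOLDERSEED")
    now = time.time()
    exported = store.export_secret("user@example.com", "correct horse battery staple", last_2fa_at=now, now=now)
    u = store.users["user@example.com"]
    try:
        unseal(derive_key("Strongpassword123", u["kek_salt"]), u["blob"])
        coupled = True
    except ValueError:
        coupled = False
    try:
        store.export_secret("user@example.com", "correct horse battery staple", last_2fa_at=now - 3600, now=now)
        stale_refused = False
    except PermissionError:
        stale_refused = True
    return exported, coupled, stale_refused


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking in such a design are exactly the ones `demo()` returns: the login password, even if fully recovered offline, must not open the blob, and the export call must fail when the session's last 2FA success is older than the step-up window, which is what makes a stolen API token on its own insufficient.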

The perpetrator (me) has said everything on this thread, no need to speculate.

I believe I didn't insist on Hashkiller's involvement for nothing: they cracked bcrypt hashes, they targeted high value wallets and the whole hashkiller was on it given the rewards (I've talked about 50 000€, sometimes much more).

They used some already dumped passwords from other databases, for example:

userwithfunds@gmail.com:strongpassword123 -> LinkedIn breach

They tried the bcrypt hash of the GateHub database as follows:

Strongpassword123

Strongpassword123!

Userwithfunds123!

In short, they joined public dumps with gatehub dumps to crack most of the bcrypt, the other hashes were cracked with effort and willingness....

That's why I came to you: I was myself living a huge injustice.

I won't talk about the case, but some good news are coming for you.

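The post above says most bcrypt hashes fell to credentials joined from public dumps plus cheap variations (capitalisation, a trailing "!", the mailbox name with digits appended). The defender's mirror image of that is a password-set check that rejects not only passwords found in a breach corpus but also their obvious variants and anything derived from the account's own e-mail. The following is an added example, not code from GateHub or HIBP: the breach corpus is a constructed in-memory set, `normalize` and `evaluate` are assumed helper names, and the k-anonymity prefix function only shows what a client would send to a range API (the real service is not contacted).

```python
import hashlib
import re

# Constructed stand-in for a breach corpus. A real deployment queries the Pwned Passwords
# range API (k-anonymity) or a local copy of that list; these three entries are invented.
BREACHED_PLAINTEXT = {"strongpassword123", "password1", "letmein"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in BREACHED_PLAINTEXT}

# Undo the cheap substitutions that cracking rule sets apply to a known password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
EDGE_JUNK = r"[0-9!@#$%^&*()._+=-]+"
MIN_LENGTH = 12


def normalize(candidate: str) -> str:
    """Collapse case, leading/trailing digit-and-symbol padding and leet spelling to a base word."""
    base = candidate.strip().lower()
    base = re.sub(EDGE_JUNK + r"$", "", base)   # "Strongpassword123!" -> "strongpassword"
    base = re.sub(r"^" + EDGE_JUNK, "", base)
    return base.translate(LEET)


BREACHED_BASES = {normalize(p) for p in BREACHED_PLAINTEXT}


def k_anonymity_prefix(candidate: str) -> str:
    """What a client would send to a range API: only the first 5 hex chars of the SHA-1."""
    return hashlib.sha1(candidate.encode()).hexdigest().upper()[:5]


def exact_breached(candidate: str) -> bool:
    """Exact-match check, the part a hash-based corpus can answer directly."""
    return hashlib.sha1(candidate.encode()).hexdigest().upper() in BREACHED_SHA1


def evaluate(candidate: str, email: str) -> list:
    """Return the reasons a new password should be rejected; an empty list means accept."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too-short")
    if exact_breached(candidate):
        reasons.append("exact-breached")
    base = normalize(candidate)
    if base in BREACHED_BASES:
        reasons.append("variant-of-breached")       # catches "Strongpassword123!" from "strongpassword123"
    local_part = normalize(email.split("@", 1)[0])
    if len(local_part) >= 4 and local_part in base:
        reasons.append("derived-from-email")        # catches "Userwithfunds123!" for userwithfunds@...
    return reasons


if __name__ == "__main__":
    for pw in ("Strongpassword123!", "Userwithfunds123!", "correct horse battery staple"):
        print(pw, "->", evaluate(pw, "userwithfunds@gmail.com") or "accept")
```

The exact-match check is the only one an external corpus can do for you; the variant and e-mail-derived checks have to run locally on the plaintext at the moment the user sets the password, which is also the only moment a service legitimately holds it.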
3 hours ago, Fanna said:

The perpetrator (me) has said everything on this thread, no need to speculate.

I believe I didn't insist on Hashkiller's involvement for nothing: they cracked bcrypt hashes, they targeted high value wallets and the whole hashkiller was on it given the rewards (I've talked about 50 000€, sometimes much more).

They used some already dumped passwords from other databases, for example:

userwithfunds@gmail.com:strongpassword123 -> LinkedIn breach

They tried the bcrypt hash of the GateHub database as follows:

Strongpassword123

Strongpassword123!

Userwithfunds123!

In short, they joined public dumps with gatehub dumps to crack most of the bcrypt, the other hashes were cracked with effort and willingness....

That's why I came to you: I was myself living a huge injustice.

I won't talk about the case, but some good news are coming for you.

Thank you for your contribution, even if you're one of those who helped get access to GH. Any estimation of when we'll receive an update on this case,

and do you think the update will be from LE or GH?

6 hours ago, Caracappa said:

I thought I read on multiple occasions that wallets were emptied without access to the GateHub account. There were no entries in the access log, no 2FA or IP alerts. So didn't the hackers just access hashed secret keys in combination with wallets? And that's why GH rehashed and re-keyed all the wallets last year.

This is correct. I used an email address that was exclusive for Gatehub only. I also changed email address 3 times over a two year period, with the most recent being 2 months before the hack. I also changed the passwords each time, using 18 characters and not a passphrase.

5 hours ago, Fanna said:

The perpetrator (me) has said everything on this thread, no need to speculate.

I believe I didn't insist on Hashkiller's involvement for nothing: they cracked bcrypt hashes, they targeted high value wallets and the whole hashkiller was on it given the rewards (I've talked about 50 000€, sometimes much more).

They used some already dumped passwords from other databases, for example:

userwithfunds@gmail.com:strongpassword123 -> LinkedIn breach

They tried the bcrypt hash of the GateHub database as follows:

Strongpassword123

Strongpassword123!

Userwithfunds123!

In short, they joined public dumps with gatehub dumps to crack most of the bcrypt, the other hashes were cracked with effort and willingness....

That's why I came to you: I was myself living a huge injustice.

I won't talk about the case, but some good news are coming for you.

Is this you on RaidForums? Are you Gnosticplayers, who previously posted his confession here? I am not fluent with how the hashes were cracked; are you refuting or agreeing with what this individual posted here on RaidForums in regards to Hashkiller.co.uk's complicity in this? What I would really like to know is when exactly this 2017 database was stolen?

[attached screenshot: 706056FE-E5B5-42D0-BF90-CFF0C741B410.png]

4 minutes ago, Jillian said:

Is this you on RaidForums? Are you Gnosticplayers, who previously posted his confession here? I am not fluent with how the hashes were cracked; are you refuting or agreeing with what this individual posted here on RaidForums in regards to Hashkiller.co.uk's complicity in this? What I would really like to know is when exactly this 2017 database was stolen?

[attached screenshot: 706056FE-E5B5-42D0-BF90-CFF0C741B410.png]

I do agree with him, since both the gnosticplayers3 of RaidForums and the gnosticplayers who posted the confession there are me.

No conspiracies, the bcrypt hashes were fully cracked by HashKiller.

22 minutes ago, Fanna said:

I do agree with him, since both the gnosticplayers3 of RaidForums and the gnosticplayers who posted the confession there are me.

No conspiracies, the bcrypt hashes were fully cracked by HashKiller.

I appreciate this. Out of all the gd high-volume wallets, why could you not have just hacked Chris Larsen's or Brad Garlinghouse's wallets? I mean damn, really, why you gotta take out us small guys. Just so you know, Gatehub does not give a shit. These were not their coins that were stolen. You all should probably consider thanking them for indirectly helping you.

1 hour ago, Jillian said:

This is correct. I used an email address that was exclusive for Gatehub only. I also changed email address 3 times over a two year period, with the most recent being 2 months before the hack. I also changed the passwords each time, using 18 characters and not a passphrase.

I can second this as well

6 hours ago, Jillian said:

This is correct. I used an email address that was exclusive for Gatehub only. I also changed email address 3 times over a two year period, with the most recent being 2 months before the hack. I also changed the passwords each time, using 18 characters and not a passphrase.

And were you hacked? In no way can an 18-character password be cracked.

1 hour ago, tulo said:

And were you hacked? In no way can an 18-character password be cracked.

Yes, I sure was. I actually put my password in the Have I Been Pwned site and it came up as not pwned, and neither was the email. I also went back and confirmed previous passwords and emails used for Gatehub and again none were showing as pwned.

Edited by Jillian
7 hours ago, Jillian said:

Yes, I sure was. I actually put my password in the Have I Been Pwned site and it came up as not pwned, and neither was the email. I also went back and confirmed previous passwords and emails used for Gatehub and again none were showing as pwned.

I doubt the hack went that way. First: the hack wasn't recorded in the access log, and second: in my case I found it weird that they didn't touch my largest XRP account. At that time I managed 3 on-ledger accounts in a GH wallet (didn't make use of hosted accounts) with my funds asymmetrically spread over those 3 accounts. The largest account was far bigger than the one they took away. If they had access through a password hack they could have taken all 3 in no time....

9 hours ago, Jillian said:

Yes, I sure was. I actually put my password in the Have I Been Pwned site and it came up as not pwned, and neither was the email. I also went back and confirmed previous passwords and emails used for Gatehub and again none were showing as pwned.

You absolutely certain that you tried all email addresses that you would have used? I'm now wondering if it was maybe not a 2017 database that was stolen, as having checked haveibeenpwned, it does not contain my email address from 2017 but does contain an email address that I used in 2018...

I don't think that haveibeenpwned would have Gatehub passwords searchable, because the leaked database doesn't contain them in plaintext.

1 hour ago, kanaas said:

At that time I managed 3 on-ledger accounts in a GH wallet (didn't make use of hosted accounts) with my funds asymmetrically spread over those 3 accounts.

Hope you re-keyed those funds in case they were just overlooked by the hackers? The layout of the database may not have made it obvious which keys were encrypted with the same password unless they wrote a script to check. 

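Several posts in this thread make the same operational point: the wallets were emptied through scripted API calls with stolen session tokens, nothing showed in the web access log, and GateHub said it had its own log of "suspicious" API calls. What that detection would need to key on is visible from the discussion itself: a token exercised from an address other than the one it was issued to, a token with no interactive login behind it at all, and a secret-key export that was not preceded by a recent 2FA success. The following is an added example, not GateHub's code or log format; the JSON events, the token ids, the documentation-range IPs and the endpoint paths `/v1/wallet/secret` and `/v1/wallet/export` are all constructed for illustration.

```python
import json

# Hypothetical endpoint names; the thread only says the API could return encrypted secret keys.
SENSITIVE_PATHS = {"/v1/wallet/secret", "/v1/wallet/export"}
STEP_UP_WINDOW = 300  # seconds: a sensitive call needs a 2FA success at least this recent on the same token

# Constructed audit events (invented token ids, RFC 5737 documentation IPs), one JSON object per line.
SAMPLE_LOG = """
{"ts": 1000, "user": "alice", "token": "tok-A1", "ip": "203.0.113.5", "event": "login_ok"}
{"ts": 1005, "user": "alice", "token": "tok-A1", "ip": "203.0.113.5", "event": "2fa_ok"}
{"ts": 1010, "user": "alice", "token": "tok-A1", "ip": "203.0.113.5", "event": "api_call", "path": "/v1/wallet/balance"}
{"ts": 1020, "user": "alice", "token": "tok-A1", "ip": "203.0.113.5", "event": "api_call", "path": "/v1/wallet/secret"}
{"ts": 50000, "user": "alice", "token": "tok-A1", "ip": "198.51.100.9", "event": "api_call", "path": "/v1/wallet/secret"}
{"ts": 60000, "user": "bob", "token": "tok-B7", "ip": "198.51.100.9", "event": "api_call", "path": "/v1/wallet/secret"}
"""


def parse(log_text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def audit(events: list) -> list:
    """Return (ts, user, token, reason) findings for API use that a web access log would never show."""
    issued_ip = {}  # token -> IP of the interactive login that created it
    last_2fa = {}   # token -> ts of the most recent 2FA success
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        tok = e["token"]
        if e["event"] == "login_ok":
            issued_ip[tok] = e["ip"]
        elif e["event"] == "2fa_ok":
            last_2fa[tok] = e["ts"]
        elif e["event"] == "api_call":
            if tok not in issued_ip:
                findings.append((e["ts"], e["user"], tok, "token used with no recorded interactive login"))
            elif e["ip"] != issued_ip[tok]:
                findings.append((e["ts"], e["user"], tok, "token reused from a different IP than it was issued to"))
            if e["path"] in SENSITIVE_PATHS and e["ts"] - last_2fa.get(tok, float("-inf")) > STEP_UP_WINDOW:
                findings.append((e["ts"], e["user"], tok, "sensitive endpoint called without fresh 2FA step-up"))
    return findings


def summarize(findings: list) -> dict:
    """Per-user finding count, the value an alert rule would threshold on."""
    counts = {}
    for _, user, _, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(parse(SAMPLE_LOG)):
        print(f)
```

In the sample, alice's first secret export (ts 1020) is clean because it follows her login and 2FA from the same address within the window; the export at ts 50000 from a second address, hours later, raises two findings, and bob's token produces two more because no login or 2FA was ever recorded for it. The same three rules are cheap to run as a streaming check rather than a post-incident query.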