Unauthorized login to my HitBTC account - how did this happen?

So, over the last 24 hours I got a couple of unexpected emails from HitBTC. The first two were "click this link to reset your password" type. Okay, so someone was trying to get in. But then they actually got in! While I was fast asleep, I received a "Successful login from new IP" email. The password (which was a strong, random ~16-character string) had been reset. Fortunately I was able to reset it myself and log in this morning - I don't think the attacker had a way to reset the email address linked to the account. And there was nothing to steal - I only have dust in that account - but still, I'm very concerned. The activity logs actually show 3 successful password reset attempts, coming from the Netherlands, Miami, and then Fremont over the span of several hours. wtf???

I think I may have been targeted because I posted a message in their trollbox without first updating my username (which defaults to your account email address, minus the @ suffix - ugh), so my login email address was effectively visible.

OK, yes, I don't have 2FA enabled and I will absolutely add that right now. But still - how did the 3rd party successfully reset my password? Is there something insecure about the password reset emails?

submitted by /u/Fosforus
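For readers wondering what the poster's question is really asking, here is what a sound server-side password-reset flow looks like. This is an added Python example, not HitBTC code, and it makes no claim about how HitBTC's reset actually works; `ResetStore`, `TOKEN_TTL_SECONDS` and the fake clock are illustrative names chosen here. The properties it demonstrates are the ones a reviewer would check: an unguessable token, only a hash of it stored server-side, a short expiry, single use, and a constant-time comparison. It also shows the point relevant to the trollbox concern: knowing the login email lets an attacker trigger reset emails, but without the token that lands in the mailbox a reset cannot be completed.

```python
"""Baseline password-reset token handling (added example, not HitBTC code).

Demonstrates: 256-bit random tokens, hash-at-rest, 15-minute expiry,
single use, constant-time compare, and that an attacker who knows only
the account email cannot complete a reset without the emailed token.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy value for this example


def _digest(token: str) -> str:
    # Store only the hash: a database leak must not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetStore:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # email -> (sha256(token), expires_at)

    def issue(self, email: str) -> str:
        """Create a reset token for `email`; the return value goes ONLY into
        the reset email, never into logs or the database."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # A fresh request replaces any earlier outstanding token.
        self._pending[email] = (_digest(token), self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, email: str, token: str) -> bool:
        """True only for an unexpired, unused token issued to this email."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[email]  # expired tokens are purged, not retried
            return False
        if not hmac.compare_digest(_digest(token), stored_digest):
            return False  # wrong token; do not reveal which part failed
        del self._pending[email]  # single use: a replay must fail
        return True


def demo() -> dict:
    """Exercise the flow against a controllable clock and report outcomes."""
    clock = [1_700_000_000.0]  # constructed fixed timestamp
    store = ResetStore(now=lambda: clock[0])
    victim = "fosforus@example.com"  # constructed address

    # Attacker knows the email (e.g. from a chat username) and requests a
    # reset, but only the mailbox owner receives `token`.
    token = store.issue(victim)
    guessed = store.redeem(victim, secrets.token_urlsafe(32))  # blind guess

    correct = store.redeem(victim, token)       # legitimate use of the link
    replayed = store.redeem(victim, token)      # same link a second time

    # Fresh token, then let the TTL lapse before it is used.
    token2 = store.issue(victim)
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem(victim, token2)

    return {
        "guessed_token": guessed,
        "correct_token": correct,
        "replayed_token": replayed,
        "expired_token": expired,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The thing the example cannot show is the part the poster actually needs answered: if an attacker can read the reset email (compromised mailbox, forwarding rule, or a shared inbox), every property above holds and the reset still succeeds. That is why the mailbox and 2FA on the exchange matter more than the token format.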