ba
Mysterious Hamster 6mo ago 💬 68

We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.

We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.

I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.

We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.

Having a users nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.

This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.

nostr:nevent1qvzqqqqqqypzpggzvz325tcf9kz79s9c9627430ccc82r8rgujycwxd43n92y037qy88wumn8ghj7mn0wvhxcmmv9uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcqyrdx8njpnvvulfcsqqd7ud47uw6dnzl4a3fmsrafsp0rte9f29h5uxpgg73

Reply to this note

Please Login to reply.

Discussion

ba
Mysterious Hamster 6mo ago

We have disabled all auto-withdrawals for the time being until we get a better handle on the situation.

8b
Optimism 6mo ago

If you can dump an image of your disks to an encrypted external drive, the best time was before you changed anything. The next best time is right now.

Avatar
Lois 🧘‍♀️🫖✨🙏 6mo ago

Unable to zap.... No lightening wallet found.

Avatar
GHOST 6mo ago 💬 1

There is no such thing as rotating Nostr keys

Avatar
Ryan 6mo ago

💯

Once your key is compromised it's over. New game plus 😬😅

Avatar
Psilocyberbull 6mo ago

New game plus lmaoooo I cant not zap that

Avatar
hoppe2 6mo ago

I didn't want to know this,😔

Avatar
nostr.build 6mo ago

That is a business professional way of saying, ‘you’re fucked’

Avatar
TKay 6mo ago

TKay tried flipping, it was not effective!

?cid=9b38fe914kreabh1c6thtwtf6tpdv5iko6iihywf1lmuz39k&ep=v1_gifs_search&rid=giphy.gif&ct=g

Avatar
TKay 6mo ago

Wow. I hope I never did something stupid with my nsec.

But we really need to find a way to stop this single point of failure.

Avatar
Eporediese 6mo ago

Avatar
TKay 6mo ago

Pretty much 🤣😂

Avatar
Ray Buni 6mo ago

Keep your nsec safe people. Don’t just copy and paste it everywhere.

nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e

Avatar
Psilocyberbull 6mo ago

I hope everybody learns a valuable lesson about third parties

Avatar
𝙲𝚘𝚖𝚙𝚘𝚗𝚎𝚗𝚝𝚎 08 6mo ago 💬 54

Galera, um aviso importante.

Saquem seus sats da Coinos, estão surgindo muitos relatos de carteiras drenadas.

A nostr:nprofile1qqst4qyeqenw7zm0fwjsty68h6cnys5jre2xd8ngqpjv5a2j26s78fspz4mhxue69uhhyetvv9ujumrfvecxz7fwd4jsz9thwden5te0wfjkccte9e3k76twdaeju6t0qy28wumn8ghj7un9d3shjtnyv9kh2uewd9hsmryfpz se pronunciou recentemente alegando de que está investigando o caso. Houve um vazamento de dados causado por um exploit em janeiro que pode ter armazenado alguns dados de usuários e os atacantes podem estar usando tais dados para adentrar a Coinos e saquear o saldo.

Leiam mais aqui:

nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gppemhxue69uhkummn9ekx7mp0qgst4qyeqenw7zm0fwjsty68h6cnys5jre2xd8ngqpjv5a2j26s78fsrqsqqqqqpysntnk

Avatar
Judge Hardcase 6mo ago

I love Nostr; but, generally speaking, nsecs shouldn't yet be counted on to keep anything important secure... except maybe by someone who *really* knows what their doing - which necessarily means they would know not to be sharing their nsec(s) with any 3rd parties.

nostr:nevent1qvzqqqqqqypzpw5qnyrxdmctda962pvng7ltzvjzjg09ge57dqqxfjn42ft2rcaxqqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52g9e9955

Avatar
Cameri🐦‍🔥 6mo ago

Np I’ll just rotate my keys…. Wait a minute

Avatar
tanel 6mo ago

like, inside out or?

Avatar
Cameri🐦‍🔥 6mo ago

I’m just bouncing off the elliptic curve here

I’m still inside

Avatar
tanel 6mo ago

lemme know when you make it the whole way around pls

Avatar
semisol 6mo ago

update I tried this and now I have become a shift register

Avatar
Cameri🐦‍🔥 6mo ago

I worry I could end up where I started on the curve

That’s the stuff that keeps me up at night

Avatar
tanel 6mo ago

whatever rotates your key man

Avatar
teatwo 6mo ago

Avatar
Ray Buni 6mo ago

😂

Avatar
Uno 6mo ago

Think he means create new Nostr keys entirely ? 🤔

Avatar
cuban 6mo ago

nostr:nprofile1qqsp3yzapfwkyw4cr2vt4xx9s27474lj2pkxhqyfqh79n826pv3fkzqpzpmhxue69uhkummnw3ezuamfdejsz9rhwden5te0wfjkccte9ejxzmt4wvhxjmcpp4mhxue69uhkummn9ekx7mq8gj7q7 heads up, not sure if you're still using coinos but nsec may be compromised

Avatar
node 6mo ago

Thanks Cuban. Saw that. Never used the forwarding feature. But I emptied the wallet and switched to primal NWC just in case.

Avatar
markonyte 6mo ago

I know you are currently fixing things. Is this why I cannot login to my coinos?

ba
Mysterious Hamster 6mo ago

Are you still having issues logging in? Please email support@coinos.io

Avatar
markonyte 6mo ago

Yeh. "login failed". My account wasnt connected with NOSTR

Avatar
Weatherall 6mo ago

a handful:

Avatar
crany 👽🧡🗿 6mo ago

oh my

Avatar
bitcoinranger 6mo ago

Ooof!

Avatar
The Bullish ₿itcoiner 6mo ago

Might be worth checking for this address too.

nostr:note1ezvpf8dzcf6anplwjlgyqpppye27wgdh6aheu5p5fn35twpqxyws93cpyd

Avatar
The Bullish ₿itcoiner 6mo ago

Good luck with the investigation. Here’s to coming out stronger from this. 👊

Avatar
Uno 6mo ago 💬 4

I’m sorry but this is simply unacceptable. One to be storing private keys in the first place this way and two if you have known hackers that have hacked you before to that degree you need to tell everyone I mean EVERY ACCOUNT about this.

nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e

Avatar
Kayne 6mo ago

Why are you storing private keys on file? That seems very irresponsible

Avatar
₿oniz23⚡️🏴‍☠️🇮🇹 6mo ago

😳😳😳👀🤦‍♂️

Avatar
Kabrontutan 6mo ago

It happens to the best of us

Avatar
Moss 6mo ago

Keep up the great work. Thanks 🫡

Avatar
Guy Swann 6mo ago 💬 6

This is why remote signing, extensions, possibly sub keys, etc all need to be a standard. This sort of problem at scale would be a disaster. #Nostr keys are precious and a major problem still remains that many clients or services still have a place to paste private keys to login or use the service.

Be extremely careful with this and if you aren’t sure if you are using keys client side only, then opt out until a better option is available.

Love CoinOS btw, this isn’t a dig and they’ve implemented most of the above options for this reason. Just really important to know the trade offs with things like this.

nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpp4mhxue69uhkummn9ekx7mqwjqt9e

Avatar
Ben Arc 6mo ago 💬 2

Once upon a time I remember we used to complain bitcoin/nostr stuff wasn't attacked enough as people liked the projects. These days attacks are constant, sophisticated and from every direction, many state sponsored. Its ultimately a good thing for hardening and something users should be prepared for using bleeding edge, but of course very painful.

I salute you brave users/developers🫡

nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gppemhxue69uhkummn9ekx7mp0qgst4qyeqenw7zm0fwjsty68h6cnys5jre2xd8ngqpjv5a2j26s78fsrqsqqqqqpysntnk

Avatar
₿k 6mo ago

I’m still here for you <3

1d
1d142ed5... 6mo ago

I hope you all learn a valid lesson from this. I Storing private keys is massively irresponsible and you should be held accountable.

Avatar
Reverend Hodl 6mo ago

Transparency and full disclosure. It's not the easy way, it's the right way. Thank you Coinos.io for your continued efforts to harden and fight off the actors who will inevitably go after sats wherever they may be. It is more important than even, that we all learn to self custody and do regular sweeps to protect ourselves from these threats. 💪🫡

nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gppemhxue69uhkummn9ekx7mp0qgst4qyeqenw7zm0fwjsty68h6cnys5jre2xd8ngqpjv5a2j26s78fsrqsqqqqqpysntnk

Avatar
Anhern Sarsalor [IQ: 102] 6mo ago 💬 2

Sorry guys. This kind of failure is unacceptable. This is why users need to have self custodial user friendly wallets. This is what always happens when you rely on a third party for your wallet, and that third party has any control whatsoever.

Coinos themselves are at fault for this issue, but only in so far that this will happen to every single custodian, at one point or another. They made some bad security decisions, but that's unimportant. They could have done everything correctly and eventually something would have happened anyway.

This is why self custody is necessary. Mistakes happen, most of the time the custodian is not evil or malicious, it's the very ability to have control over another's funds or data that is the problem, almost never who the controller is.

What coinos did right is the user friendlyness. I liked coinos, it works, the ui is clean and simple, and getting setup is incredibly easy. But they took custody of user funds, and that's always a problem in the making.

The wallet integrated in animestr will be entirely self-custodied, and still be as intuitive as coinos (if not more)

nostr:nevent1qqsfsg878u9luv2sxm6yahyjr4zpt745rdfpuu47wnn9t2dskgem52gpzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtczyzagpxgxvmhskm6t55zex3a7kyey9ys723nfu6qqvn9825jk5836vqcyqqqqqqg658atz

Avatar
Niall Young 6mo ago

#NYKNYC-OS