[Action required] Security attack on Reviewhunt.com
Today, we noticed that there were security attacks on the Reviewhunt website. We received a report at 12:49 am (KST) from a user who discovered that their HUNT tokens had been transferred without their knowledge. After receiving this message, we ran an investigation and found a server log that shows login attempts by an automated script using email-password pairs leaked from another website.
Based on our investigation, it appears that this security attack was carried out in the following ways:
- The hacker may have obtained thousands of email addresses and passwords from other websites.
- The hacker ran an automated script that attempted to log in to Reviewhunt using the email-password pairs from the hacked websites.
- Most of the email addresses they tried were not Reviewhunt accounts, but a few of the pairs matched Reviewhunt users’ account information. So far, we have received 4 reports from Reviewhunt users saying that their account was accessed by the hacker, and a total of 51,125 HUNT tokens were transferred (we presume that their login information was the same as the information leaked from the hacked websites).
As soon as we found out about the security attack, we halted all withdrawal requests in order to prevent the hacker from attempting more log-ins to our website with the email-password pairs leaked from outside sources. If the hacker tries after we have halted the transfer system, the withdrawal transaction goes into a “pending” status.
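The pattern described above (one script cycling through leaked email-password pairs, with a handful of matches) is visible in a login log as a burst of attempts against many distinct accounts from one source with a low success ratio. The following is an added example, not Reviewhunt's code: it flags such bursts in a constructed log and lists the accounts whose successful logins fell inside a burst, so their withdrawals can be held as pending for owner confirmation. The log format, the IP addresses and the thresholds are assumptions.

```python
"""Flag credential-stuffing bursts in a login log and list the accounts whose
withdrawals should be held.  Added example; log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one "<ISO timestamp> <source IP> <email> <OK|FAIL>" per line:
# a legitimate login from 198.51.100.7, then a script at 203.0.113.9 trying 30
# different leaked e-mails within half a minute, two of which match real accounts.
def build_sample_log():
    base = datetime(2020, 1, 27, 0, 40, 0)
    lines = [f"{base.isoformat()} 198.51.100.7 alice@example.com OK"]
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        outcome = "OK" if i in (4, 19) else "FAIL"
        lines.append(f"{ts} 203.0.113.9 leaked{i}@example.net {outcome}")
    return lines

def parse_line(line):
    ts, ip, email, outcome = line.split()
    return datetime.fromisoformat(ts), ip, email.lower(), outcome == "OK"

def detect_stuffing(lines, window=timedelta(seconds=60), min_attempts=20,
                    min_accounts=10, max_success_ratio=0.2):
    """Return {ip: {"attempts", "accounts", "hits"}} for every source that tries
    many distinct accounts inside one time window with a low success ratio."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, email, ok = parse_line(line)
        by_ip[ip].append((ts, email, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            accounts = {email for _, email, _ in win}
            successes = {email for _, email, ok in win if ok}
            if (len(win) >= min_attempts and len(accounts) >= min_accounts
                    and len(successes) / len(win) <= max_success_ratio):
                entry = flagged.setdefault(ip, {"attempts": 0, "accounts": set(), "hits": set()})
                entry["attempts"] = max(entry["attempts"], len(win))
                entry["accounts"] |= accounts
                entry["hits"] |= successes
    return flagged

def accounts_to_hold(lines):
    """E-mails that logged in successfully during a flagged burst: keep their
    withdrawals pending until the owner confirms them."""
    return sorted(h for v in detect_stuffing(lines).values() for h in v["hits"])
```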
If you find any pending withdrawal transaction that you did not initiate, please contact us via the #hunt-token channel on our Discord group. We will stop (roll back) the transaction. Unfortunately, we have no way to help you if the transaction has already been processed (this means that the hacker had already transferred the tokens, using login information leaked from an outside source, before we halted the transfer system).
We will keep this withdrawal suspension in place for all Reviewhunt users until January 28th (Tue), 2020, 6 pm KST to allow for rollback requests on pending transactions. After that time, we will approve the remaining transfer requests all at once.
As we announced earlier, Reviewhunt will be relaunched on January 29th, 2020 with the new Blockstack authentication. All user records will be reset and you will need to join Reviewhunt again via the Blockstack system. We also strongly recommend that you use a different password on each website, so that a breach of another website cannot be used to access your Reviewhunt account.
Kudos for swiftly responding before things got worse. I just checked my wallet and everything seems fine.
There must be an extra security layer implemented which asks for a verification email or a Google authentication code upon withdrawal.
We're going to use Blockstack authentication on the new version of Reviewhunt, which requires the full seed phrase to log in, and I guess this can be much safer than email/password authentication.
We'll definitely do 2-factor auth too on our wallet in the future.
That sounds cool. Thanks for the reply.
I was going to say this
"The hacker ran an automated script that attempts to login to Reviewhunt by using the email-password pairs from the hacked websites."
This is a good reason for websites to use two-factor authentication (2FA).