Friendly reminder to use secure passwords on SWAPD. Some VIP users had their accounts compromised

& to add, compromised accounts would also make it possible for scammers to take over social media properties. I hope it didn’t happen, but who would be responsible?

Like @trending said, people should start using 2 step verification.

2 Likes

Yikes. The good news is those compromised users didn’t have any active transfers. But if such a rare occasion was bound to happen, I guess the account holder of the compromised account would be held responsible, providing that we could prove negligence on his part.

This situation nudged us to review our policies and revamp our security. Expect a few changes in the upcoming 1-2 weeks.

Would forcing 2-FA upon everyone be too much?

2FA would be too much to ask of everyone. What if somebody loses their phone and/or backup codes? How could you genuinely give them access again? Sending an email from their account wouldn’t be enough, because that would simply negate the purpose of 2FA.

I lost a bitcoin wallet because I had to reset my phone and wasn’t able to get the 2fa back and didn’t have the backup codes. Luckily it was less than $200.

Not sure if it’s possible, but you could implement a system which triggers a new login from a different IP and/or device, which makes the user confirm the login via email. Even EpicNPC has that :wink:

1 Like
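The "confirm an unfamiliar login by email" flow suggested above, as an added example that is not part of the original thread and not SWAPD's or Discourse's own code. It assumes a coarse device fingerprint (source /24 plus user agent) and a 15-minute single-use token; every name in it (`LoginGuard`, `device_fingerprint`, `TOKEN_TTL`) is this example's own.

```python
# Added example: withhold a session after a correct password when the login
# comes from a device/network the account has never used, until a single-use
# token sent by e-mail is redeemed from that same device.
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 15 * 60  # seconds a confirmation link stays valid (assumption)


def device_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse fingerprint: the /24 of an IPv4 source plus the user agent string."""
    net = ".".join(ip.split(".")[:3]) if ip.count(".") == 3 else ip
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


@dataclass
class PendingLogin:
    user: str
    fingerprint: str
    expires: float


@dataclass
class LoginGuard:
    known: dict = field(default_factory=dict)    # user -> set of fingerprints
    pending: dict = field(default_factory=dict)  # sha256(token) -> PendingLogin
    outbox: list = field(default_factory=list)   # (user, token): stand-in for e-mail

    def remember(self, user: str, ip: str, ua: str) -> None:
        """Seed a device the user has already confirmed (e.g. at signup)."""
        self.known.setdefault(user, set()).add(device_fingerprint(ip, ua))

    def login(self, user: str, ip: str, ua: str, now=None) -> str:
        """Call only after the password check succeeded. Returns 'ok' or 'confirm'."""
        now = time.time() if now is None else now
        fp = device_fingerprint(ip, ua)
        if fp in self.known.get(user, set()):
            return "ok"
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()  # never store the raw token
        self.pending[token_hash] = PendingLogin(user, fp, now + TOKEN_TTL)
        self.outbox.append((user, token))  # a real deployment e-mails the link here
        return "confirm"

    def confirm(self, token: str, ip: str, ua: str, now=None) -> bool:
        """Redeem the e-mailed token. It must be unexpired, unused, and presented
        from the device that triggered it; only then does that device become known."""
        now = time.time() if now is None else now
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        p = self.pending.get(token_hash)
        if p is None:
            return False
        if now > p.expires:
            del self.pending[token_hash]
            return False
        if p.fingerprint != device_fingerprint(ip, ua):
            return False  # token relayed from elsewhere; keep it pending for the right device
        del self.pending[token_hash]  # single use
        self.known.setdefault(p.user, set()).add(p.fingerprint)
        return True
```

Binding the token to the fingerprint that triggered the login means a link forwarded to, or phished from, the account owner cannot be redeemed from the attacker's machine; the trade-off is that the owner must open the link on the new device rather than on their phone.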

We have something like that but for admins, not sure if we can enable this for users without rewriting the code, but we will look into this.

1 Like

I guess a simple email/PIN confirmation would work, no? Like on IG?

1 Like

Or even better, phone PIN. This could work since we already have users phones on file.

After a successful security audit (just to make sure) our server admins found no breach on our end and this is the end report.

Who attacked?

This was a single individual who basically guessed the passwords of the compromised accounts. He did not use many attempts for these accounts. I think these users might have been reusing their passwords and they got compromised elsewhere. Discourse does not store passwords in plain text, they are encrypted in an unrecoverable way.

Who fell victim?

Not counting the 10+ people who went offsite and got conned, three. Three user accounts were compromised.

  • miccheckglobal
  • multimrweb
  • garzuaga

Who else was at risk?

Here is a list of accounts that he tried to access but looks like he did not succeed:

@8mihai
@Fika54
@Gelvisga
@Iamyasser
@Jeronimo034
@UniqueFlips
@arnonh
@Dani
@dori
@gogarise
@Mac
@gxs179
@carlos_marin
@julianjewel
@junejaurjit
@kiesix
@master87
@mie5110
@nestageez
@rockstard112
@SpinX
@rp2288
@sharmashiv212
@summi08
@Tedsk
@travis3386
@verifymylife
@veteranheroe

After further digging our server admins found his SWAPD account

This guy seems to have his timezone set to Guatemala; he is the only user that has this, so it is easy to recognize. The timezone is supplied by the browser, so he is probably actually there.

  • This started 2020-08-31 21:39:51

  • he created the account @Bigswallow on 2020-09-01 03:30:57.298679

Possibly the attacker’s info (this is the info supplied at signup, not sure if valid).

Phone: +19514280669
Facebook: https://www.facebook.com/profile.php?id=100001274201845
Email: ddcjr187@gmail.com
Found him banned on Sythe.org for scamming: RoatzPkp Shop (ONLINE NOW) | Sell & Trade Game Items | OSRS Gold | ELO

He goes under the nick ddcjr187 on many gaming forums. I could probably dig up a lot more info.

2 Likes
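The report above describes one source trying a few passwords each against many accounts and getting into three. The following is an added example, not part of the SWAPD report or of Discourse, of detection logic that would surface that pattern from a login log; the log lines and their `ip=... user=... result=...` format are constructed for the example, and the thresholds are assumptions.

```python
# Added example: flag sources that touched many accounts with few attempts
# each (credential reuse / password spraying) rather than hammering one account.
import re
from collections import defaultdict

# Constructed sample log; this line format is the example's own assumption.
LOG = """\
2020-08-31T21:39:51Z ip=198.51.100.23 user=alice result=fail
2020-08-31T21:40:03Z ip=198.51.100.23 user=bob result=fail
2020-08-31T21:40:19Z ip=198.51.100.23 user=carol result=fail
2020-08-31T21:40:40Z ip=198.51.100.23 user=carol result=success
2020-08-31T21:41:02Z ip=198.51.100.23 user=dave result=fail
2020-08-31T21:41:27Z ip=198.51.100.23 user=erin result=fail
2020-08-31T21:41:59Z ip=198.51.100.23 user=frank result=fail
2020-08-31T21:42:30Z ip=198.51.100.23 user=grace result=success
2020-08-31T22:10:00Z ip=203.0.113.8 user=alice result=fail
2020-08-31T22:10:05Z ip=203.0.113.8 user=alice result=fail
2020-08-31T22:10:12Z ip=203.0.113.8 user=alice result=success
"""

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(log: str) -> list:
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def spray_sources(events, min_accounts=5, max_attempts_per_account=3) -> dict:
    """Return {ip: {"targeted": [...], "compromised": [...]}} for every source that
    tried at least min_accounts distinct accounts while never exceeding
    max_attempts_per_account on any one of them: the low-and-slow, many-targets
    shape of reused-password attacks, as opposed to a brute force on one account."""
    per_ip = defaultdict(lambda: defaultdict(list))  # ip -> user -> [results]
    for e in events:
        per_ip[e["ip"]][e["user"]].append(e["result"])
    flagged = {}
    for ip, users in per_ip.items():
        if len(users) < min_accounts:
            continue
        if max(len(results) for results in users.values()) > max_attempts_per_account:
            continue
        compromised = sorted(u for u, results in users.items() if "success" in results)
        flagged[ip] = {"targeted": sorted(users), "compromised": compromised}
    return flagged


def report(log: str) -> dict:
    return spray_sources(parse(log))


if __name__ == "__main__":
    for ip, info in report(LOG).items():
        print(f"{ip}: tried {len(info['targeted'])} accounts, got into {info['compromised']}")
```

The second source in the sample (three tries on one account, then success) is deliberately not flagged: that is what a user mistyping their own password looks like, and a per-account lockout handles it better than a spray rule. The `targeted` list minus `compromised` is the "who else was at risk" set the report lists by hand.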

Here’s the pig:

https://www.linkedin.com/in/dennis-condomitti-868737158/

For once, can’t find any additional emails on him

His dad I believe.

1 Like

GF / EX Gf / Maybe mother of kids?

now im going to leave it to the professionals like boogeyman

With my account everything is ok. Don’t understand why he needs our accounts? :slight_smile:

Curious how people are getting scammed. Isn’t there an escrow service on this site to prevent getting scammed lol. (Except accounts getting pulled/reverted)

He told them to deal with him off site so he could scam

1 Like

Thank god he didn’t try to hack my account. The password was fairly easy (now changed): “SwapdSucks”

Yeah thank god we have an awesome moderator who opened topics for the scammer :smiley: Truly the lowest IQ.

5 Likes

Force 2FA. Everyone should get used to it because they are doing social account trades and they should already be familiar using 2FAs everywhere.

If someone loses 2FA, lock their account for a week and remove 2FA afterwards upon verification of the registered number, OGP (original phone used for verification) and other details during verification. Phone numbers can be changed, so users can only verify the registered number by filing a form. You also need a form to report if someone is hacked. You can wait a week for an inactive account and, if it is not reported as hacked, reinstate 2FA with verification. You can also ask for their registration IP address or other IP addresses on file. This might put another burden on business mechanics, but members will feel safer.

Non-verified accounts should not be able to reset their 2FAs. This will also motivate them to get verified to secure their accounts.

1 Like

What? This sounds scary