Bug causes inadvertent security notification emails

[Chris Sokolowski]

Hi Everyone,

I wanted to explain what is happening with security notification emails. I first want to emphasize that these messages are not a result of a hack or breach of our security.

I was performing a routine check of our services today, and I discovered that there was one customer with an invalid email address that was causing the routine that sends security notifications to fail. When I fixed the issue and the routine executed properly, all queued emails from the past three weeks were sent at the same time.

These notifications are correct, but they are not for changes made today. They are related to account changes that have occurred since May 21. If anything was changed multiple times since May 21, then multiple emails would have been sent today. Note that a security notification is sent if anyone changes a payout address or email address, even if it was the account owner and the change was intentional.

If you received a security notification, I recommend checking your account's payout addresses and email addresses to be sure they are correct. However, most likely you will not need to take any action because you were the one that changed the information and the email was just a routine warning.

I apologize for the issue and any concern it has caused. If you have any questions, feel free to ask. Thank you for mining with us.

Sincerely,

-Chris Sokolowski

[holygoof]

Thank you for the quick breakdown Chris.
Good

[bachel]

So my payout address was definitely changed how do you explain that?

[Steve Sokolowski]

So my payout address was definitely changed how do you explain that?

Unfortunately, we can't explain how your payout address was changed, as that is out of the scope of this issue. The most likely cause is that someone obtained your password and changed it.

The scope of this post is solely to explain that E-Mails indicating payout address changes were delayed by a few weeks. There were no widespread hacks; the only impact was a delay in sending E-Mails, for which we apologize.

[Foxx]

not sure if this feature is enabled here or not (as it has been some time since i have actually mined here) but on other pools, as a security feature, everytime a payout address is modified, payment is suspended for 24/48 hours. being that most will notice when a payment is missed, this feature helps to stop theft before it happens.

[bachel]

So my payout address was definitely changed how do you explain that?

Unfortunately, we can't explain how your payout address was changed, as that is out of the scope of this issue. The most likely cause is that someone obtained your password and changed it.

The scope of this post is solely to explain that E-Mails indicating payout address changes were delayed by a few weeks. There were no widespread hacks; the only impact was a delay in sending E-Mails, for which we apologize.

So the 20 others in the chat this morning with the same problem all got fished ?

[Steve Sokolowski]

So my payout address was definitely changed how do you explain that?

Unfortunately, we can't explain how your payout address was changed, as that is out of the scope of this issue. The most likely cause is that someone obtained your password and changed it.

The scope of this post is solely to explain that E-Mails indicating payout address changes were delayed by a few weeks. There were no widespread hacks; the only impact was a delay in sending E-Mails, for which we apologize.

So the 20 others in the chat this morning with the same problem all got fished ?

fished?

If you mean "phished," as in someone stealing information, then the answer is no. There were no systemwide hacks.

[qosmio]

1st this happened to my was in april 2018, I had not 2fa enabled and got back into my account after 3 days and I lost one payout because the address was changed, I fixed all back and enabled 2fa, yesterday 8jun18 it happened again and I could not get back into my account since 2fa did not send me the code to login. so I have to move my miners to another pool since I cannot use my account anymore and not want to mine and someone else get my payout. Can you fix my account so I can use it again? account: qosmio

[bachel]

Unfortunately, we can't explain how your payout address was changed, as that is out of the scope of this issue. The most likely cause is that someone obtained your password and changed it.

The scope of this post is solely to explain that E-Mails indicating payout address changes were delayed by a few weeks. There were no widespread hacks; the only impact was a delay in sending E-Mails, for which we apologize.

So the 20 others in the chat this morning with the same problem all got fished ?

fished?

If you mean "phished," as in someone stealing information, then the answer is no. There were no systemwide hacks.

So why did so many payout addresses get changed ?

Miracle Hack or Devs who develop on a live system without testing anything before hand ?

[dnprod]

request for improvement to the notification email:
1) state which coin it's talking about
2) it says "Action: Payout Address Changed" however the same email is generated if the minimum payout amount is
changed. so perhaps rephrase it to say "Payout Address and/or Minimum Amount Changed" or something similar.