Alphabay statement on PMs bug (fixed now)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

We have been made aware of the bug that allowed an outsider to view marketplace
private messages and we believe that the community has the right to be made
aware of what information was obtained and what was done to mitigate the issue.

!----- What did the attacker obtain? -----

1) Marketplace PMs not older than 30 days, up to ID 2609452. IDs are not always
sequential, as 218,000 messages were obtained.
*** Conversations who did not receive a message in the last 30 days were not
affected, as they were automatically purged *****
2) List of user IDs + username (nothing more).

!----- What steps have been done? -----

The attacker was paid for his findings, and agreed to tell us the methods used
to extract such information. Our developers immediately closed the loophole in
order to protect the security of our users.

!----- Anything else? -----

No other information was obtained. All your forum PMs, order information, BTC
addresses, etc. are safe. Only recent (less than 30 days) PMs were obtained.

!----- What to do now? ------

No action is required from anyone, but we remind everyone to ALWAYS ENCRYPT
SENSITIVE INFORMATION such as addresses, BTC addresses, tracking numbers,
etc.

Thanks to everyone for being a loyal customer, and to apologize to the community,
we will be offering 20% discount on Escrow fees for the next week on all marketplace
orders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJYhLn6AAoJEOAZpE/dncxmydsH/Rt8HfmRbBWd9Q1ZrMjNRLgu
D+Kyx5uFWugRA8ieWww+xErl3IPK3+JgM0/r9WKGnjLIjm9YC9TuKFMwUPDJLo4f
/z/om/qEbCiPOu0q3+2/W4mF4k81t/+5rhM966gMvOtEgBsE163u7WSTW7mHOh4K
fPNTYyyWZ1tS9XLOnUS+2VDAKe9L73lekPi/KntM9DDLtKc3EWMv+05PwQrZSkUn
jfvKc1NAPYjmesLuNuifH7eMo2FbAwjS5YySXf+Wb0WzVD5rVMXyxg5tr0+6pO7L
1eAbloyBnk5gCydAZlTgo3f6pOfFtyZTai4xkPae220h2/842GoWlZZaBC3+GBY=
=uLM7
-----END PGP SIGNATURE-----


Comments


[26 Points] JustAnotherChem:

This is basically just a solid reminder to not leave any sensitive opsexy information un-encrypted. Still a major fuck up but anyone with sense has nothing to worry about and now its been fixed with an apology, not bad.


[14 Points] BFCDNM:

How much did you pay the guy?


[11 Points] HeyGuysImMichael:

I bet you it was that 4chan guy


[5 Points] ciddylucy:

Is it back up now? I just put an order for the first time on AB -_-


[5 Points] ForLol_Serious:

Was this the work of hacks4crack?


[2 Points] gunthermcadams:

Question: The censored screenshots at https://www.reddit.com/r/DarkNetMarkets/comments/5pg8tn/highrisk_bugs_regarding_alphabay_marketplace/ show unencrypted messages. Would the in-site PGP have encrypted those messages or did the senders really send all that unencrypted? Personally I ALWAYS locally and manually encrypt sensitive info myself and never rely on a market to do it.

Let this be a lesson to everyone to always manually PGP encrypt sensitive messages with the vendor's public key and never trust anyone else to do it. Do not order until you know how.
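
The "always encrypt locally" advice in the statement and in the comment above, as an added example that is not code from AlphaBay or from any commenter. It assumes GnuPG 2.x is installed; the vendor key is a throwaway generated on the spot (in practice you import the key the vendor publishes), and the address vendor@example.invalid and the message text are made up for the demo. The point is that the market's message box only ever sees ciphertext, so a bug like the one disclosed here leaks nothing useful:

```shell
#!/bin/sh
# Added example: encrypt a PM with the vendor's public key on your own
# machine before pasting it into the market, so the market database never
# holds plaintext. Throwaway key, made-up address and message (assumptions).
set -eu

# Isolated keyring so this never touches your real keys.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Stand-in for the vendor's key. For a real vendor you would instead run:
#   gpg --import vendor.asc
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'vendor@example.invalid' default default never 2>/dev/null

# Fingerprint of the vendor key. Encrypt to a fingerprint you have verified
# out of band, never to a bare name or e-mail address.
vendor_fpr() {
  gpg --batch --with-colons --list-keys 'vendor@example.invalid' \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# stdin: plaintext, $1: recipient fingerprint
# stdout: ASCII-armored ciphertext, which is all you paste into the market.
encrypt_pm() {
  gpg --batch --quiet --armor --encrypt --trust-model always --recipient "$1"
}

# Check before pasting: refuse anything that is not an armored PGP message,
# which catches the "pasted the plaintext by mistake" failure mode.
is_armored_pgp() {
  case "$1" in
    "-----BEGIN PGP MESSAGE-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Vendor side: decrypt with the matching private key.
decrypt_pm() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt 2>/dev/null
}

# Demo with a constructed message.
pm='Tracking: 1Z999AA10123456784'
cipher="$(printf '%s' "$pm" | encrypt_pm "$(vendor_fpr)")"
is_armored_pgp "$cipher" || { echo 'refusing to send plaintext' >&2; exit 1; }
printf '%s\n' "$cipher"
```

The same armored block is what goes into the PM field; the market's own "encrypt for me" feature, if it has one, encrypts on the server and therefore after the server has already seen the plaintext, which is exactly the exposure this incident describes.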


[3 Points] pinochetHA:

I don't understand why Alphabay is still listed on the superlist and why otherwise reasonable people use it to buy and sell drugs which could land them with a prison sentence. If a market cannot keep private messages private you should not fucking trust it. Again: you should not fucking trust it.

This is your safety and freedom which you are playing with so we don't have to be impartial or fair. That bullshit is for people who aren't taking big risks. If a market makes basic mistakes then use another market. Maybe those basic mistakes haven't compromised you personally this time. But basic mistakes do suggest they aren't really in control of their own situation and just hope that whoever discovers the vulnerabilities will be cool about it and take a payoff.

Let's give that some emphasis: If AB is compromised again and your info is at risk, the only thing between you and law enforcement and maybe the public gaining access to your info is the hacker being a cool guy or girl. It would be nice to think that it's all good now, this vulnerability is fixed and Alphabay has kindly apologized. It would be nice to say let's show appreciation to Alphabay and give them another chance. But seriously fuck that. Put yourself first, because clearly that is what Alphabay does.

You as a darknet buyer or vendor deserve secure platforms to trade on. You pay the markets a lot of money to provide those platforms. Alphabay has consistently failed to provide a secure platform. You can read about their past fuckups here: https://www.reddit.com/r/DarkNetMarkets/comments/5inpbt/thank_you_ab_coders/db9zblf/

Stop accepting less than you deserve. Don't gamble on markets which can't even do the simple things right. If you are an intelligent darknet user who always practises good opsec (gpg messages only, 2fa, Tails os or whonix or Qubes os, complex passwords, good isolation) then don't let a shitty market be your weakspot. There are no guarantees that any other market you use will be secure, but unlike Alphabay not all other markets have advertised and guaranteed the fact that they are really insecure.

Ooohh but a 20% discount on escrow fees!!? That makes it all OK :)

Edit: Going to respond here to some of the comments as otherwise it will be buried. Banks have a poor record of online security because they outsource the building of web applications and try to cut costs to the minimum. That translates to low quality work which is easy to exploit. Apple has a massive attack surface so yeah there's that.

Alphabay has failed at the simple stuff and this compromise is nothing like Apple. AB published an insecure API in the past. This hack (apparently) didn't take much time to execute. If they cannot get simple things right, then it looks pretty bad for the more difficult aspects of keeping your darknet market secure.

Yes every darknet market is insecure in some way. Every web application is in some way insecure. Read what I wrote, it doesn't claim otherwise. That does not mean that every market is equally insecure. Some are better than others. Alphabay is pretty bad. "Coding this shit is hard!" doesn't excuse their basic fuckups. Why choose the market which gets basic security wrong? Others might be as bad when they get more traffic, but they might also be better (eg. Agora had a good security record).


[1 Points] ItGotZenified:

This is why you should use TDC