Coinos wallet on Damus unusable. Constantly running into limits ;(
Breaks the entire fun of zaps
It was hacked, stay clear of it
early accounts had too small of a limit. we fixed it for new accounts but we don't have a way for the original ones to change it yet
I can't even get my sats out
Forget about them, if not much, otherwise sorry to hear about it
limits? doesn't sound like bitcorn..
Bummer. I just want to get my sats out and stop using it.
Exactly…
Consider all sats you have there lost. If you do get them out, never look back.
Got about 53k there, don't want to forget that
you can do:
echo -n "coinos_password:$HEX_NSEC" | sha256sum
To get your password to login and change the limit
Or maybe I should say HAD
That's the attitude 🤣
Where would I input this
I sent what's left to my ln address.
They went somewhere else 🤣
coinos.io login
Give up before trying. I'll have to teach this one to my kids 🤣 courtesy of uncle fishcake
facts
Wait a second…are you suggesting entering an nsec into a website login?
nowhere in my post says this
That should be the mental model, to save yourself from disappointment. Do try, and consider it a bonus if you succeed 🤣🫡
Thanks, had me worried for a sec.
I get login failed, do I need to swap hex for my hex?
Coinos has great support, just talk to them I think his name is @npub12ekp...tq0f
Yes you need to put your hex nsec in place of $HEX_NSEC
So, what do goobs like me do? I did not lose Sats but I can heed warnings.
I can't find where my keys would be in Coinos security or profile settings. Should I drain the wallet and sign out? Where can I receive zaps now (I zap out of Primal wallet), should I just connect it as my receive zaps wallet? Halp!
What issue are you having exactly?
Cannot zap any meaningful amount. Mostly just want to withdraw sats.
How do I sign into coinos if I got an address through Damus? Will told me but I'm too retarded to make it work
Can you share more information about this? Please email support@coinos.io with the details of the transaction
Will do. It's very odd.
Just use a browser extension
That shows my balance as 0
Is that the same as what Damus shows?…
I'd assume it right tho…
No
It's a hash of the nsec. Coinos is compromised though, nobody should be using it anymore or at least for the time being
I'm still using it, my account seems fine
Somebody else may already have. I think they said only 9 accounts were affected, but who knows
Did you have auto withdrawal enabled?
Oof you got drained probably
Just noticed our CoinOS wallet was completely drained!!
12k sats/ $12, not much but feel violated!
No tx out, no clues, just gone…
GET YOUR SATS OUT OF COINOS!!!!!!
Not every account is affected, but check their page
We're still investigating what happened here. It seems a handful of accounts may have been compromised and had their autowithdrawal settings tampered with, including our own "coinos@coinos.io" account.
We ran a script to search for accounts that had the attacker's "speed.app" withdrawal address in place and found about 9 that seem to have been affected. There could be more though, we will update as we have more information.
I worry that this may be the same attacker who exploited a password reset vulnerability back in January which allowed them to gain access to a number of accounts. It's possible that since that time they have been sitting on the account data and working to brute force the encrypted nostr private keys that we had on file for some accounts that had imported their nostr key into Coinos. Those keys were encrypted at rest in our database but it's possible they may have been cracked.
We no longer store nostr private keys for accounts and have since added support for external signing apps and browser extension login, but there was a time when we were storing encrypted nsec private keys.
Having a user's nsec would allow an attacker to authenticate into Coinos by signing a nostr event and change the user settings. It also means your entire nostr profile and identity may be compromised.
This is only a hypothesis at this point and we need to investigate further but we may end up recommending that affected users rotate their nostr keys.
No. The 2 are not the same acc
That seems really weird?
Yeah I'm not sure how it's set up but it's always been the case
Yeah… really not sure either…
Exactly.
Lol
username, your coinos user (that is in your profile). without the @coinos. password, do that sha256 of the string jb55 gave you with your hex nsec.
getting your hex nsec if you only have the nsec encoded one though.. i use my own tools for that.
signin with ext won't work for you, it'll be a new account.
Thnx will tinker with this
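
Added example, not part of the thread and not Coinos code: the login password derivation described in the replies above (SHA-256 of `coinos_password:` followed by the hex nsec), together with the NIP-19 bech32 decoding needed when only the `nsec1...` form is at hand, run locally so the key is never pasted into a website or an online converter. The function names are assumptions made for this example; the derivation string is the one quoted in the thread.

```python
import getpass
import hashlib

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet (BIP-173)

def polymod(values):
    """BIP-173 checksum polynomial over 5-bit values."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def nsec_to_hex(nsec):
    """Decode a NIP-19 'nsec1...' string to the 64-char hex private key."""
    hrp, sep, payload = nsec.strip().lower().rpartition("1")
    if not sep or hrp != "nsec":
        raise ValueError("not an nsec string")
    if any(c not in CHARSET for c in payload) or len(payload) < 6:
        raise ValueError("invalid bech32 payload")
    data = [CHARSET.index(c) for c in payload]
    if polymod(hrp_expand(hrp) + data) != 1:
        raise ValueError("bad checksum (typo or truncated key)")
    acc = bits = 0
    out = bytearray()
    for v in data[:-6]:  # drop the 6 checksum symbols, regroup 5 -> 8 bits
        acc = (acc << 5) | v
        bits += 5
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    if len(out) != 32 or acc & ((1 << bits) - 1):
        raise ValueError("payload is not a 32-byte key")
    return out.hex()

def coinos_password(hex_nsec):
    """Same result as: echo -n "coinos_password:$HEX_NSEC" | sha256sum"""
    return hashlib.sha256(f"coinos_password:{hex_nsec}".encode()).hexdigest()

if __name__ == "__main__":
    # getpass keeps the key out of shell history and off the screen
    print(coinos_password(nsec_to_hex(getpass.getpass("nsec: "))))
```

Anyone who holds the nsec can compute this same password, so a key that may have leaked has to be rotated; changing settings on the account does not help.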