Bitcoin Forum

Other => Beginners & Help => Topic started by: bitsalame on June 19, 2011, 07:20:00 PM



Title: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: bitsalame on June 19, 2011, 07:20:00 PM
The bitcoin will be back to around 17.5$/BTC after we rollback all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).

Service should be back by June 20th 10:00am (JST, 01:00am GMT) with all the trades reversed and accounts available.

One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.

Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.

--------------

My opinion here: although it is unfortunate for the owner of the account, in the real world money stolen is money gone.
"Reverting" the transactions and "re-establishing" the price arbitrarily IS NOT ACCEPTABLE. What is it, a game?

That is why in the real world we have insurance.
We should create an insurance mechanism for the case of hacked accounts, but reverting transactions is not acceptable.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: Shox on June 19, 2011, 07:28:26 PM
Was this thread really needed among the billions of others?

Sorry but that announcement has already been posted a few times.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: jack_jones on June 19, 2011, 07:29:53 PM
In this context what does 'rollback' imply?


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: BitcoinPorn on June 19, 2011, 07:30:25 PM
My opinion here: although it is unfortunate for the owner of the account, in the real world money stolen is money gone.
"Reverting" the transactions and "re-establishing" the price arbitrarily IS NOT ACCEPTABLE. What is it, a game?

That is why in the real world we have insurance.
We should create an insurance mechanism for the case of hacked accounts, but reverting transactions is not acceptable.

This is a game.  All people are taking on all risks involved in this yet established currency (which I believe will stand against all these tests).  I think we should all appreciate that Gox takes this responsibility on himself to be like 'holy shit, this is fucked up for so many people, I at the least have the power to change this one thing' and so he is.  I'm seriously glad.

But yeah, in the end, insurance and all that good stuff comes with so many third parties.  I think banks are obviously out with Bitcoins, but something along the line of sects and trusted groups will start coming out I think (it may already be starting with/within Pools).


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: monsterblitz on June 19, 2011, 07:35:12 PM
Was this thread really needed among the billions of others?

Sorry but that announcement has already been posted a few times.

I checked & didn't see another post about this.  It may have been posted in another topic or forum.  Since this is an official announcement, it seems pretty appropriate considering the circumstances.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: Nanodemon on June 19, 2011, 07:38:37 PM
Account compromise != hack. Someone got keylogged, had an insecure password, or some other nonsense. This isn't "hacking".


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: bitsalame on June 19, 2011, 07:40:47 PM
Was this thread really needed among the billions of others?

Sorry but that announcement has already been posted a few times.

Oh Really? Care to cite your "billion" posts?
The last time I checked everyone was just lost, the theories of conspiracies between TradeHill making a shady move against MtGox were the trending posts.

I am bringing the official statement from MtGox and stop the nonsense conspiranoid chattery.
Cheers


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: Beremat on June 19, 2011, 07:42:38 PM
The price isn't being set arbitrarily. It was $17.5 the second before the big sale, and that's what it's being rolled back to.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: Nanodemon on June 19, 2011, 07:55:42 PM
The price isn't being set arbitrarily. It was $17.5 the second before the big sale, and that's what it's being rolled back to.

However, that will not correctly dictate the state of the market when the site comes back up, meaning it's an arbitrary number at the time. If your buy and sell orders are based on that, when say... TradeHill or some other exchange is significantly higher or lower, it stands to reason that you will lose or gain accordingly based on the state of the market as a whole. It's basically a fix, since everyone now knows that mtgox will be at 17.50 at around 1AM GMT.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: Atheros on June 19, 2011, 08:08:00 PM
No, they really did get hacked- or at least someone leaked their accounts. Find yourself here:

http://ifile.it/a3kl16j/accounts.csv

Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.

The End.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: nixxle on June 19, 2011, 08:14:42 PM
No, they really did get hacked- or at least someone leaked their accounts. Find yourself here:

<snip>

Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.

The End.

Started cracking MD5 hashes? You have no idea what you are talking about.

The passwords in the accounts.csv are not MD5.

More likely, a hacker got access to the server, did the damage he did (dump BTC on the market from 1 account or something) and figured: while I am here, I might as well spice things up and make a full dump of the users database table.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: pipedr34 on June 19, 2011, 08:16:18 PM
No, they really did get hacked- or at least someone leaked their accounts. Find yourself here:

<snip>

Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.

The End.

My email is in there. The leak is real. fuck


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: plutocracy on June 19, 2011, 08:28:54 PM
No, they really did get hacked- or at least someone leaked their accounts. Find yourself here:

redacted

Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.

The End.

I wish people would stop linking that file. Mods are removing posts relating to it, just not fast enough.

But yes this is what happened.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: Atheros on June 19, 2011, 08:37:13 PM

Started cracking MD5 hashes? You have no idea what you are talking about.


Oh, but I do. People are brute forcing them successfully right now. Some are salted. Some are not. That is why someone was willing to sell bitcoins at $0.01. Because the account wasn't theirs.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: pipedr34 on June 19, 2011, 08:39:18 PM
There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.

Actually people on #mtgox say the limit is 50BTC or 1000 USD per day.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: BouerBouer on June 19, 2011, 08:40:24 PM
And the lulz kick-starts again.

This is why I'm pretty heavily against using Mt Gox right now. That and the lack of Pound Sterling support sucks.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: blendergasket on June 19, 2011, 08:45:53 PM
No, they really did get hacked- or at least someone leaked their accounts. Find yourself here:

redacted

Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.

The End.

I wish people would stop linking that file. Mods are removing posts relating to it, just not fast enough.

But yes this is what happened.

Once it's on the internet it can't be taken off. The only thing unlinking it from here will do is keep legit users from knowing about it quickly and changing their info on related sites (if it's reused). This is especially bad since the Mt.Gox hacked/CSRF threads tell which/where pw's might be reused. Time to get as much info as possible and mitigate the risk as much as possible. I'd assume it's torrented by now and being downloaded by all sorts of malicious people NOT affiliated with this site.

Also: just when finishing this post up I got this email:

Dear Mt.Gox user,

Our database has been compromised, including your email. We are working on a
quick resolution and to begin with, your password has been disabled as a
security measure (and you will need to reset it to login again on Mt.Gox).

If you were using the same password on Mt.Gox and other places (email, etc),
you should change this password as soon as possible.

For more details, please see this:

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

The information there will be updated as our investigation progresses.

Please accept our apologies for the troubles caused, and be certain we will do
everything we can to keep the funds entrusted with us as secure as possible.


The leaked data includes the following:

- Account number
- Account login
- Email address
- Encrypted password

While the password is encrypted, it is possible to bruteforce most passwords
with time, and it is likely bad people are working on this right now.


Any unauthorized access done to any account you own (email, mtgox, etc) should
be reported to the appropriate authorities in your country.


Thanks,
The Mt.Gox team


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: chadqberry on June 19, 2011, 08:48:40 PM
If you managed to buy some BTC at .01, I hope you were smart enough to transfer them out of there quickly!
I guess those crying about the rollback didn't quite get theirs out in time.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: spankymio on June 19, 2011, 08:57:46 PM
If you managed to buy some BTC at .01, I hope you were smart enough to transfer them out of there quickly!
I guess those crying about the rollback didn't quite get theirs out in time.

That is pretty much the thought process I had - surely you knew that something was wrong as soon as it got down below $10


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: jandd on June 19, 2011, 09:17:57 PM
No, they really did get hacked- or at least someone leaked their accounts. Find yourself here:

<snip>

Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.

The End.

Started cracking MD5 hashes? You have no idea what you are talking about.

The passwords in the accounts.csv are not MD5.

More likely, a hacker got access to the server, did the damage he did (dump BTC on the market from 1 account or something) and figured: while I am here, I might as well spice things up and make a full dump of the users database table.

These are salted MD5 hashes as generated by crypt(3) (http://linux.die.net/man/3/crypt), breaking these using brute force should be quite complicated (if the crackers did not discover another MD5 weakness).

BTW: I found my fresh account there too. Fortunately I did not have any BTC or USD there yet. I hope they implement better security measures and do a code review before going online again.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: boz on June 19, 2011, 09:21:47 PM
Rolling back does not solve the problem.
We need to have a chance to remove the standing orders before the market gets crazy.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: spankymio on June 19, 2011, 09:23:02 PM
Rolling back does not solve the problem.
We need to have a chance to remove the standing orders before the market gets crazy.

I think that's happened already, i.e. the market got crazy.  :-\


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: bitsalame on June 19, 2011, 09:27:08 PM
I am still wondering.
Why the hell are they still using MD5? Isn't that simply crazy?
How can you claim to be secure using MD5?


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: EconomicOracle on June 19, 2011, 09:32:25 PM
I've been saying this for years. The attack was carried out by the government to hurt bitcoin. Do not let government control BTC or we will have panics like this! Believe in BTC! Things will get better as long as you believe!


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: bitsalame on June 19, 2011, 09:36:38 PM
No, they really did get hacked- or at least someone leaked their accounts. Find yourself here:

<snip>

Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.

The End.

Started cracking MD5 hashes? You have no idea what you are talking about.

The passwords in the accounts.csv are not MD5.

More likely, a hacker got access to the server, did the damage he did (dump BTC on the market from 1 account or something) and figured: while I am here, I might as well spice things up and make a full dump of the users database table.

The two $ are a clear telltale of the Modular Crypt Format of crypt(3).
It is a Unix MD5 hash; it is given away by the $1$, where the 1 confirms the MD5 algorithm.

Before making statements be sure you know what you are really talking about.
"It is better to remain silent and be thought a fool, than to open your mouth and remove all doubt"
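
Added example (not part of any post in this thread): the Modular Crypt Format check described in jandd's and bitsalame's posts, written as a defender's audit that reads the scheme identifier from each stored password field and lists the accounts that need rehashing. The function names, the sample rows and the policy of which schemes count as acceptable are assumptions of this example.

```python
import re

# Modular Crypt Format: "$<id>$[params$]<salt>$<hash>". The id names the scheme.
# Which schemes count as acceptable is this example's policy (an assumption).
MCF_SCHEMES = {
    "1": ("md5-crypt", False),      # salted, but only 1000 fixed MD5 rounds
    "2a": ("bcrypt", True),
    "2b": ("bcrypt", True),
    "2y": ("bcrypt", True),
    "5": ("sha256-crypt", True),
    "6": ("sha512-crypt", True),
}
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")  # size of a bare MD5 digest in hex


def classify(stored):
    """Return (scheme, salt, acceptable) for one stored password field."""
    if HEX32.match(stored):
        return ("unsalted-32-hex", None, False)
    parts = stored.split("$")  # "$1$salt$hash" -> ['', '1', 'salt', 'hash']
    if parts[0] != "" or len(parts) < 4:
        return ("unknown", None, False)
    scheme, ok = MCF_SCHEMES.get(parts[1], ("unknown-mcf-" + parts[1], False))
    if scheme == "bcrypt":
        salt = parts[3][:22]        # "$2b$<cost>$" then 22-char salt + hash
    elif parts[2].startswith("rounds="):
        salt = parts[3]             # "$6$rounds=N$salt$hash"
    else:
        salt = parts[2]
    return (scheme, salt, ok)


def audit(rows):
    """Map account id -> scheme for every row that needs a rehash at next login."""
    return {acct: classify(stored)[0] for acct, stored in rows
            if not classify(stored)[2]}


# Constructed sample rows: placeholder salts and digests, not real hashes.
SAMPLE = [
    (1, "$1$SaltSalt$" + "A" * 22),
    (2, "0123456789abcdef0123456789abcdef"),
    (3, "$6$rounds=5000$SaltSaltSaltSalt$" + "B" * 86),
    (4, "$2b$12$" + "C" * 53),
]

if __name__ == "__main__":
    for acct, scheme in audit(SAMPLE).items():
        print(acct, scheme)
```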


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: pipedr34 on June 19, 2011, 10:49:44 PM
My gmail account was among the leaked account details. I just logged in a couple of minutes ago and Google prompted me to change my password before I could access my inbox. I'm guessing someone cracked the MD5 hash and tried to access my gmail account. Good thing I didn't use the same password.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: grimex on June 20, 2011, 12:20:04 AM
My gmail account was among the leaked account details. I just logged in a couple of minutes ago and Google prompted me to change my password before I could access my inbox. I'm guessing someone cracked the MD5 hash and tried to access my gmail account. Good thing I didn't use the same password.
Oh, that happened to me too.  :o


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: Atheros on June 20, 2011, 02:48:58 AM
*rhymes*

No, Google was notified by Mt Gox and Google worked fast 'cause Google rocks.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: SomeoneWeird on June 20, 2011, 03:13:36 AM
And the lulz kick-starts again.

This is why I'm pretty heavily against using Mt Gox right now. That and the lack of Pound Sterling support sucks.

Was that an Example reference I got there? ;)


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: Confiscative on June 20, 2011, 03:15:11 AM
Rolling back won't change anything, but oh well, we'll see.


Title: Re: Market Crash: Mt Gox has been Hacked (Official Statement)
Post by: bitsalame on June 20, 2011, 07:11:55 AM
Rolling back won't change anything, but oh well, we'll see.

Well, my bet is that several accounts got compromised.
I would understand a rollback if the whole market got compromised.

But if it is only ONE account compromised, the rollbacks are not justified IMO.