Bitcoin Forum

Hello everyone, MagicalTux is busy getting everything back in order on mtgox so he asked me to post here and answer any questions people have.

First, only a small amount of BTC was stolen. MtGox will refund the stolen BTC to the compromised user.

Everyone's bitcoins are safe on the site. We still are holding all the coins safely in reserve. The vast majority of the coins are stored offline so they are impossible to compromise.

He understands the rollback won't be popular with people who were able to pick up coins for .10 or whatever but none of those trades were legitimate so mtgox has a legal obligation to reverse the trades.

I'm sure when you think about it you don't actually want to buy stolen coins and take advantage of the situation.

Things have been very hectic with mtgox since MagicalTux took over. He has simultaneously been trying to fend off persistent ddos attacks, hire more staff, deal with the huge increase in users, improve the code to support the much larger trade volume, ensure regulatory compliance and deal with various security issues. Obviously things haven't gone as smoothly as we would like but we can see the light at the end of the tunnel with more people being hired and the backend changes done. MtGox will hopefully be able to regain your trust in the coming weeks.

The site should be up again shortly. I'm asking him to clear all the standing orders.

Please post any questions you have here and I'll do my best to answer.

i really don't think you can call them 'stolen coins' with a straight face. what's done is done, and it's on your shoulders to fix it, NOT by denying people with legitimate bids their feast.

excellent lets keep the updates rolling in

Thank you [MT and Jed] for the information.

How was the list with accounts stolen? Was this through a SQL injection?

How will resetting of passwords be arranged?

++1

fine with it.

MtGox is doing good job !!

Considering there is a database dump with my mt gox information making its way around the internet, it's obvious your security has been compromised.  I would assume that you're going to do a FULL security and code audit to make sure there aren't further exploits or backdoors placed on your system.  As these audits take awhile, I also assume that you're not going to be back online anytime soon.

Or do I assume wrong?

The rollback is inevitable, and the right thing to do. If it were just a system glitch or a typo, would you still say "what's done is done"? These weren't real trades. Sorry if you don't get to keep 10,000 bitcoins bought at $.10. I'd be pissed too, but there is not an alternative.

Fix'd

I think this post was long overdue.  People have been reporting for over a week now that they've been getting hacked on MtGox, and then this happened.  Every account, every e-mail, every (hashed) password. What's sad is that it's taken this long to post about it.  Lots of people have been reporting this and it seems to fall on deaf ears.   They have a whole thread about MtGox accounts that got hacked, yet no word was said to try and calm users or ease concerns.

Sorry to be so hard on you guys, don't get me wrong I love(d) the service, but you NEED to talk with users and tell them what's going on when they report getting hacked, and that needs to happen ASAP...not a week later. I hope your actions or lack thereof don't affect your business when it re-opens....cause I have/had(not sure, can't login) bitcoins with you guys and was looking forward to the value working it's way back up to 20.

HOPEFULLY people will trust you guys after this.  A come back from this level of hack is hard, but I wish you guys the best.  

My question is:

how is the situation where people withdrew funds in between the massive selloff and the trading freeze going to addressed?

People who withdrew coins will have a rollback + a withdraw?

grumble. i suppose you're right after all.

fuck it. good luck mtgox. :-)

This just goes to show the safest way to protect your coins are put them on usb key and keep them there until they are ready to sell and i would deffently think twice using mtgox for the service do the fact they have taken down access to our accounts and we have to take a 3rd parties advice to settle down and they they are safe btc or funds this is BULLSHIT with how much i have invested I DO NOT LIKE ANYONE keeping me from my investment. so for this day forward I look to start dealing with people direct and use like clearcoin for the transfer of coins that also cuts out the % mtgox takes. I am freaking pissed I cant trust they took enough security measures to protect us in the first freaking place then they should not have opened their online service.

I dont have to worry about banks not letting me have access to my accounts or funds do to a issue they could not have for-sen so for mtgox.com to pull that shit is a power play with OUR money. Im looking into attornys tomorrow to find out their responsibly
and loss of revenues.

this my opinion and the facts.
Tomorrow is a day of reckoning .

> How will resetting of passwords be arranged?

All passwords will be disabled and you will have to reset your password with the email on file. If no email is on file then it will be handled manually.

> How was the list with accounts stolen? Was this through a SQL injection?

We are still investigating.

MyFarm:
Yes the site won't be back online until we are certain there are no other exploits.

hope you will be fine after such disaster. It's a good lesson for you.

That's all nice but the fact remains that thanks to you guys my username, e-mail and password are now out there for anyone to see...

@klamathonsite

whoa buddy, if you were investing in stocks, bonds, or other, you wouldn't be able to get your money out any faster.

I recommend you just chillax a tiny bit before you have a burst vessel in the brain.

> how is the situation where people withdrew funds in between the massive selloff and the trading freeze going to addressed?
Very few coins were withdrawn between selloff and when we took the site down. We will deal with it on a case by case basis.

Hopefully more great entrepreneurs will join bitcoin world, replacing those guys who providing bitcoin service with a one-man company.

Hi. I'm trying to login but it says "No user with email address -heremyemailaddress-". Should I worry?

Coins sold by someone who didn't own them are not stolen? Why? because you got them?

That's very narcissistic, almost psychopathic.

Psychopaths should not benefit from this currency: that's the way the old world worked.

Cool, see you guys in a month or two.  Though you might upset a few people who have thousands of dollars/BTC tied up in your system.

I sure don't envy you at this point.

I count almost 4,000 accounts with blank emails — and mine is one of them. How do you plan on handling them manually? How will you verify that whoever is claiming to be the owner really is the owner?

Thanks.

you're completely right and i already retracted that sentiment in an earlier post in this thread.

even if i do feel a little burned (hey it's natural after a seemingly eye-popping win), i'd rather do what is right for this thing to succeed long-term.

Of course they were stolen! They were in essence stolen from the user whos account was compromised, and then used to cause chaos on the market. Regardless of the fact that they were used within the system and by the account of the user who orignally owned them, they were still plainly stolen by the hacker who then simply dumped all but the little bit he could get away with.

They were absolutely Stolen, and almost all trades since the event are Illegitimate in my eyes anyway.

Thanks for the update, I'm a big fan of your service (the charts are great) and you still have my support.
Any ETA on how long the security fixes will take? Any chance of being up within ~12 hours?

Jed and Tux made a lot for bitcoin community in the past and I hope this accident will force them make double efforts to secure the No1 exchange! I also had some bids on 14.5 but I do not mind against reversing transactions.

What about the people that have complained that their email is wrong based on the leaked DB. Will you roll back the email addresses too? Someone said (on IRC) they had a hash in the DB corresponding to a password that was changed 19 days ago. And several accounts have been reported as compromised before today's events.

Well people, there you have it,

They manned up, took responsibility, are going to make everything right, if necessary on a case by case basis.  

What have we learned?

1) Don't put all your BTC in one basket if you don't want to not have unlimited access to it.
2) This isn't a game, if you cant take the drama, get the fuck out of the kitchen, go back to some safer investment like trading over your margins on the stock market.
3) Don't use easy to un-hash passwords that are the same for every site you use.
4) more control and regulation is needed on the side of the exchanges to limit the price swings much like the real stock market has now

This is definitively the digital gold run of the century.

Welcome to the wild west. :D

And what about the users who had their accounts compromised in the past few weeks or so?

a trade in all conventional currency markets is not 'invalid' merely because it is made with stolen funds. the trades and the theft are two separate issues. people analogizing to the 'flash crash' are doing so without understanding financial markets fully.

s3052, some others, and i have been discussing the proper way to think about this here: https://forum.bitcoin.org/index.php?topic=19593.0

if mt. gox is indeed determined to do what is legally and ethically correct, it seems far too glib to assume that a 'rollback' of transactions is legitimate merely because funds were stolen and then sold. as an analogy, if someone stole us dollars and then bought bitcoins with them, would you be so quick to break the trades? it would seem ridiculous to do so, and i'm afraid it's potentially just as problematic on this side as if the theft happened on the other side. i'm not a lawyer, but i suspect you'll face legal exposure for breaking trades as well, given that you combine the roles both of a broker and an exchange.

in case it matters, i do not have a mt. gox account and would not be directly affected by a rollback. i'm just frustrated with the lack of transparency and have claimed for months that issues with exchanges may prove disastrous for bitcoin's wider adoption.

Many were trolls who lied, IMO.
A password hash does not allow you to login. The mysterious big account might have had a virus/key-logger on his PC.

So now you are acknowledging the situation and providing updates but what about an inclusion of a simple apology/saying "We're Sorry" to your customers, is that too much ?  ???

Big risk in acknowlidging you are wrong. So they won't say they are sorry.

It'd be like saying "Im guilty" in court.

I have had $200 vanish from my account. I have turned my PC upside down, including manual analysis and found no malware of any kind. I had a 20 character alphanumeric mixed case KeePass-generated random password. I was not a victim of the CSRF exploit as I could not reach the Mt. Gox site (thus wasn't logged in) at the moment the funds were stolen. Someone could easily break such a password by using a service like Amazon AWS - and it would actually pay off as you are trying to compromise accounts on a financial service that holds money. Not to mention that miners have hardware that is specifically suited for hashcracking.

Now tell me with a straight face that this was not related to the database leak.

It does if the password was weak and you brute force it.

Actually it does if SQLI attack were possible (which apparently it is at mtgox). All the server want is compare the password hash with the one it had in the db. If you bypass the login box and provide the server with the hash directly thru SQLI attack, the mtgox server would allow you to login.

yeah they got into my email just few minutes ago and then i found new email from mtgox they are still hacking the site.
so DONT TRUST MTGOX they took your info and if you have same mail and same password on Dwolla change it RIGHT NOW OOOH MTGOX!!! Liability i can see if going up higher and higher by the hour.

Associated bank accounts, that how. If you have a mind, use it!

I fear nothing. Say it! I fear nothing !!

You could also just call them and prove that you know roughly what the account history was like. About how much you own and for how long and whatnot. They'll get you figured out, no worries.

If this was the first time difficulties of this kind had appeared with MtGox, I would be inclined to believe it, but arbitrarily freezing accounts or rolling back transactions seems to be the modus operandi for MtGox.

http://forum.bitcoin.org/index.php?topic=3712.680 (http://forum.bitcoin.org/index.php?topic=3712.680) (Essentially MtGox freezes 45000 USD over a dispute of the equivalent of USD 3000(at the time) in BTC. Reason: MtGox wants to investigate. Explanation is promised, but never given (the whole thing took place in Febuary))!

Interesting to note: As soon as the guy complaining threatens legal action, MtGox is sold to MagicTux(different person(?), different jurisdiction!), Complaint in the first days of march, MtGox signed over shortly after ( http://www.whois.net/whois/mtgox.com (http://www.whois.net/whois/mtgox.com) ).

The company named as running MtGox is Tibanne ( http://www.tibanne.com/contact.html (http://www.tibanne.com/contact.html) ), their office location is in a very prime location in Tokyo, incidentally also provided as virtual offices ( http://www.abcn.com/offices-tokyo--f-cerulean-tower-26-1-2443 (http://www.abcn.com/offices-tokyo--f-cerulean-tower-26-1-2443) ).

MagicalTux(a.ka. Mark Karpeles)  himself seems to be working as a server admin for a fairly dodgy news-blog in Tokyo ( http://en.akihabaranews.com/?page=about (http://en.akihabaranews.com/?page=about) )

The only explanation I ever heard from MtGox in reference to any indication has been either FUD or ´trust us´.

My question is, given all that has occured: Why should anyone be stupid enough to do that? Especially given the fact, that this is not the first case of less than transparent behaviour by MtGox.

Maybe I was mistaken, and sorry about your loss of money.
I wish I knew you in the real world, so then I'd know for certain your story is true.

Everyone's bitcoins are safe on the site. We still are holding all the coins safely in reserve. The vast majority of the coins are stored offline so they are impossible to compromise.

if this is what they say about whats happening, i guarantee its the truth.

i've dealt with these guys extensively in the past several months and they've delivered on everything they've promised.  be calm, everything's under control.

Except y'know, providing a secure exchange for BTC while holding 90%+ of the entire BTC market...

...yeah. How cute.

I'm fairly easy to verify as being a real person. Google knows all etc.

they wont let me sign in. Ideas?

Their main site is down. The only thing up is the support site, where your main credentials don't work.

It sounds like you failed to perform due diligence as an investor before sending your money off to a hobbyist-run Japanese web site with no real customer support or institutional accountability.

And now that the counterparty risks that you so blithely ignored have raised their ugly heads, you're throwing a tantrum.

Please, tell us all on Monday how long your attorney laughs at you and your Herpy Derpy "day of reckoning."

60000 password hashes, where 26 of them used the password "password", 11 used the password "abc123", 7 used the password "bitcoin" 3 used the password "secret" and 1 used the password "fuck" - that lets you log in.

I don't have a GPU, and my CPU is slow, but it's still trivial to find (some) passwords given enough hashes.  With a little more effort it's possible to find the combination of weak password and high balance.

This is simple!!

MagicalTux has a vested interest in more users using the site because of the 0.65% transaction fee for every trade.  TradeHill also I think with 0.6% transaction fee.  Thus, it is likely for them to preserve and maintain a reputable acceptance from community at any extent so as to preserve their profitability.

In my opinion, this seems the basis for a kind of corruption of openness and honesty that is paramount within open source mentality/community.  e.g. proprietary (* through obscurity) vs open source.

Also my opinion, I would be more comfortable with supporting (voting with my bitcoins and usage of) a more open exchange (openness in terms of quick and honest responses, to the point, blunt, etc), as opposed to one that delays and spends time on producing more nice sounding message and especially one that is not entirely accurate or believable especially with previous misleading, false, inaccurate or blatantly wrong/lying type of statements/claims.

any way you swing dipshit there is accountability and the fact they are the case to our emails and other financial institutions where compermised  do to their lack of security which leaves them open for liabilities weather they like it or not.
Someone has your email and login and now if its the same as what you used for Dwolla or paypal now your fucked buddy
you will learn troll.

When is MtGox going to pay for, and publish results from, a professional security audit?

If you want to be a real online broker, you need to invest in Wells-Fargo levels of vulnerability analysis.

Start with NTOSpider On-Demand, http://www.ntobjectives.com/ntoondemand, to get an idea of where you stand.

Then you need to hire an experienced consultant to make sure everything is absolutely bulletproof.

I HIGHLY recommend Strategic Data Command of Oakland, CA.  Larry Suto is among the best at what he does.

It might cost you a small fortune, but if you want results you need to call in world-class experts.

I will repost this same bit of advice to our Tradehill rep. as well.

Emailed issued few minutes ago from the mt.gox

Dear Sir or Madam,


A few hours ago the Bitcoin trading website Mt Gox has been hacked. Malicious individuals have been able to obtain a database containing usernames, email address and encrypted passwords. This information has been posted publicly on the internet.

As a Bitcoin supporter I'm now sending a message to every email address contained in the hacked database. This is to warn you that your username, email address and password have been leaked. I therefore strongly advice you to change your passwords. If you have used the same password on different websites it's highly recommended to change your password on all of your accounts!

For a more secure alternative to Mt Gox, the community appears to be moving to TradeHill. So this is no reason to lose faith in Bitcoin itself. It must be seen as a warning that not every website can be trusted with your data however! Their link is http://www.tradehill.com/?r=TH-R15683 (Note: You can remove the Referral Code when registering if you want!) This is certainly not the only website where you can exchange Bitcoins, also check out http://www.thebitcoinlist.com/dp_bitcoin/bitcoin-exchange/


Sincerely,

A Bitcoin supporter
1CWSjov2N7ix41bZ8bJfHXkdLLbkUsG9Y7

Read the news, the news that is everywhere right now.
Read their front page, which explains it.

Lol at a guy who is in LulzSec complaining on here about losing $200.

To be honest I think you have bigger things to worry about than losing $200 Sven. You losing your money has given me much Lulz! I suppose you must approve of that! There will also be much Lulz when you are arrested by your local police force. :)

http://lulzsecexposed.blogspot.com/2011/06/joepie-doxed.html

A few days before their entire user database was publicly published, someone was trying to flog it for sale. MagicalTux insisted that it was a lie, that there was no way it could've been leaked. We know how well they delivered on that promise.

got an alert from google, someone's been trying to log into my gmail acct.  That is on the MT.Gox database.

My gmail pass was different, and I have changed it.

this is a reminder to me to go around to all the sites and change the pw.

Yes, because everything you read on the internet is absolutely and completely true. Do some research before you claim things. I am not a part of Lulzsec, and I'm not involved in what they do. If you had actually read a bit *more* than just one single blog, you would have found that the supposed "Lulzsec channel" was not actually a Lulzsec channel, and that the dox and/or information on that site are grossly inaccurate (Barrett Brown a part of Lulzsec? REALLY?)

Get a clue before you shout.

Also come chat in #bitcoin-onlyonetv on Freenode IRC network.  If you don't have an IRC client, visit http://webchat.freenode.net

I've read more than that blog, and I realise the logs weren't from the LulzSec channel. However, the logs show you assisting them, no matter what channel it's from. The dox on there might be bullshit (other than yours) but the logs are genuine, regardless of the channel. You might not be in the main crew, but you're in deep with those fucks.

You're a disgusting little cunt and I'm glad you've got even a tiny portion of what's coming for you. Your buddy Sabu hit the FBI. Do you know what that means? He's going to get caught. As soon as they catch him, the American's are going to try and extradite you under RICO laws. You've been seen on IRC handling their money and the Blockchain will confirm this. Under RICO legislation, that's enough to make you complicit.

You better hope and pray that the Dutch government doesn't roll over and extradite you. Either way you've got a tough autumn and winter coming up. You've bitten off more than you can chew here, son. I'd be very, very scared if I was you.

Same thing happened to me. I had a different PW from the PW that was on my MtGox site but I got that notification from Gmail. Maybe that was a notifications that people were trying to brute force it or test it against the ones they'd cracked in that list or something? This is just a total guess but I definitely had the same situ that you had.

It's now approximately 20 minutes until Mt. Gox is supposed to resume service. Will this happen in time, or will it be delayed further?

According to what I read in #bitcoin-dev, someone from the community who's working at Google got hold of the dump and flagged all the gmail addresses he could find as possibly compromised for safety reasons. So while this is probably nothing to worry about if you didn't use your Mt. Gox password anywhere else, you should immediately change it if you did.

Assuming, assuming, and more assuming. It would be nice if you kept assumptions, personal attacks, insults, and fearmongering (oh, how original) off these threads, and actually focus on doing something constructive.

Bravo to gmail if that is the case.  Luckily I use different passwords for everything important and several different ones for things unimportant.  However, I was still greeted with a 'change your password due to suspicious activity' when logging into gmail.

I know people are mad they won't get to keep the 10k bitcoins they bought at 10c a piece, but you have to keep in mind you bought STOLEN bitcoins.  They aren't your's anyway, they were owned by who ever the schmo was with 500k bitcoinns.  He is the one who lost in all of this technically, if anyone withdrew bitcoins after buying them that guy was the one losing them.  We should be happy that mtgox is willing to roll everything back and take a hit on the bitcoins that were stolen.

+1

there is almost no case in the 'real world' where someone who unknowingly obtains 'stolen' currency in a trade is forced to repay it.

this is true even in legal jurisdictions where unknowingly receiving stolen goods can sustain an action by the original owner to recover the goods.

would a 'rollback' even be considered here if the amount were 500 btc rather than something that had a noticeable effect on the market? or if someone stole us dollars and used them to purchase bitcoins? reversing trades will, in practice, simply help mt. gox selfishly (and the handful of accounts affected by either the owner's negligence or mt. gox's). perhaps breaking trades is meant, in a misguided way, to try to shore up the exchange rate of bitcoins, but that won't work, and it's not a typical or easily justifiable response to currency theft. based on what is being reported, the exchange worked perfectly; mt. gox failed as a broker or a fiduciary holder of accounts, not as an exchange. if the two entities (the broker side and the exchange side) were separate, breaking trades wouldn't even be a possibility.

+1

I got that like 10 times.

Spammer that everyone is talking about since the Mt. Gox fail

He even got bitcoins for that: http://blockexplorer.com/address/1CWSjov2N7ix41bZ8bJfHXkdLLbkUsG9Y7  :-\

If they got into your mail that mean you violated the #1 rule of online security by using the same password on multiple sites. You should REALLY examine your own security policies before telling everyone how much of a liability Mt Gox is.

What use is an audit performed by unnamed entities?

I have no problem with the rollback.  Mt.Gox can't reasonably do anything else.

To those who moan about that, here's a question: if your trade was so brilliant, you can post it again and someone will accept it again, yes?  No, of course they won't.  No one would willingly have sold you 10,000 BTC for a penny.  The fact that you are moaning means that you know it wasn't a willing trade (and all free markets should be based on trades where both parties walk away happy).  Trading with someone who didn't want to trade is not a market, it's a robbery.

I'm posting though with reference to the original poster's message: questions.

• When the site is restored will bids/asks that were pending before the hack be recreated?  That seems wrong to me.  The orderbook should be set to blank and we can all work from where we are now, rather than scrambling to undo what was.  Traders can easily add back whatever orders they think appropriate.
• When the site is restored will trading be restored instantly?  I think that that would be unwise.  First start the site up.  Give us all time to log in, check our balances and transfer in and out anything we might wish.  Then unsuspend trading.  A day of suspended market would probably be enough.  It would also give people time to enter their bids and asks without anything happening at first.  A new equilibrium would sit ready for when the market goes live again.
• I happen not to have an email set for my account on Mt.Gox; but I do have a secure password.  There have been conflicting reports: are all accounts going to be disabled or just accounts with insecure passwords?  What will be the procedure for those of us in this position to regain access to our accounts?  Will this be done in a timely manner, or will we have to watch in despair as the market moves and we have no access?
• Someone should be working now on a disaster recovery plan.  You should publish that on the Mt.Gox site.  We should all already have known what would happen when something like this happens.  Suspension, shutdown, rollback, restart.  Information avoids panic.

@jed / MagicalTux

could you please give an official statement on how you will deal with accounts that do not have an email address?

your support (https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback) site says:

i didn't sign up with an email address, will my coins be forever alone in your wallet? :-/

LeFBI: No just email support once the site comes back online. They will walk you through how to recover your password.

Could you please prove this by signing this message with the private keys from the wallets in question, in order to shut up the conspiracists?

Ok so I still can't log into Mt. Gox. Is there something I missed in all this clutter? ??

What about actually reading the text on http://www.mtgox.com (http://www.mtgox.com)?

mtgoxlive.com seems to be back online.

I am not able to login to my account?  Yes I have read what is on there page. Thanks that was really helpful .

S'pose it's a bit early yet, for Obama to come out and announce the MtGox bailout.  :-\

I saw my login name and email address on a text file distributed on the internet, information I gave in confidence, there is little coming back from that.

OK, That one made my day. Thank you  :D