Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: romsek on June 20, 2011, 02:15:34 AM



Title: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: romsek on June 20, 2011, 02:15:34 AM
Quote
[Update - 2:06 GMT] What we know and what is being done.
  • It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
  • Two months ago we migrated from MD5 hashing to FreeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
  • We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
  • Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
  • When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.
  • Once Mt.Gox is back online, trades 218869~222470 will be reverted.

We will continue to update as we find new information.

Source: https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
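The announcement above names three password storage schemes in succession: plain MD5, salted MD5 (the FreeBSD md5crypt format), and salted multi-iteration SHA-512. The following Python is an added example, not Mt.Gox code and not from any poster in this thread. It puts the three side by side and shows the login-time upgrade a site is forced into because a stored hash cannot be converted to a stronger scheme without the plaintext, which is why accounts idle for two months were still on the old format. Assumptions, also marked in the code: the salted-MD5 function is a simplified stand-in rather than the real md5crypt algorithm, PBKDF2-HMAC-SHA512 at 100,000 rounds stands in for whatever iterated construction Mt.Gox actually deployed, and the `$scheme$...` record formats are invented for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not Mt.Gox code): the three storage schemes named in the
# announcement, side by side, plus the login-time upgrade path a site needs
# when it cannot re-hash stored passwords without the plaintext.

PBKDF2_ROUNDS = 100_000  # assumed iteration count; the announcement gives none


def md5_unsalted(password: str) -> str:
    """Legacy scheme: one MD5 per password, so equal passwords give equal
    hashes and a single precomputed table covers every leaked record."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted MD5 with a per-user random salt. Simplified stand-in, NOT the
    FreeBSD md5crypt algorithm. The salt defeats shared lookup tables, but a
    single MD5 round is still cheap to guess against."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"$md5s${salt.hex()}${digest}"


def sha512_iterated(password: str, salt: Optional[bytes] = None,
                    rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted, multi-iteration SHA-512. PBKDF2-HMAC-SHA512 is assumed here;
    the announcement does not say which construction Mt.Gox chose."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return f"$pbkdf2-sha512${rounds}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive from the parameters stored in the record and compare in
    constant time, so timing does not reveal how many bytes matched."""
    if record.startswith("$pbkdf2-sha512$"):
        _, _, rounds, salt_hex, dk_hex = record.split("$")
        dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex)
    if record.startswith("$md5s$"):
        _, _, salt_hex, _ = record.split("$")
        return hmac.compare_digest(md5_salted(password, bytes.fromhex(salt_hex)), record)
    return hmac.compare_digest(md5_unsalted(password), record)


def needs_rehash(record: str) -> bool:
    """Anything not already on the iterated SHA-512 scheme is legacy."""
    return not record.startswith("$pbkdf2-sha512$")


def upgrade_on_login(password: str, record: str) -> Optional[str]:
    """Called on a login attempt: the plaintext is available only now, so this
    is the one moment a legacy record can be migrated. Returns the new record,
    the unchanged record if it is already current, or None if the password is wrong."""
    if not verify(password, record):
        return None
    return sha512_iterated(password) if needs_rehash(record) else record


if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    pw = "correct horse battery staple"
    print("unsalted records collide:", md5_unsalted(pw) == md5_unsalted(pw))
    print("salted records differ:   ", md5_salted(pw) != md5_salted(pw))
    legacy = md5_unsalted(pw)
    print("after next login:", upgrade_on_login(pw, legacy)[:22], "...")
```

Run directly, it shows that two users with the same password share one unsalted MD5 hash but get distinct salted records. `upgrade_on_login` is the migration point: a legacy record is only replaced when its owner next authenticates successfully, so idle accounts stay on the old scheme until they are either logged into or force-reset, which is what the mandatory password change in the announcement does.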


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: DanielC on June 20, 2011, 02:19:09 AM
I guess that makes me feel somewhat better...


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: Oldminer on June 20, 2011, 02:19:40 AM
lol it will be fun trying to verify my IP seeing as my VPN gives me a new one every time I connect to the net... hope it's not this hard...


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: Astro on June 20, 2011, 02:22:39 AM
Stop hiring the worst security auditors in the world.


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: Chick on June 20, 2011, 02:28:18 AM
Quote
Stop hiring the worst security auditors in the world.

They just said it was a "financial auditor".

WTF? IKR?


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: dust on June 20, 2011, 02:30:08 AM
100-200 BTC + ~1000 USD stolen.  Doesn't seem too bad...


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: BCEmporium on June 20, 2011, 02:31:33 AM
Quote
It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised.

Someone needs to audit the one who audits...  ::)


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: Epinnoia on June 20, 2011, 02:32:20 AM
If the auditor was attacked by a hacker, how was it that the hacker knew that the auditor's machine was even bitcoin-related?  Something here doesn't pass the sniff test.

This screams 'inside job'.



Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: BCEmporium on June 20, 2011, 02:35:03 AM
For me it was Kevin Mitnick disguised as a janitor...


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: aral on June 20, 2011, 02:37:32 AM
Yeah, right.  The only crackable stuff they got were some idle accounts yet they managed to drive the price to 0.01$ and steal a bucketload of BTC.

And... you used unsalted md5?  Really?  Oh but that was two months ago so it's ok? :-\ Fuck me.  


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: Insuremeplz on June 20, 2011, 02:42:21 AM
Quote
100-200 BTC + ~1000 USD stolen.  Doesn't seem too bad...

I don't believe this, unfortunately :(


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: DonnyCMU on June 20, 2011, 02:49:59 AM
Quote
100-200 BTC + ~1000 USD stolen.  Doesn't seem too bad...

So.... could they, or someone, explain about the 200,000-400,000 Bitcoins that were sold off, and drove the price down to 1 cent???


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: tehcodez on June 20, 2011, 02:52:38 AM
I think he mentioned that


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: haydent on June 20, 2011, 02:53:37 AM
is there a way to find out your trade number? maybe from trade notification email or something?

Quote
Once Mt.Gox is back online, trades 218869~222470 will be reverted.


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: Epinnoia on June 20, 2011, 03:06:22 AM
The excuse given was to blame the auditor.  And for privacy reasons, they won't name the auditor.

This doesn't make any sense at all.  What use is an audit performed by unnamed entities?  It's the credentials of the auditor which give credence to the audit they perform, is it not?



Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: semarjt on June 20, 2011, 03:18:24 AM
Quote
The excuse given was to blame the auditor.  And for privacy reasons, they won't name the auditor.

This doesn't make any sense at all.  What use is an audit performed by unnamed entities?  It's the credentials of the auditor which give credence to the audit they perform, is it not?

What use is it for an auditor to have password hashes?


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: tiberiandusk on June 20, 2011, 03:20:03 AM
Quote
100-200 BTC + ~1000 USD stolen.  Doesn't seem too bad...

So.... could they, or someone, explain about the 200,000-400,000 Bitcoins that were sold off, and drove the price down to 1 cent???

As far as I have gathered those transactions were internal to Mt. Gox and were never paid out. They weren't actual bitcoin transactions.


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: bitcoinminer on June 20, 2011, 03:20:58 AM
May not have been an SQL injection, but it was sure as hell a Hot Beef Injection!!!


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am
Post by: NO_SLAVE on June 20, 2011, 03:22:13 AM
Quote
is there a way to find out your trade number? maybe from trade notification email or something?

Quote
Once Mt.Gox is back online, trades 218869~222470 will be reverted.

yes THIS ^^^

is there a database of trades and numbers?


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: Astro on June 20, 2011, 03:22:24 AM
Quote
May not have been an SQL injection, but it was sure as hell a Hot Beef Injection!!!

zing


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: sang on June 20, 2011, 03:24:48 AM
Quote
100-200 BTC + ~1000 USD stolen.  Doesn't seem too bad...

So.... could they, or someone, explain about the 200,000-400,000 Bitcoins that were sold off, and drove the price down to 1 cent???

Quote
As far as I have gathered those transactions were internal to Mt. Gox and were never paid out. They weren't actual bitcoin transactions.

Not true. I had a buy order in around $12/btc that triggered on the way down and I was able to withdraw my BTC before the site shut down. I'd like to know how they plan to roll THAT back.


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: Oldminer on June 20, 2011, 03:32:37 AM
Quote
May not have been an SQL injection, but it was sure as hell a Hot Beef Injection!!!

Ewwwwww!  ;D


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: bitcoinminer on June 20, 2011, 03:34:02 AM

Quote
Not true. I had a buy order in around $12/btc that triggered on the way down and I was able to withdraw my BTC before the site shut down. I'd like to know how they plan to roll THAT back.

Nice!  Stolen coin bonus!


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: kjj on June 20, 2011, 03:41:29 AM
Quote
The excuse given was to blame the auditor.  And for privacy reasons, they won't name the auditor.

This doesn't make any sense at all.  What use is an audit performed by unnamed entities?  It's the credentials of the auditor which give credence to the audit they perform, is it not?

Quote
What use is it for an auditor to have password hashes?

No use whatsoever.

However, they are easy to overlook if someone asks you to make a quick dump of the database to give to the auditors.  Bet they'll have a formal policy and procedure in place before the next audit...
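One concrete shape that "formal policy and procedure" can take, as an added example that is not Mt.Gox's code and not from any poster here: instead of a full table dump, the auditor is handed a file materialised from a view that carries balances but no credential columns, and the export job itself only ever opens production read-only. The schema, sample rows, column names and the `audit_users` view are constructed for the example; SQLite stands in for whatever database Mt.Gox ran.

```python
import os
import sqlite3
import tempfile

# Added example (not Mt.Gox code): a scoped export for an outside auditor,
# contrasted with the "quick dump" that drags password hashes along with the
# balances. Every row, hash and salt below is a constructed placeholder.

CREDENTIAL_COLUMNS = {"password_hash", "salt"}

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    password_hash TEXT NOT NULL,
    salt TEXT NOT NULL,
    btc_balance REAL NOT NULL,
    usd_balance REAL NOT NULL
);
-- The only relation an audit export is ever built from: no credential columns.
CREATE VIEW audit_users AS
    SELECT id, email, btc_balance, usd_balance FROM users;
"""

SAMPLE_USERS = [  # constructed rows; hashes and salts are placeholders
    (1, "alice@example.com", "HASH-PLACEHOLDER-1", "SALT-1", 12.5, 100.0),
    (2, "bob@example.com",   "HASH-PLACEHOLDER-2", "SALT-2", 0.0, 2500.0),
    (3, "carol@example.com", "HASH-PLACEHOLDER-3", "SALT-3", 310.0, 0.0),
]


def build_production_db(path: str) -> None:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    conn.close()


def quick_dump(path: str):
    """What a hurried 'SELECT * and send it over' export hands out."""
    conn = sqlite3.connect(path)
    cur = conn.execute("SELECT * FROM users")
    cols = [d[0] for d in cur.description]
    rows = cur.fetchall()
    conn.close()
    return cols, rows


def export_for_audit(src_path: str, dst_path: str):
    """Materialise only the audit view into a fresh file. The auditor receives
    dst_path, never a copy of production, and the job reads the source with
    mode=ro so the export step itself cannot modify anything."""
    src = sqlite3.connect(f"file:{src_path}?mode=ro", uri=True)
    cur = src.execute("SELECT * FROM audit_users")
    cols = [d[0] for d in cur.description]
    rows = cur.fetchall()
    src.close()
    dst = sqlite3.connect(dst_path)
    dst.execute("CREATE TABLE audit_users (%s)" % ", ".join(cols))
    dst.executemany("INSERT INTO audit_users VALUES (%s)" % ", ".join("?" * len(cols)), rows)
    dst.commit()
    dst.close()
    return cols, rows


def exposed_credentials(columns) -> list:
    """Pre-release check: which credential columns would leave with this export?"""
    return sorted(CREDENTIAL_COLUMNS & set(columns))


def readonly_rejects_writes(path: str) -> bool:
    """Confirm that a mode=ro connection really refuses an UPDATE."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        conn.execute("UPDATE users SET usd_balance = 0")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


def run_demo() -> dict:
    """Build a throwaway production DB, run both export styles, report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = os.path.join(tmp, "prod.db")
        export = os.path.join(tmp, "audit_export.db")
        build_production_db(prod)
        dump_cols, _ = quick_dump(prod)
        audit_cols, audit_rows = export_for_audit(prod, export)
        return {
            "dump_exposes": exposed_credentials(dump_cols),
            "export_exposes": exposed_credentials(audit_cols),
            "export_rows": len(audit_rows),
            "readonly_enforced": readonly_rejects_writes(prod),
        }


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` reports which credential columns each approach would ship: the quick dump exposes `password_hash` and `salt`, the view-based export exposes neither, and the read-only connection refuses the UPDATE. Applied to the incident above, a compromised auditor workstation would then yield balances and e-mail addresses rather than hashes; e-mail addresses are still sensitive, as the Gmail lockouts in the announcement show, so whether they belong in the export at all is a separate decision for the same procedure.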


Title: Re: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT
Post by: dana.powers on June 20, 2011, 03:42:07 AM
Quote
Not true. I had a buy order in around $12/btc that triggered on the way down and I was able to withdraw my BTC before the site shut down. I'd like to know how they plan to roll THAT back.

The way they'll have to deal with this is not roll back the buy-side of a transaction if it was withdrawn.  Roll back the sell-side and cover the difference.  I.e., if market price is 17 and you bought at 12, MTGOX will have to refund the BTC to the rolled-back seller from the MtGox stash or, if stash is too small, add $5 per BTC to your $12 per and buy them back on the open market then refund to seller.

No doubt some buyers withdrew, but if it isn't a huge percentage then MtGox should be fine to cover the loss from the fees it's collected so far.  But we'll see what actually happens...