Bitcoin Forum
361  Bitcoin / Bitcoin Discussion / Mt.Gox and void trades: Force Majeure on: June 21, 2011, 09:36:53 AM
Hi,

For all those willing to sue Mt.Gox because we will be making trades void, please remember that criminality usually falls under "force majeure" by its externality (not like we would have ever wanted that), unpredictability and irresistibility (we resisted most hack attempts, this one was "strong" enough to go through).

Quote
Force majeure (French for "superior force"), also known as cas fortuit (French) or casus fortuitus (Latin),[1] is a common clause in contracts that essentially frees both parties from liability or obligation when an extraordinary event or circumstance beyond the control of the parties, such as a war, strike, riot, crime, or an event described by the legal term "act of God" (such as flooding, earthquake, or volcanic eruption), prevents one or both parties from fulfilling their obligations under the contract.

In this very specific case, any "trade contract" (if you see that as such) is void due to force majeure. Subsequent trades directly or indirectly resulting from the hacking fall under the same rule.


Now don't be so selfish and stop trying to claim benefits you generated from nothing by abusing an extraordinary situation. I appreciate all the attention and all the mail about lawsuits, threats and more, but I'd prefer to be working on "Stuff that Matters®".
362  Bitcoin / Bitcoin Discussion / Re: MtGox should be arrested on: June 21, 2011, 02:00:06 AM
This is potentially a 5-10m heist.  No one knows what's going on. 

This should open up lawsuits and criminal proceedings.  We don't know if MtGox stole it or what his intentions were.  We don't know ANYTHING.

You guys are blind religious fanatics for trusting this idiot.  I hope he contacts the FBI.  He's at least negligent and at worst, a criminal.

We already have criminal proceedings in process against whoever did the hack.
363  Bitcoin / Bitcoin Discussion / Re: I'm MtGox, here's my side. on: June 21, 2011, 12:07:20 AM

MT posts some random selective login (why?) logs, and you immediately believe him? hmm.

I posted all the logins on Kevin's and the hacked account for May 19th.
364  Bitcoin / Bitcoin Discussion / Re: I'm Kevin, here's my side. on: June 21, 2011, 12:01:53 AM
Kevin, after what Mt Gox did in the "their side" thread to try and CONNECT YOU with the hacker, I sure as hell hope you file that injunction.
I sure hope too, will make it easier for us.
365  Bitcoin / Bitcoin Discussion / Re: I'm MtGox, here's my side. on: June 20, 2011, 11:52:47 PM
Let me show you the login logs for our hacker guy on his account full of bitcoins, and Kevin:

Code:
[2011/06/19 05:00:02] Hacker login
[2011/06/19 05:12:10] Kevin login
[2011/06/19 05:15:10] Hacker login
[2011/06/19 05:22:35] Hacker login
[2011/06/19 05:45:39] Hacker login
[2011/06/19 06:08:18] Hacker login
I don't understand. Which account? Kevin and the hacker used the same account?

Yeah Please Explain this Jargon, And what is it that you're implying by it?

He is saying that Kevin logged in 12 minutes after the attacker logged in to start the attack.  Not damning by itself, and almost certainly a coincidence, but still a connection that needs to be followed up, particularly in light of how it all played out.

And placed a buy order at 0.01 USD per btc.

It's quite odd that Kevin could login when the rest of us couldn't.  I watched the whole thing unfold and I certainly couldn't get in.
The other thing MT might be implying is that Kevin logged into the hacked acct?  Now that would be damning.  Please clarify?

He logged in 3 minutes before the whole thing unfolded.
366  Bitcoin / Bitcoin Discussion / Re: I'm MtGox, here's my side. on: June 20, 2011, 11:27:37 PM
Let me show you the login logs for our hacker guy on his account full of bitcoins, and Kevin:

Code:
[2011/06/19 05:00:02] Hacker login
[2011/06/19 05:12:10] Kevin login
[2011/06/19 05:15:10] Hacker login
[2011/06/19 05:22:35] Hacker login
[2011/06/19 05:45:39] Hacker login
[2011/06/19 06:08:18] Hacker login
I don't understand. Which account? Kevin and the hacker used the same account?

Yeah Please Explain this Jargon, And what is it that you're implying by it?

He is saying that Kevin logged in 12 minutes after the attacker logged in to start the attack.  Not damning by itself, and almost certainly a coincidence, but still a connection that needs to be followed up, particularly in light of how it all played out.

And placed a buy order at 0.01 USD per btc.
367  Bitcoin / Bitcoin Discussion / Re: I'm MtGox, here's my side. on: June 20, 2011, 11:21:53 PM
We don't give a shit.

You were stupid and ill equipped, and you should admit defeat.

This is my take as well. The fact is that you were compromised. We've all seen absolute proof. When you decided you were going to move into real commodities of significant value, along with seeing dollar signs, you should have made SURE you were secure. This is on you. Most people will cut you a break, but you were lax on your security. You saw $ signs, got greedy, and didn't take necessary precautions.

If you think installing new securities and recoding everything can be done instantly. Mt.Gox had a growth far too fast to give us enough time for this, and we did our best to fix every found problem.

In the end however the accounts were leaked because of something completely different...
368  Bitcoin / Bitcoin Discussion / I'm MtGox, here's my side. on: June 20, 2011, 11:13:03 PM
Hi,

Since lots of people have been posting on http://forum.bitcoin.org/index.php?topic=20207.0 let me give you some info too. The cat is out, so let's just as well put out as much info as I can. Kevin publicly asked me to reply, so here is my response.

Kevin has no buy order as of the day preceding the attack. Now, he bought 258k bitcoins at 0.01 USD per bitcoin (0.0101 if you include our 0.65% fee).

Let me show you the login logs for our hacker guy on his account full of bitcoins, and Kevin:

Code:
[2011/06/19 05:00:02] Hacker login on hacked account
[2011/06/19 05:12:10] Kevin login on his account
[2011/06/19 05:15:10] Hacker login on hacked account
[2011/06/19 05:15:36] Hacker starts selling
[2011/06/19 05:22:35] Hacker login on hacked account
[2011/06/19 05:45:39] Hacker login on hacked account
[2011/06/19 06:08:18] Hacker login on hacked account

Kevin had only one chance that day to place his 0.01 buy order. So either he had a lot of luck, and somehow knew it was the right time to place a 0.01 buy order, or something smells fishy in there. It's not up to me to decide, but I will report this as it has become a public matter.

Therefore I choose option 4:

Option 4: Mt Gox signals this to the competent authorities
+ We are safe
+ We may even have a chance of catching our hacker if Kevin knows him
+ We can rollback without having to worry
- Having to deal with FBI, provide logs and proof
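The timeline in the log above, worked through as an added example (not part of the original post): it parses the bracketed timestamp format and computes the gaps the thread argues about. The function names are made up for this illustration; the log lines are copied from the post.

```python
import re
from datetime import datetime

# Log lines as posted above.
LOG = """\
[2011/06/19 05:00:02] Hacker login on hacked account
[2011/06/19 05:12:10] Kevin login on his account
[2011/06/19 05:15:10] Hacker login on hacked account
[2011/06/19 05:15:36] Hacker starts selling
[2011/06/19 05:22:35] Hacker login on hacked account
[2011/06/19 05:45:39] Hacker login on hacked account
[2011/06/19 06:08:18] Hacker login on hacked account
"""

LINE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\] (\S+) (.+)$")


def parse(text):
    """Return a time-sorted list of (timestamp, actor, action) tuples."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # skip anything that is not a log line
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def nearest_other_events(events, actor):
    """For each event by `actor`, seconds since/until the closest event by anyone else."""
    results = []
    for ts, who, what in events:
        if who != actor:
            continue
        earlier = [e for e in events if e[1] != actor and e[0] <= ts]
        later = [e for e in events if e[1] != actor and e[0] > ts]
        results.append({
            "event": f"{who} {what}",
            "since_previous": int((ts - earlier[-1][0]).total_seconds()) if earlier else None,
            "until_next": int((later[0][0] - ts).total_seconds()) if later else None,
        })
    return results


def seconds_between(events, first, second):
    """Seconds from the first event containing `first` to the first containing `second`."""
    def find(needle):
        return next(ts for ts, who, what in events if needle in f"{who} {what}")
    return int((find(second) - find(first)).total_seconds())


EVENTS = parse(LOG)

if __name__ == "__main__":
    print(nearest_other_events(EVENTS, "Kevin"))
    print(seconds_between(EVENTS, "Kevin login", "starts selling"))
```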
369  Economy / Marketplace / Re: Mt. Gox: If your coins were stolen, please write here on: June 19, 2011, 02:20:43 AM
The coins stolen from Mt.Gox were not stolen using any CSRF exploit.

So they were stolen from Mt.Gox using another exploit...?

No, they logged in on users' accounts using the correct login and password. We have logs showing the login succeeded on first try.
370  Economy / Marketplace / Re: Mt. Gox: If your coins were stolen, please write here on: June 19, 2011, 02:13:32 AM
Quote
So the owner of the site says no coins lost, and customer support says your coins are lost. Whom do I believe??

I wouldn't worry about this at all. Mark Karpeles and MagicalTux often contradict themselves. For example, Mark has just confirmed to us that a few accounts were hacked into. However, MagicalTux reassured us yesterday that the CSRF exploits "were never used," even though there was an obvious corresponding increase in reports of coins being stolen via Mt. Gox.

The coins stolen from Mt.Gox were not stolen using any CSRF exploit.
371  Economy / Marketplace / Re: Mt. Gox: If your coins were stolen, please write here on: June 19, 2011, 01:30:53 AM
Ok so:

#1407: Confirmed hacked on June 16th, investigation in progress
#1836: Investigation in progress, no lost coins
#1862: Investigation in progress, no lost coins
372  Economy / Marketplace / Re: Mt. Gox: If your coins were stolen, please write here on: June 18, 2011, 01:39:42 PM
You know about my case very well MARK - I'm still waiting for my stolen 13.4 BTC...

As I already replied to you, your funds were stolen by someone logging in to your account with your password. Your funds are right now on a bitcoin address and have not moved since then.

As a reminder we assume no responsibility should your funds be stolen by someone using your own password.
373  Economy / Marketplace / Re: Mt. Gox: If your coins were stolen, please write here on: June 18, 2011, 01:14:11 PM

Passwords are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD
374  Economy / Marketplace / Re: Can MtGox funds be added during the weekend? on: June 18, 2011, 09:51:12 AM
I finally got my cash into Dwolla (started the transfer last Friday at 4 EST, so it was a full week and then some) anyway... was wondering if cash can be added to MtGox during the weekend? Cause if not I'll be really sad

Yes, funds can be transferred from Dwolla to Mt. Gox at any time.  The exchange has an automated process that supposedly runs once an hour, 24 X 7.

  - http://en.bitcoin.it/wiki/Mtgox#Dwolla

Every 15 minutes in fact, see https://support.mtgox.com/entries/20195371-dwolla-transactions-handled-within-15min
375  Economy / Marketplace / Re: Mt. Gox: If your coins were stolen, please write here on: June 18, 2011, 08:24:07 AM
Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

are you saying that no changes were made to the site in the past 24 hours to protect against a csrf?

if it wasn't broken, would you have any explanation for this claim that a hole had been fixed? http://forum.bitcoin.org/index.php?topic=18709.msg235994#msg235994

There was indeed a CSRF vulnerability in the "change email" and "send funds" features, however we verified the logs of the webserver and could confirm neither were ever exploited, except by the people who discovered it.

Both are now fixed.
376  Economy / Marketplace / Mt. Gox: If your coins were stolen, please write here on: June 18, 2011, 07:55:40 AM
Ok, we've been seeing a "lot" of cases recently.

So far I have 10 known cases of people whose coins were stolen (someone logged in on the account using their password, traded USD for BTC, withdrew all the BTC). Considering we have now over 60000 accounts (2 months ago we had 10 times less), this seems to be a problem coming mainly from users.

Problem is many have been posting in various places (forums, reddit, twitter, irc, etc) causing a lot of fear among users when the problem is still fairly limited.

Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

By the way we are working on adding an extra feature: a withdraw password. If you define one (on the settings screen) you will have to enter this password too. Should be available by monday.



Now, we cannot recover the funds, however we can try to track those and locate to which account they were sent. I guess that if your account was compromised you first sent an email to info@mtgox.com asking for your account to be blocked until investigation, providing as much information as you can about the problem.

Please post here your ticket number that was assigned to you when you created this if you want priority handling. Please read the following FAQ before.


FAQ

My history disappears along all my coins and monies

You have not logged in with your usual login. Please make sure you are using the right account.

My coins were traded for USD, or my USD were traded for coins, I never entered any order

You had an open order that couldn't be filled because you didn't have enough funds. When you added funds (or coins) your order could be filled, and was filled.

377  Economy / Marketplace / Re: MtGox, Secure? on: June 17, 2011, 01:41:30 PM
They can fix database vulns for one, and they could make password cracking a little harder.... Even dictionary attacks are easy on this site. If Someone had the balls to do it, they could steal almost a million dollars from this site easy.

If you fail at entering your password more than 10 times, your IP is blocked. Even using proxies you'd probably run out of proxies before running a basic dictionary.

I believe this makes this kind of attack impractical.

(as for hashing, we use standard unix md5+salt, will switch to $2a$ or $5$ eventually)
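A sketch of the failed-login block described in this post, as an added example (not Mt.Gox code). The threshold of more than 10 failures comes from the post; the one-hour window, the per-account counter and all names and sample traffic are assumptions made for illustration. It also shows that a login which succeeds on the first try never touches a failure counter.

```python
from collections import defaultdict, deque

IP_LIMIT = 10        # from the post: more than 10 failures blocks the IP
ACCOUNT_LIMIT = 10   # assumption: same threshold applied per target account
WINDOW = 3600        # assumption: failures are counted over one hour (seconds)


class FailureThrottle:
    """Counts failed logins per source IP and per target account."""

    def __init__(self):
        self.by_ip = defaultdict(deque)
        self.by_account = defaultdict(deque)

    @staticmethod
    def _count(failures, now):
        # Drop failures that have aged out of the window, then count the rest.
        while failures and now - failures[0] >= WINDOW:
            failures.popleft()
        return len(failures)

    def record(self, ts, ip, account, success):
        """Feed one login attempt; return the set of keys that are now blocked."""
        if not success:
            self.by_ip[ip].append(ts)
            self.by_account[account].append(ts)
        blocked = set()
        if self._count(self.by_ip[ip], ts) > IP_LIMIT:
            blocked.add(("ip", ip))
        if self._count(self.by_account[account], ts) > ACCOUNT_LIMIT:
            blocked.add(("account", account))
        return blocked


def replay(events):
    """Replay (ts, ip, account, success) tuples and return everything blocked."""
    throttle, blocked = FailureThrottle(), set()
    for event in events:
        blocked |= throttle.record(*event)
    return blocked


# Constructed sample traffic (documentation IP ranges, made-up account names).
single_source = [(t, "192.0.2.7", "alice", False) for t in range(11)]
many_sources = [(t, f"198.51.100.{t + 1}", "bob", False) for t in range(11)]
first_try_ok = [(0, "203.0.113.9", "carol", True)]

if __name__ == "__main__":
    for name, sample in [("single_source", single_source),
                         ("many_sources", many_sources),
                         ("first_try_ok", first_try_ok)]:
        print(name, sorted(replay(sample)))
```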
378  Economy / Trading Discussion / Re: Dwolla to MtGox still not getting through? on: June 17, 2011, 09:22:43 AM
Hi everyone,

I've transferred some funds from my bank using Dwolla to Mt.Gox. I did this on 6/11, which was a Saturday. I think it's supposed to take three business days, so it was supposed to get there yesterday, but even now it's still not confirmed. My Dwolla transaction says it's still pending, and the "expected clearing date" was yesterday...How much longer do I have to wait?

Hi,

Please mail your dwolla account id and the message to info@mtgox.com and we'll look into it.


Mark
379  Economy / Marketplace / Re: PR: Mt.Gox responds to Reuters “We want bitcoin to be understood” article on: June 16, 2011, 07:21:10 AM
I think ONLY  under legal and required circumstances (court orders), all bitcoin business should cooperate with the law. Not to appease an outraged and out of control legislator, general public, or governments, and certainly not make bitcoins appear more legitimate.

That is what we intend to do.

I do not want however to see US politicians go all over the place claiming incorrect things about Bitcoin, just because they are ignorant. They will cause global misinformation as whatever they say is echoed broadly.

We will comply with court orders valid under our jurisdiction after our lawyers confirm there is no other recourse available.
380  Economy / Marketplace / PR: Mt.Gox responds to Reuters “We want bitcoin to be understood” article on: June 16, 2011, 04:34:31 AM
June 16th, 2011 - Tokyo (JP)

MT.GOX RESPONDS TO REUTERS “WE WANT BITCOIN TO BE UNDERSTOOD” ARTICLE

Last week Brett Wolf sent us an email hoping we would respond to some of the recent controversies surrounding the Silk Road website. At the time we were unable to respond (they are subject to email response delays, just like everyone else), but after seeing his article about it and reading the mention that “Mt.Gox could not be contacted” we decided to reach out. Like any good reporter, he poked and prodded us a bit about our stance on Silk Road and we advised we have no opinion on the matter, but communicated that we did send a letter to the DEA to assert our position in the bitcoin economy, and to shed some light on bitcoin itself to try and put to rest any misconceptions.

We believe this initial contact with the DEA is of the utmost importance for the immediate future of bitcoin. The letter ended by saying that we will comply with any court sanctioned investigations and that they are invited to contact us to better understand not only what we do but what bitcoin is. We don’t really think this should be shocking to the bitcoin community as we will be legally obligated to regardless. Also, I think it is safe to say that we do not intend to enable illegal activities or have blood on our hands by association, so to speak.


A realization must be made, and that is due to the nature of exchanges we are forced to deal with banks and therefore need to stay within the boundaries the regulatory bodies have set. What we intend to do in the future is to stifle and hopefully stop those borders from closing in on us. We are not here to flip the economic system on its head, nor do we believe it is necessary for that to happen in order for bitcoin to be a player in world markets. We have to exist and exercise our right to do business from within the confines of the system.

Going forward, we are going to be walking a very thin line with how to proceed with promoting and backing bitcoin. It will not do Mt.Gox or the bitcoin community any good if we are not willing to comply with the laws we are subject to and are consequently shut down. In fact, doing so would only work to taint bitcoin’s public image and negate any public recourse we might otherwise garner (the media is louder than the bitcoin community, unfortunately). That being said, bitcoin will be successful in its own way and is not intrinsically tied to the future of Mt.Gox. Likely as time goes on bitcoin will become less and less reliant on our exchange, which in many ways is a good thing as it diversifies the community’s portfolio, so to speak and would result in less heat being put on us too. However, the reality is that with Mt.Gox being the current mainstay in the bitcoin economy the immediate future of bitcoin is heavily reliant on the public and political perceptions of what we do, and how we do it. So we will continue to keep an open door policy with any and all agencies and governments so long as they are willing to understand bitcoin and work within the law.

We understand many people in the community won’t agree, and will look at our exchange (and others) as needing to have a mutually exclusive relationship with bitcoin. We see that on an ideological front, this is likely true, however to have bitcoin take on critical mass we believe exchanges are very necessary entities and are likely the only way politicians, banks and governments will let bitcoin continue on to legitimacy.

We invite the community to vet our position intelligently on the public forums, and we will chime in from time to time.

-The Mt.Gox Team
