Bitcoin Forum
November 20, 2017, 01:09:48 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: My MtGox account was just exploited - 3 BTC stolen [old news]  (Read 3354 times)
gadsdengraphics
Member
**
Offline Offline

Activity: 88


View Profile
February 07, 2013, 06:00:58 PM
 #1

Yeah, I know. 3 BTC.

Still, I was wondering - is there a new vulnerability out there I don't know about?

I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.

My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which was an English word and the last 2 a number that looked like a recent year.  That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.

I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.

Update - response from MtGox:

Quote
Hello,

Sorry for the inconvenience.Please change your email address password and Mt.Gox password immediately. Please do not use the same username and password on different services. You can use the Yubikey or Software Authentication on our Security Center to further secure your accounts.

Please file a police report in order for the police to investigate the case and make an effort to retrieve your funds and once filing a police report, please send a copy of the police report and the official ID document to Mt.Gox. We will cooperate with the police authority in providing the necessary information for the investigation, but we are unable to reimburse any stolen funds.

Thanks,

MtGox.com Team
1511140188
Hero Member
*
Offline Offline

Posts: 1511140188

View Profile Personal Message (Offline)

Ignore
1511140188
Reply with quote  #2

1511140188
Report to moderator
1511140188
Hero Member
*
Offline Offline

Posts: 1511140188

View Profile Personal Message (Offline)

Ignore
1511140188
Reply with quote  #2

1511140188
Report to moderator
1511140188
Hero Member
*
Offline Offline

Posts: 1511140188

View Profile Personal Message (Offline)

Ignore
1511140188
Reply with quote  #2

1511140188
Report to moderator
Join ICO Now A blockchain platform for effective freelancing
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1511140188
Hero Member
*
Offline Offline

Posts: 1511140188

View Profile Personal Message (Offline)

Ignore
1511140188
Reply with quote  #2

1511140188
Report to moderator
1511140188
Hero Member
*
Offline Offline

Posts: 1511140188

View Profile Personal Message (Offline)

Ignore
1511140188
Reply with quote  #2

1511140188
Report to moderator
SgtSpike
Legendary
*
Offline Offline

Activity: 1358



View Profile
February 07, 2013, 06:04:24 PM
 #2

Yeah, I know. 3 BTC.

Still, I was wondering - is there a new vulnerability out there I don't know about?

I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.

My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which was an English word and the last 2 a number that looked like a recent year.  That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.

I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.
Interested as well...

You're saying that your woefully weak password had been changed for more than a year?  How strong is the new one, and when exactly did you change to the new one?
gadsdengraphics
Member
**
Offline Offline

Activity: 88


View Profile
February 07, 2013, 06:05:01 PM
 #3

Some information to add:

The IP of the attacker was 37.190.151.69, which geolocated to Wroclaw, Poland. The destination address was 17GgxBiXVVTg7RFSGz2kEf3jLBhConxmQJ, where it sits right now with 6 confirmations.
gadsdengraphics
Member
**
Offline Offline

Activity: 88


View Profile
February 07, 2013, 06:06:51 PM
 #4

Yeah, I know. 3 BTC.

Still, I was wondering - is there a new vulnerability out there I don't know about?

I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.

My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which was an English word and the last 2 a number that looked like a recent year.  That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.

I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.
Interested as well...

You're saying that your woefully weak password had been changed for more than a year?  How strong is the new one, and when exactly did you change to the new one?

No, my password was changed a week or two after the break-in, whenever that was. I'm not a very active user of Bitcoin, and certainly not of MtGox. Apparently, I decided to use a very weak password then, probably for expediency, since I knew of the hack and changed it just in case I forgot later.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
February 07, 2013, 06:08:08 PM
 #5

I am assuming no 2FA enabled?

With password compromise usually it is
a) phishing attack
b) password re-use on another compromised site
c) keylogging


I am sure you realize it in hindsight but a 20 char lastpass passwords protecting a 6 char account password doesn't enhance security. Still I doubt you were brute forced as the account probably would be locked. 
kokojie
Legendary
*
Offline Offline

Activity: 1694



View Profile
February 07, 2013, 06:08:16 PM
 #6

put 2 factor authentication on withdrawals, then you'll never lose anything in your mtgox account again.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
Spaceman_Spiff
Legendary
*
Offline Offline

Activity: 1638


₪``Campaign Manager´´₪


View Profile
February 07, 2013, 06:08:36 PM
 #7

Not much use to you now, but you might want to use a Yubikey on gox in the future.
They offered me 1 for free, don't know if that offer still stands or if you have to pay for it nowadays.
gadsdengraphics
Member
**
Offline Offline

Activity: 88


View Profile
February 07, 2013, 06:10:18 PM
 #8

I am assuming no 2FA enabled?

With password compromise usually it is
a) phishing attack
b) password re-use on another compromised site



No 2FA. I don't believe the password was re-used, but it's possible. I only got serious about security a year or so ago, after my initial involvement with Bitcoin and the security/cryptography fields that it led me to.

My account ID is my actual first and last name.

I'm confident I wasn't phished.
SgtSpike
Legendary
*
Offline Offline

Activity: 1358



View Profile
February 07, 2013, 06:10:52 PM
 #9

Yeah, I know. 3 BTC.

Still, I was wondering - is there a new vulnerability out there I don't know about?

I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.

My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which was an English word and the last 2 a number that looked like a recent year.  That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.

I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.
Interested as well...

You're saying that your woefully weak password had been changed for more than a year?  How strong is the new one, and when exactly did you change to the new one?

No, my password was changed a week or two after the break-in, whenever that was. I'm not a very active user of Bitcoin, and certainly not of MtGox. Apparently, I decided to use a very weak password then, probably for expediency, since I knew of the hack and changed it just in case I forgot later.
Interesting...

I'd put money on the weak password being "guessed", but I am not sure how much MtGox does to stop guessers.  Still, someone with a large botnet could have them all trying various combinations of passwords with various usernames derived from that MtGox hack list until they find one that works.  That'd get around any IP-based bruteforce detection.  English word + two digits is probably fairly high on the list of "to try" combinations for dictionary attacks.
niko
Hero Member
*****
Offline Offline

Activity: 742


There is more to Bitcoin than bitcoins.


View Profile
February 07, 2013, 06:11:37 PM
 #10

Could you clarify the order of events:

You registered with mtgox with a weak pw
The "big" mtgox hack happened, user info leaked, some passwords cracked and phished
You changed your pw to a strong one
Your account gets hacked and 3 btc stolen

Right?

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
gadsdengraphics
Member
**
Offline Offline

Activity: 88


View Profile
February 07, 2013, 06:12:01 PM
 #11

put 2 factor authentication on withdrawals, then you'll never lose anything in your mtgox account again.

Yep.

I'm digging in their interface now, it looks like they offer software auth. If that will work with Google Authenticator, I'll probably use that.

Another thing they could do (they may, I don't know) is offer an option where withdrawals may only be made to addresses from which deposits have been made.
moni3z
Hero Member
*****
Offline Offline

Activity: 887



View Profile
February 07, 2013, 06:12:29 PM
 #12

Unless you used the same password somewhere else it was most likely the Android tablet.
That's why we need this: http://www.indiegogo.com/projects/freedroid
gadsdengraphics
Member
**
Offline Offline

Activity: 88


View Profile
February 07, 2013, 06:18:59 PM
 #13

Yeah, I know. 3 BTC.

Still, I was wondering - is there a new vulnerability out there I don't know about?

I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.

My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which was an English word and the last 2 a number that looked like a recent year.  That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.

I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.
Interested as well...

You're saying that your woefully weak password had been changed for more than a year?  How strong is the new one, and when exactly did you change to the new one?

No, my password was changed a week or two after the break-in, whenever that was. I'm not a very active user of Bitcoin, and certainly not of MtGox. Apparently, I decided to use a very weak password then, probably for expediency, since I knew of the hack and changed it just in case I forgot later.
Interesting...

I'd put money on the weak password being "guessed", but I am not sure how much MtGox does to stop guessers.  Still, someone with a large botnet could have them all trying various combinations of passwords with various usernames derived from that MtGox hack list until they find one that works.  That'd get around any IP-based bruteforce detection.  English word + two digits is probably fairly high on the list of "to try" combinations for dictionary attacks.
Even with the information I've given here, there are still somewhere between 900k and 2m permutations for that password. IP-based locks are one thing - but if an account had attempted to log in tens of thousands of times, you'd think they'd lock the account.

No, the person who did this almost certainly knew my password, either through obtaining a hash and applying a rainbow table to it, through some sort of keylogger, intercepting it on the wire, or through having access to it on another site. I don't *think* the last one is the case.

A MitM seems quite complex for this. I'm thinking the most likely scenario at this point is a either a vulnerability in MtGox's site, or someone at my workplace with access to their corporate "Big Brother" crap.

If no one else is complaining, I'm leaning heavily toward the latter - which is not to discount my own culpability, even a little. At the time I set that password, I was a fairly technical user but somewhat naive security-wise. That's by far the most likely, that they've had my password for months and have waited to use it.

Odd they chose now - I've been playing the market for a few weeks, starting with 1 BTC and working my way up to the 3 that was lost. They must not be checking often.

I hope I get ahold of account login logs Smiley That would give me something to chew on.
gadsdengraphics
Member
**
Offline Offline

Activity: 88


View Profile
February 07, 2013, 06:21:29 PM
 #14

Could you clarify the order of events:

You registered with mtgox with a weak pw
The "big" mtgox hack happened, user info leaked, some passwords cracked and phished
You changed your pw to a strong one
Your account gets hacked and 3 btc stolen

Right?

Not quite.

I registered with MtGox, just prior to the first bubble.
The MtGox hack happened.
I changed my password, to <4-letter word><2-digit year>.
Many months passed
Unauthorized withdrawal occurred
I changed to a real password
gadsdengraphics
Member
**
Offline Offline

Activity: 88


View Profile
February 07, 2013, 06:25:52 PM
 #15

Unless you used the same password somewhere else it was most likely the Android tablet.
That's why we need this: http://www.indiegogo.com/projects/freedroid

I think we'll see if that were the case.

My tablet is a Samsung Galaxy Tab 2, running a Cyanogenmod 10.1 nightly. I have BitcoinSpinner on there that housed my "just in case" coins - in other words, it was equivalent to my checking account, with around 50 coins most of the time.

I've left 3.xxxx coins on the device, at that address, to see if they're taken as well. If they are, then I can safely assume that is the vector.

I also left 3.xxxx coins in a Blockchain.info wallet, which I created on my work PC and stored the login credentials in a word document marked "Bitcoin Info" on my desktop.

If neither of those disappear, I really don't think my devices are the origin.

ETA: If both disappear, I guess I'll start suspecting my wife or my 4-year-old little girl Smiley
gadsdengraphics
Member
**
Offline Offline

Activity: 88


View Profile
February 07, 2013, 06:46:26 PM
 #16

Update in OP.
Nagato
Full Member
***
Offline Offline

Activity: 150



View Profile WWW
February 08, 2013, 04:03:26 AM
 #17

I doubt it is "Big Brother" access at your workplace. MtGox uses SSL throughout, it is close to impossible for anyone to see any data sent between you and mtGox.

gadsdengraphics
Member
**
Offline Offline

Activity: 88


View Profile
March 28, 2013, 04:11:56 PM
 #18

I doubt it is "Big Brother" access at your workplace. MtGox uses SSL throughout, it is close to impossible for anyone to see any data sent between you and mtGox.

(Sorry to necro the thread, but I just saw this reply)

I don't think it was my employer either, but it's possible.

SSL puts the barrier high for intercepting the conversation in transit, but it's possible it could be MitM'd. Much more likely is that a combination of screen captures and keylogger would give it away. But, like I said - I don't see this as likely in my environment.
Tomatocage
Legendary
*
Offline Offline

Activity: 1526

brb keeping up with the Kardashians


View Profile
March 28, 2013, 08:55:09 PM
 #19

Yes to the "does it work with Google Authenticator" question. That's what I use for 2FA for Gox.

THIS SPOT FOR RENT* | GPG ID: 4880D85C | 1% Escrow | 8% IPO/ICO Escrow services Temporarily Closed | Bitcointalk is the ONLY place where I use this name (No Skype/IRC/YIM/AIM/etc) | 13CsmTqGNwvFXb7tD9yFvJcEYCDTB8wQTS | Beware of these SCAM sites! | *Sponsored Link
420
Hero Member
*****
Offline Offline

Activity: 756



View Profile
March 28, 2013, 08:59:18 PM
 #20

I am assuming no 2FA enabled?

With password compromise usually it is
a) phishing attack
b) password re-use on another compromised site
c) keylogging


I am sure you realize it in hindsight but a 20 char lastpass passwords protecting a 6 char account password doesn't enhance security. Still I doubt you were brute forced as the account probably would be locked. 

how often is keylogging done and how can we tell
especially for windows 7

Donations: 1JVhKjUKSjBd7fPXQJsBs5P3Yphk38AqPr - TIPS
the hacks, the hacks, secure your bits!
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!