Bitcoin Forum
Topic: My MtGox account was just exploited - 3 BTC stolen [old news]
gadsdengraphics (OP), Member
February 07, 2013, 06:00:58 PM
Last edit: March 28, 2013, 04:12:18 PM by gadsdengraphics
 #1

Yeah, I know. 3 BTC.

Still, I was wondering - is there a new vulnerability out there I don't know about?

I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.

My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which were an English word and the last 2 a number that looked like a recent year. That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.

I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.

Update - response from MtGox:

Quote
Hello,

Sorry for the inconvenience. Please change your email address password and Mt.Gox password immediately. Please do not use the same username and password on different services. You can use the Yubikey or Software Authentication on our Security Center to further secure your accounts.

Please file a police report in order for the police to investigate the case and make an effort to retrieve your funds and once filing a police report, please send a copy of the police report and the official ID document to Mt.Gox. We will cooperate with the police authority in providing the necessary information for the investigation, but we are unable to reimburse any stolen funds.

Thanks,

MtGox.com Team
SgtSpike, Legendary
February 07, 2013, 06:04:24 PM
 #2

Quote from: gadsdengraphics on February 07, 2013, 06:00:58 PM
Yeah, I know. 3 BTC.

Still, I was wondering - is there a new vulnerability out there I don't know about?

I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.

My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which were an English word and the last 2 a number that looked like a recent year. That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.

I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.

Interested as well...

You're saying that your woefully weak password had been changed for more than a year?  How strong is the new one, and when exactly did you change to the new one?
gadsdengraphics (OP), Member
February 07, 2013, 06:05:01 PM
 #3

Some information to add:

The IP of the attacker was 37.190.151.69, which geolocated to Wroclaw, Poland. The destination address was 17GgxBiXVVTg7RFSGz2kEf3jLBhConxmQJ, where it sits right now with 6 confirmations.
gadsdengraphics (OP), Member
February 07, 2013, 06:06:51 PM
 #4

Quote from: SgtSpike on February 07, 2013, 06:04:24 PM
Interested as well...

You're saying that your woefully weak password had been changed for more than a year?  How strong is the new one, and when exactly did you change to the new one?

No, my password was changed a week or two after the break-in, whenever that was. I'm not a very active user of Bitcoin, and certainly not of MtGox. Apparently, I decided to use a very weak password then, probably for expediency, since I knew of the hack and changed it just in case I forgot later.
DeathAndTaxes (Gerald Davis), Donator, Legendary
February 07, 2013, 06:08:08 PM
 #5

I am assuming no 2FA enabled?

With password compromise usually it is
a) phishing attack
b) password re-use on another compromised site
c) keylogging


I am sure you realize it in hindsight, but a 20-char LastPass password protecting a 6-char account password doesn't enhance security. Still, I doubt you were brute forced, as the account probably would be locked.
kokojie, Legendary
February 07, 2013, 06:08:16 PM
 #6

Put 2-factor authentication on withdrawals, then you'll never lose anything in your mtgox account again.
Spaceman_Spiff, Legendary
February 07, 2013, 06:08:36 PM
 #7

Not much use to you now, but you might want to use a Yubikey on gox in the future.
They offered me 1 for free, don't know if that offer still stands or if you have to pay for it nowadays.
gadsdengraphics (OP), Member
February 07, 2013, 06:10:18 PM
 #8

Quote from: DeathAndTaxes on February 07, 2013, 06:08:08 PM
I am assuming no 2FA enabled?

With password compromise usually it is
a) phishing attack
b) password re-use on another compromised site

No 2FA. I don't believe the password was re-used, but it's possible. I only got serious about security a year or so ago, after my initial involvement with Bitcoin and the security/cryptography fields that it led me to.

My account ID is my actual first and last name.

I'm confident I wasn't phished.
SgtSpike, Legendary
February 07, 2013, 06:10:52 PM
 #9

Quote from: gadsdengraphics on February 07, 2013, 06:06:51 PM
No, my password was changed a week or two after the break-in, whenever that was. I'm not a very active user of Bitcoin, and certainly not of MtGox. Apparently, I decided to use a very weak password then, probably for expediency, since I knew of the hack and changed it just in case I forgot later.

Interesting...

I'd put money on the weak password being "guessed", but I am not sure how much MtGox does to stop guessers.  Still, someone with a large botnet could have them all trying various combinations of passwords with various usernames derived from that MtGox hack list until they find one that works.  That'd get around any IP-based bruteforce detection.  English word + two digits is probably fairly high on the list of "to try" combinations for dictionary attacks.
niko, Hero Member
February 07, 2013, 06:11:37 PM
 #10

Could you clarify the order of events:

You registered with mtgox with a weak pw
The "big" mtgox hack happened, user info leaked, some passwords cracked and phished
You changed your pw to a strong one
Your account gets hacked and 3 btc stolen

Right?

gadsdengraphics (OP), Member
February 07, 2013, 06:12:01 PM
 #11

Quote from: kokojie on February 07, 2013, 06:08:16 PM
Put 2-factor authentication on withdrawals, then you'll never lose anything in your mtgox account again.

Yep.

I'm digging in their interface now, it looks like they offer software auth. If that will work with Google Authenticator, I'll probably use that.

Another thing they could do (they may, I don't know) is offer an option where withdrawals may only be made to addresses from which deposits have been made.
moni3z, Hero Member
February 07, 2013, 06:12:29 PM
 #12

Unless you used the same password somewhere else it was most likely the Android tablet.
That's why we need this: http://www.indiegogo.com/projects/freedroid
gadsdengraphics (OP), Member
February 07, 2013, 06:18:59 PM
 #13

Quote from: SgtSpike on February 07, 2013, 06:10:52 PM
Interesting...

I'd put money on the weak password being "guessed", but I am not sure how much MtGox does to stop guessers.  Still, someone with a large botnet could have them all trying various combinations of passwords with various usernames derived from that MtGox hack list until they find one that works.  That'd get around any IP-based bruteforce detection.  English word + two digits is probably fairly high on the list of "to try" combinations for dictionary attacks.

Even with the information I've given here, there are still somewhere between 900k and 2m permutations for that password. IP-based locks are one thing - but if an account had attempted to log in tens of thousands of times, you'd think they'd lock the account.

No, the person who did this almost certainly knew my password, either through obtaining a hash and applying a rainbow table to it, through some sort of keylogger, intercepting it on the wire, or through having access to it on another site. I don't *think* the last one is the case.

A MitM seems quite complex for this. I'm thinking the most likely scenario at this point is either a vulnerability in MtGox's site, or someone at my workplace with access to their corporate "Big Brother" crap.

If no one else is complaining, I'm leaning heavily toward the latter - which is not to discount my own culpability, even a little. At the time I set that password, I was a fairly technical user but somewhat naive security-wise. That's by far the most likely, that they've had my password for months and have waited to use it.

Odd they chose now - I've been playing the market for a few weeks, starting with 1 BTC and working my way up to the 3 that was lost. They must not be checking often.

I hope I get ahold of account login logs. That would give me something to chew on.
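The distributed-guessing scenario SgtSpike describes in #9 and the per-account lockout the OP asks about in #13, as an added example that is not part of the thread and not MtGox's code. The word list, year range, bot IP pool, log record shape and lockout thresholds are all constructed assumptions. What it shows is that rotating guesses across a botnet keeps every per-IP failure counter under a typical threshold, while a per-account failure counter trips within the first ten attempts, long before the dictionary reaches the real password.

```python
"""Distributed password guessing vs per-IP and per-account lockouts.

Added example for this thread, not code from the forum or from MtGox. The
log record shape, the word list, the bot IP pool and the thresholds are
assumptions constructed for the demonstration.
"""
from collections import Counter
import itertools

# Constructed dictionary in the shape the OP described: a four-letter English
# word followed by a two-digit "recent year". A real attacker would use a
# word list with thousands of entries; ten words are enough to show the shape.
WORDS = ["love", "pass", "gold", "coin", "work", "blue", "king", "star", "moon", "rock"]
YEARS = ["99"] + [f"{y:02d}" for y in range(0, 13)]  # "99", "00", ..., "12"


def candidate_passwords():
    """Enumerate <word><yy> in a fixed order; the attacker walks this list."""
    return [w + y for w, y in itertools.product(WORDS, YEARS)]


def simulate_distributed_guessing(user, true_password, bot_ips):
    """Constructed auth log: one guess per record, rotated round-robin across
    the botnet so that no single IP makes more than a handful of attempts."""
    log = []
    for i, guess in enumerate(candidate_passwords()):
        ok = guess == true_password
        log.append({"user": user, "ip": bot_ips[i % len(bot_ips)],
                    "result": "ok" if ok else "fail"})
        if ok:
            break
    return log


def first_success_index(log):
    """Index of the record where the attacker logged in, or None."""
    for i, r in enumerate(log):
        if r["result"] == "ok":
            return i
    return None


def per_ip_blocked(log, threshold):
    """IP-based rule: block an IP after `threshold` failed logins.
    Returns the set of IPs that would have been blocked."""
    fails = Counter(r["ip"] for r in log if r["result"] == "fail")
    return {ip for ip, n in fails.items() if n >= threshold}


def per_account_lock_index(log, threshold):
    """Account-based rule: lock the account after `threshold` failures from
    any source. Returns the index of the record that triggers the lock, or
    None if it never triggers."""
    fails = Counter()
    for i, r in enumerate(log):
        if r["result"] == "fail":
            fails[r["user"]] += 1
            if fails[r["user"]] >= threshold:
                return i
    return None


if __name__ == "__main__":
    bots = [f"10.0.{i // 256}.{i % 256}" for i in range(50)]  # constructed botnet
    log = simulate_distributed_guessing("firstname.lastname", "coin12", bots)
    print(len(log), "attempts; attacker logged in at record", first_success_index(log))
    print("IPs blocked by a 5-failure per-IP rule:", per_ip_blocked(log, 5))
    print("account locked at record:", per_account_lock_index(log, 10))
```

With fifty bots and a 140-entry dictionary, no IP ever exceeds two failures, so a per-IP rule never fires and the 56th guess logs in; a per-account rule with a threshold of ten locks the account at the tenth failure. The account counter is the control that actually stops the attack, which is the check the OP expected the exchange to have.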
gadsdengraphics (OP), Member
February 07, 2013, 06:21:29 PM
 #14

Quote from: niko on February 07, 2013, 06:11:37 PM
Could you clarify the order of events:

You registered with mtgox with a weak pw
The "big" mtgox hack happened, user info leaked, some passwords cracked and phished
You changed your pw to a strong one
Your account gets hacked and 3 btc stolen

Right?

Not quite.

I registered with MtGox, just prior to the first bubble.
The MtGox hack happened.
I changed my password, to <4-letter word><2-digit year>.
Many months passed
Unauthorized withdrawal occurred
I changed to a real password
gadsdengraphics (OP), Member
February 07, 2013, 06:25:52 PM
 #15

Quote from: moni3z on February 07, 2013, 06:12:29 PM
Unless you used the same password somewhere else it was most likely the Android tablet.
That's why we need this: http://www.indiegogo.com/projects/freedroid

I think we'll see if that were the case.

My tablet is a Samsung Galaxy Tab 2, running a Cyanogenmod 10.1 nightly. I have BitcoinSpinner on there that housed my "just in case" coins - in other words, it was equivalent to my checking account, with around 50 coins most of the time.

I've left 3.xxxx coins on the device, at that address, to see if they're taken as well. If they are, then I can safely assume that is the vector.

I also left 3.xxxx coins in a Blockchain.info wallet, which I created on my work PC and stored the login credentials in a word document marked "Bitcoin Info" on my desktop.

If neither of those disappear, I really don't think my devices are the origin.

ETA: If both disappear, I guess I'll start suspecting my wife or my 4-year-old little girl.
gadsdengraphics (OP), Member
February 07, 2013, 06:46:26 PM
 #16

Update in OP.
Nagato, Full Member
February 08, 2013, 04:03:26 AM
 #17

I doubt it is "Big Brother" access at your workplace. MtGox uses SSL throughout, it is close to impossible for anyone to see any data sent between you and mtGox.

gadsdengraphics (OP), Member
March 28, 2013, 04:11:56 PM
 #18

Quote from: Nagato on February 08, 2013, 04:03:26 AM
I doubt it is "Big Brother" access at your workplace. MtGox uses SSL throughout, it is close to impossible for anyone to see any data sent between you and mtGox.

(Sorry to necro the thread, but I just saw this reply)

I don't think it was my employer either, but it's possible.

SSL puts the barrier high for intercepting the conversation in transit, but it's possible it could be MitM'd. Much more likely is that a combination of screen captures and keylogger would give it away. But, like I said - I don't see this as likely in my environment.
Tomatocage, Legendary
March 28, 2013, 08:55:09 PM
 #19

Yes to the "does it work with Google Authenticator" question. That's what I use for 2FA for Gox.

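The two controls discussed in #11 (software authentication, which Tomatocage confirms in #19 works with Google Authenticator, and withdrawals restricted to addresses the account has deposited from), as an added example that is not MtGox's code or anyone's from the thread. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 with the 30-second step and six digits Google Authenticator uses; the authorize_withdrawal policy function, its state dictionary, the whitelist and the base32 helper are assumptions made for the demonstration. The replay check (the accepted counter must exceed the last one used) is what keeps a one-time code captured by a keylogger from being reused inside its validity window.

```python
"""Withdrawal authorization behind a TOTP second factor plus a deposit-address
whitelist.

Added example for this thread, not MtGox's code. hotp/totp follow RFC 4226 and
RFC 6238 with Google Authenticator's parameters (SHA-1, 30 s step, 6 digits);
the policy function, its state dictionary and the sample addresses are
assumptions constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with counter = floor(time / 30), as the authenticator app computes it."""
    return hotp(secret, unix_time // STEP_SECONDS)


def secret_from_base32(s: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; decode it, restoring padding."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1):
    """Return the matching counter, accepting +/- `window` steps of clock skew,
    or None. Constant-time comparison so timing does not leak matching digits."""
    counter = unix_time // STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


def authorize_withdrawal(secret, state, deposit_addresses, destination, code, unix_time):
    """Policy check for one withdrawal request (assumed design, not MtGox's).

    state["last_counter"] remembers the highest counter already accepted, so a
    code captured by a keylogger cannot be replayed inside its window.
    Returns (allowed, reason)."""
    if destination not in deposit_addresses:
        return False, "destination is not an address this account has deposited from"
    counter = verify_totp(secret, code, unix_time)
    if counter is None:
        return False, "authenticator code invalid or expired"
    if counter <= state["last_counter"]:
        return False, "authenticator code already used"
    state["last_counter"] = counter
    return True, "ok"


if __name__ == "__main__":
    # RFC 6238 reference secret; a real deployment generates a random one per account.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    state = {"last_counter": -1}
    known = {"1ExampleDepositSourceAddressXXXXXX"}       # constructed whitelist
    attacker_dest = "17GgxBiXVVTg7RFSGz2kEf3jLBhConxmQJ"  # address named in post #3
    mine = next(iter(known))
    print(authorize_withdrawal(secret, state, known, attacker_dest, totp(secret, 59), 59))
    print(authorize_withdrawal(secret, state, known, mine, totp(secret, 59), 59))
    print(authorize_withdrawal(secret, state, known, mine, totp(secret, 59), 75))  # replay
```

The whitelist check runs first so that a stolen password plus a stolen code still cannot move funds to an attacker-controlled address; the TOTP check then binds the withdrawal to the device the account holder enrolled.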
420, Hero Member
March 28, 2013, 08:59:18 PM
 #20

Quote from: DeathAndTaxes on February 07, 2013, 06:08:08 PM
I am assuming no 2FA enabled?

With password compromise usually it is
a) phishing attack
b) password re-use on another compromised site
c) keylogging


I am sure you realize it in hindsight, but a 20-char LastPass password protecting a 6-char account password doesn't enhance security. Still, I doubt you were brute forced, as the account probably would be locked.

How often is keylogging done, and how can we tell? Especially for Windows 7.
