Bitcoin Forum
Author Topic: If your Mt. Gox account has been compromised, PLEASE READ.  (Read 34527 times)
joepie91 (OP)
June 16, 2011, 09:19:25 PM
Last edit: June 17, 2011, 01:32:50 AM by Atlas
#1

EDIT: If you cannot access your account and your e-mail address on your account has been changed, please post here as well with as much information as you have.

EDIT2: Added a question about password reuse, please update your posts

Ok, so I've seen a lot of topics appearing about Mt. Gox accounts getting compromised, and had it happen to myself as well - and I'm wondering what the scale of this is.

First, a few things:

My Mt. Gox account got broken into, what do I do?
First of all, do a virus scan, there are plenty of free antivirus applications that work fine - for example, Avast, Antivir/Avira, and AVG.
If you are tech-savvy or know someone who is, and you are on Windows, use applications like TCPView, Wireshark, and Security Task Manager to determine whether any suspicious network activity is taking place, or whether there are any suspicious processes running. Also check your Services for suspicious services.
Change your password. It should be:
* At least 12 characters long, more is better
* Contain letters (both lower and upper case), numbers, and if possible special characters
* Not have any dictionary words, names, or dates in it. The best password is a seemingly random password
* MOST IMPORTANTLY, not a password that you use somewhere else!
* Make sure your new password has a different length than your old one!
After you changed your password, check in your Mt. Gox account if your e-mail address is still correct.
Make sure that your password is NOT saved in your browser's "password manager"! If your browser asks you whether it should remember your password, choose No.
Be sure to read this post to the end!

How could this happen? Is Mt. Gox safe?
Right now it appears to be unclear on where this "attack" is coming from. At least some accounts had complex and/or long passwords, so bruteforcing seems unlikely, but it's possible.
If you had a short password and use an outdated browser (or Internet Explorer, or another browser that does not have this vulnerability patched), it is possible you got hit by the so-called "CSS History Sniffer" vulnerability. Get an up-to-date browser that has this vulnerability patched - I believe at least Chrome and Firefox 3 are safe from this - and use a longer password.
While Mt. Gox being compromised is a possibility, there is no proof for it, and it's best NOT to assume that is the case - this may be an attempt at spreading fear and getting people to leave Mt. Gox.
It's best to wait for a response from MagicalTux on this. Personally I normally don't leave any funds in Mt. Gox (or any web wallet / exchange) any longer than necessary, exactly to avoid things like this. The only reason it happened now was because I was unable to access Mt. Gox at all for a long time, and thus didn't have the chance to withdraw my funds.

And now?
I personally think it's a good idea to collect as much data on what happened as possible. Please report in if you got hit as well, and answer the following questions:
* How much funds did you lose?
* To what address were your stolen funds sent?
* What OS are you using (Windows, Linux, Mac OSX ...)?
* How long was your old password?
* Was your old password random?
* Was your username the same on Mt. Gox as on the forum?
* Did you use your Mt. Gox password somewhere else?
* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
* Please also include a screenshot if possible so we know it's a real report.


I'll start out with myself.

Lost funds: about $200
Sent to: 16MHJtHA1dVJQZYcFf3iRAeF3dCFQeqTCi
OS: Windows 7 Home Premium
Password length: 20 characters
Random: Yes
Username the same: Yes
Password reused: No
Characters: uppercase, lowercase, and numbers.
Software: used Diablo Miner and pocblm
Screenshot:

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
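A checker for the password rules listed in the post above, added here as an example and not part of the original post. The small word list, the date pattern and the 12-character floor are constructed assumptions (the post says "at least 12, more is better"), and reuse of the password on other sites cannot be verified locally, so it is not checked:

```python
import re
import string
from typing import List, Optional

# Constructed mini word list standing in for a real dictionary (assumption:
# a production check would load a full word list plus common names).
COMMON_WORDS = {"password", "bitcoin", "mtgox", "welcome", "summer", "dragon",
                "letmein", "monkey", "secret", "qwerty", "alice", "robert"}
MIN_LENGTH = 12
# Four-digit years and day/month/year fragments such as 16/06/2011 or 16.6.11.
DATE_RE = re.compile(r"(?:19|20)\d{2}|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}")


def check_password(candidate: str, old_password: Optional[str] = None) -> List[str]:
    """Return the rules the candidate violates; an empty list means it passes.

    Entries prefixed with "advisory:" correspond to the post's "if possible"
    rule and do not fail the check on their own.  Reuse on other sites (the
    post's most important rule) cannot be verified locally and is not checked.
    """
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digits")
    if not any(c in string.punctuation for c in candidate):
        problems.append("advisory: no special characters")
    lowered = candidate.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word or name")
    if DATE_RE.search(candidate):
        problems.append("contains a date or year")
    if old_password is not None:
        if candidate == old_password:
            problems.append("identical to the old password")
        elif len(candidate) == len(old_password):
            problems.append("same length as the old password")
    return problems


def is_acceptable(candidate: str, old_password: Optional[str] = None) -> bool:
    """True when only advisory findings remain."""
    return all(p.startswith("advisory:") for p in check_password(candidate, old_password))


if __name__ == "__main__":
    for pw in ("password2011", "x7Qm!pR2vL#9kT"):
        print(pw, check_password(pw, old_password="A" * 14))
```

The dictionary check is a substring match, which is deliberately strict: "bitcoin2011!" fails even though it is long and mixed-case, which is exactly the kind of password the post warns against.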
aherron
June 16, 2011, 10:09:01 PM
#2

Got compromised this morning.

Lost funds: about $2000
Sent to: 1PYrg3rujFzuczePRwdW8RV27s5cbRU1hE
OS: OSX 10.6 and Xubuntu 11.04
Password length: 11 characters
Random: No, non-dictionary word
Characters: lowercase, and numbers.
Software: Only the native mac client with no mining.
Screenshot: I'll have this up shortly.
joepie91 (OP)
June 16, 2011, 10:14:39 PM
#3

Quote from: aherron
Got compromised this morning.

Lost funds: about $2000
Sent to: 1PYrg3rujFzuczePRwdW8RV27s5cbRU1hE
OS: OSX 10.6 and Xubuntu 11.04
Password length: 11 characters
Random: No, non-dictionary word
Characters: lowercase, and numbers.
Software: Only the native mac client with no mining.
Screenshot: I'll have this up shortly.
I just ninja-edited the first post, so it was probably not in the list you copied... do you have the same username on Mt. Gox as on the forums here?

HaRRo
June 16, 2011, 10:16:01 PM
#4

MtGox or Bitcoin7?
joepie91 (OP)
June 16, 2011, 10:18:25 PM
#5

Quote from: HaRRo
MtGox or Bitcoin7?
The main focus is Mt. Gox but if your account on another exchange/webwallet/mining pool got compromised, it might be useful to post here as well. There may be a targeted attack at multiple services.

Slab Squathrust
June 16, 2011, 10:21:39 PM
#6

This taken with the allinvain events of the past few days are making me worried.  Nowhere is truly 100% safe.  Drives fail, websites get hacked, and natural disasters destroy houses.  While this shouldn't turn anyone off, it is important to remember no backup system is completely secure.  Sorry to hear that happened.  I almost put some Bitcoins in Mt Gox last night...   
BitterTea
June 16, 2011, 10:34:19 PM
#7

Perhaps people are reusing passwords from other sites?

I'd recommend KeePass (haven't actually used it), LastPass, or SuperGenPass in order to combat this.
BitterTea
June 16, 2011, 10:45:03 PM
#8

Quote
This hacking seems to be getting out of control.  People are losing a lot of money.  What can we do other than the above suggestions?  Strong passwords are no longer doing the trick.

Strong passwords don't help if there's some other attack vector. For instance, if you are using that same strong password on a site that is hacked and MtGox.
randomguy7
June 16, 2011, 10:53:43 PM
#9

Please edit your posts to show if the mtgox password was used somewhere else. Is your mtgox email address something which could be easily guessed, like [mtgox-user-name]@[some-well-known-email-provider]?
done
June 16, 2011, 11:26:38 PM
#10

Any newbie reading this: please keep your bitcoins separated in many individual places in case one of your locations is compromised.
pippipcheerio
June 17, 2011, 12:45:31 AM
#11

Thanks, I may have an account hacked in the future. So this will help.
Globz
June 17, 2011, 01:07:27 AM
#12

The recent hacking spree might be due to LulzSec releasing over 60k passwords + emails a week...be careful and change password often, never use the same password for different services.
kwukduck
June 17, 2011, 01:28:17 AM
#13

Lost funds: $500
Sent to: 1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg
OS: Windows 7 Ultimate / Ubuntu 11.04
Password length: 9 characters alphanumeric
Random: contains dictionary words but mixed
Characters: lowercase, and numbers.
Same username on forum: yes
Software: native windows and linux client, diablo on ubuntu, phoenix on windows.
Screenshot:
these are the malicious transactions.



14b8PdeWLqK3yi3PrNHMmCvSmvDEKEBh3E
joepie91 (OP)
June 17, 2011, 01:38:21 AM
#14

Quote from: Globz
The recent hacking spree might be due to LulzSec releasing over 60k passwords + emails a week...be careful and change password often, never use the same password for different services.
I know I don't reuse passwords myself (plus, I was not in the dump), so if that is related, that is at least not the only attack vector.

wallet_dat
June 17, 2011, 02:17:13 AM
#15

was hacked and everything stolen this afternoon:

Lost funds: $1300
OS: Microsoft Windows Vista
Password length: 5 characters
Random: no
Characters: lowercase
Software: native client
Screenshot: working on it
SomeoneWeird
June 17, 2011, 02:44:56 AM
#16

Quote from: wallet_dat
was hacked and everything stolen this afternoon:

Lost funds: $1300
OS: Microsoft Windows Vista
Password length: 5 characters
Random: no
Characters: lowercase
Software: native client
Screenshot: working on it

No wonder, I could've bruteforced that in 2 minutes.
BitterTea
June 17, 2011, 02:47:33 AM
#17

Was anyone using this app, by any chance? I downloaded it the other day but decided against giving them my password. Noticed today that there is a new version that is now closed source. Coincidence?
kiwiasian
June 17, 2011, 03:50:33 AM
#18

Lost 17.18 worth of BTC, valued at about $300 at the time.

http://forum.bitcoin.org/index.php?topic=18182.0

Tradehill referral link, save 10% | http://www.tradehill.com/?r=TH-R12328
www.payb.tc/kiwiasian | 1LHNW1JGMBo2e7rKiiFz7KJPKE57bqCdEC
F104
June 17, 2011, 03:57:07 AM
#19

Noob here with a noob question. I bought 9 BTC on Mt Gox just as I was picking up on Gox' security problems. I moved the BTC to my wallet. The status is "unconfirmed" and I went back to Mt Gox and changed my password there. Am I safe?

1. The BTC are *mine,* right, even if the transfer is not yet confirmed?
2. Once they are confirmed in my wallet, no one can get at them, right? (unless my computer is hacked in a more general way...I mean, the wallet is secure, right?)

thanks for your help
beginningbitcoin
June 17, 2011, 03:58:23 AM
#20

Quote from: F104
Noob here with a noob question. I bought 9 BTC on Mt Gox just as I was picking up on Gox' security problems. I moved the BTC to my wallet. The status is "unconfirmed" and I went back to Mt Gox and changed my password there. Am I safe?

1. The BTC are *mine,* right, even if the transfer is not yet confirmed?
2. Once they are confirmed in my wallet, no one can get at them, right? (unless my computer is hacked in a more general way...I mean, the wallet is secure, right?)

thanks for your help

Yes you are safe.
geebus
June 17, 2011, 05:06:40 AM
#21

* How much funds did you lose?

~20 BTC

* To what address were your stolen funds sent?

No clue, can't login to check.

* What OS are you using (Windows, Linux, Mac OSX ...)?

Windows 7 x64

* How long was your old password?

8-characters, mixed alphanumeric

* Was your old password random?

It was not a dictionary word.

* Was your username the same on Mt. Gox as on the forum?

No.

* Did you use your Mt. Gox password somewhere else?

The only other place I used it was on Slush's pool, about 4 months ago. Before launching Bitcoinpool.

* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?

Mixed alphanumeric.

* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.

Phoenix Rising. But never entered the password in it.

* Please also include a screenshot if possible so we know it's a real report.

A screenshot of what? ...my password was changed, and email removed from my account. I have no way to log in to retrieve any details of the account.
I can provide transaction details (withdraw amounts, and accounts) to MtGox to verify it is me, but aside from that, I'm just locked out.

Feel like donating to me? BTC Address: 14eUVSgBSzLpHXGAfbN9BojXTWvTb91SHJ
DrMoriarty
June 17, 2011, 05:32:53 AM
Last edit: June 17, 2011, 05:59:15 AM by DrMoriarty
#22

Quote from: joepie91
EDIT: If you cannot access your account and your e-mail address on your account has been changed, please post here as well with as much information as you have.

I have another problem.
I have not been able to log in to my mtgox account for three days. I use my own trading program. I can make orders and check my balance with it. And I know my balance is ok.

But I can not login to withdraw any funds.
When I enter my login and password it only shows me the start page with the links "sign up" and "login". If I enter a wrong password I get an error message. But for the right password it just doesn't work.

Does anybody know what happened?

PS: I have written to support twice but they keep silence.

PPS: I have registered a new account but I can't login with it. Does Mt.Gox think that I made ddos? Does it take revenge on me?
secmff
June 17, 2011, 10:38:32 AM
#23

Yes, I installed that android app posted earlier. I did get a funny feeling about it and changed my password (in the browser, removed the app again).

Still I was not able to log into my account a few hours later. Got 1550 dollars and 170 bitcoins in that account. I'm working with Mt.Gox support now, to see what is going on exactly.
OS: Linux
Password Length: 8
Random: yes
characters: lower, upper and numbers
jkminkov
June 17, 2011, 11:08:00 AM
#24

Include the browser version you use, browser add-ons if any, whether it is dedicated for safe sites or it is your primary browser, how you close the site (close tab/window); do you use log-out?

Do you have Adobe PDF reader?

.:31211457:. 100 dollars in one place talking - Dudes, hooray, Bitcoin against us just one, but we are growing in numbers!
Vandroiy
June 17, 2011, 03:02:14 PM
#25

What does MagicalTux say about this? This looks extremely critical! I'm very happy now I did not increase the withdrawal limits.

Password bruteforcing cannot be an issue, since it is trivial to block IPs that have too many failed login attempts -- unless MtGox is allowing an insane amount of attempts from a single source, which would be very similar to openly accepting theft risks.

This should be resolved and the origin of the attack found ASAP. MagicalTux, please comment and analyze the cases at hand; also, explain your security measures against password extraction.
rasengan
June 17, 2011, 03:08:28 PM
#26

Quote from: BitterTea
Was anyone using this app, by any chance? I downloaded it the other day but decided against giving them my password. Noticed today that there is a new version that is now closed source. Coincidence?

Hi BitterTea :-)

I assure you our application is 100% safe and does not make any calls to anything outside of MtGox and BTC.to(when using the bitcoin address shortener).  This can be verified/validated using any tools such as wireshark, ethereal etc. so that you can validate these facts to be true.

If you are still worried or do not know how to sniff your device's outgoing packets (requires Intermediate to Advanced skill level), then an additional option is to use our discontinued, free version of our software on the Android Market called "MtGox Live Bitcoin Trader Free."  This version is older and is not optimized at all.  However, the source code is included with this release in the APK.  Simply view the /assets/Resources folder within the APK to review the code to validate its safety.

I hope this clears any information and misconceptions out there.  If you have any questions, please come find us in #MtGoxLive on IRC.Freenode.Net and we will discuss with you more about the software, how it works, and also provide you helpful hints on how to stay safe online and in the Bitcoin community.

Thanks!

Joseon.com - The First Legally Recognized Cyber State
heli0s
June 17, 2011, 03:25:06 PM
#27

* How much funds did you lose?
Approx $2000 and 100 BTC
* To what address were your stolen funds sent?
Can't log in to check; email address was changed as well.
* What OS are you using (Windows, Linux, Mac OSX ...)?
Windows 7 x64
* How long was your old password?
I never divulge specifics regarding passwords, but it was at least 8 characters long.
* Was your old password random?
No.  It used multiple dictionary words.
* Was your username the same on Mt. Gox as on the forum?
No, but I've since discovered that someone on Mt. Gox has the same username as I do.
* Did you use your Mt. Gox password somewhere else?
No.  However, I did discover a similar password on a published list (but it wasn't any of my accounts on the list), so my guess is that whoever is doing this is using the published lists and performing some additional checks on variations on them.
* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
Yes; it contained all of them.
* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
Only the Bitcoin client and Phoenix mining software.  Nothing used the same password as what Mt. Gox used.
* Please also include a screenshot if possible so we know it's a real report.
Since I can't access the account, it isn't feasible to include a screenshot.

I've submitted a support ticket but I haven't had any response to it yet.
coinonymous
June 17, 2011, 04:14:51 PM
#28

Just a note, looking into this I tried to log in; I was using tor at the time and it said:

Quote from: mtgox
Too many failure from your IP, temporarly blocked

Which suggests somebody is staging some sort of semi-brute-force dictionary attack.

This is consistent with the hypothesis that someone is executing an attack plan along the following lines:

  • collect passwords -- or maybe just javascript-generated-hashes of passwords -- perhaps by peeking at tor exit node traffic, or perhaps by managing to secure VPSes on the same LAN segment as other popular bitcoin sites
  • replay those passwords/hashes (I'm too lazy to figure out exactly how MtGox's login system works) at MtGox
  • steal teh maneys

As has been pretty much suggested already in this thread.

 Huh
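Vandroiy's point in #25 (block sources with too many failed logins) and coinonymous's observation in #28 (a Tor exit was already being refused) describe the same control from two sides. The following is an added example, not Mt. Gox's code and not part of the thread: a login throttle that counts failures both per source IP and per account, run over constructed traffic. The limits, timings and RFC 5737 documentation addresses are assumptions:

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

Event = Tuple[float, str, str, bool]   # (time, source ip, account, password correct?)


class LoginThrottle:
    """Temporarily refuse login attempts after repeated failures.

    Two counters are kept: per source IP (stops a single host guessing many
    accounts) and per account (stops many hosts guessing one account).
    Limits, windows and block durations are constructed values.
    """

    def __init__(self, ip_limit: int = 10, account_limit: int = 5,
                 window: float = 600.0, block_for: float = 900.0) -> None:
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.window = window
        self.block_for = block_for
        self._ip_failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._acct_failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._ip_blocked_until: Dict[str, float] = {}
        self._acct_blocked_until: Dict[str, float] = {}

    def refusal(self, ip: str, account: str, now: float) -> Optional[str]:
        """None if the attempt may be checked against the password store,
        otherwise why it is refused without consulting the password at all."""
        if self._ip_blocked_until.get(ip, 0.0) > now:
            return "ip_blocked"
        if self._acct_blocked_until.get(account, 0.0) > now:
            return "account_blocked"
        return None

    def record(self, ip: str, account: str, success: bool, now: float) -> None:
        if success:
            # A correct password clears the account counter only; the IP
            # counter stays, since a shared address may still host a guesser.
            self._acct_failures.pop(account, None)
            return
        for key, failures, limit, blocked in (
            (ip, self._ip_failures, self.ip_limit, self._ip_blocked_until),
            (account, self._acct_failures, self.account_limit, self._acct_blocked_until),
        ):
            recent = failures[key]
            while recent and now - recent[0] > self.window:   # drop stale entries
                recent.popleft()
            recent.append(now)
            if len(recent) >= limit:
                blocked[key] = now + self.block_for
                recent.clear()


def simulate(events: List[Event]) -> List[Tuple[float, str, str, str]]:
    """Run constructed login events through a fresh throttle; returns
    (time, ip, account, outcome) with outcome one of
    ok / bad_password / ip_blocked / account_blocked."""
    throttle = LoginThrottle()
    out = []
    for now, ip, account, correct in events:
        refused = throttle.refusal(ip, account, now)
        if refused:
            out.append((now, ip, account, refused))
            continue
        throttle.record(ip, account, correct, now)
        out.append((now, ip, account, "ok" if correct else "bad_password"))
    return out


# Constructed traffic (documentation addresses from RFC 5737, not real hosts):
EVENTS: List[Event] = (
    [(float(t), "203.0.113.5", "alice", False) for t in range(5)]        # one host guessing alice
    + [(5.0, "198.51.100.7", "alice", False),                            # second host, same account
       (6.0, "192.0.2.9", "alice", True),                                # real owner, correct password
       (1000.0, "192.0.2.9", "alice", True)]                             # owner again after the block lapses
    + [(2000.0 + t, "203.0.113.99", f"user{t}", False) for t in range(10)]  # one guess per account
    + [(2011.0, "203.0.113.99", "carol", True)]                          # innocent user behind that same IP
)

if __name__ == "__main__":
    for row in simulate(EVENTS):
        print(row)
```

The replay shows both trade-offs in one run. The per-IP counter alone is what produced the "Too many failure from your IP" message quoted above: it catches a single host spraying accounts, but it also refuses the innocent user sharing that address (carol, behind the same exit) and says nothing about guesses spread over many sources. The per-account counter closes that gap, but during the block it also refuses the real owner (alice at t=6), so anyone can lock a victim out for the block period; deployments pair it with short block times, a CAPTCHA step, or an alert to the account holder rather than a long hard lockout.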
coinonymous
June 17, 2011, 04:25:08 PM
#29

For Christ's sake, MagicTux, IMO at least quit camping/having sex/sleeping/flying in aeroplanes/etc for 10 minutes and just freeze all transfers in/out of MtGox until this is sorted out!  At this point any concern about how such a thing might reflect on your business or Bitcoin is surely dwarfed by the bad PR these theft allegations are generating?

One other observation.  There is a striking plurality of newbs purporting to be affected by this... which, to some extent, might suggest that the real nature of this attack might be some kind of weird social engineering trick either to make MtGox look bad or create Bitcoin FUD....

That's just an idea though -- sincere apologies to any innocent victims who I may very well be falsely indicting with that line of reasoning -- still it needs to be considered.  By hiring a handful of guys to repeatedly start new forum accounts and post that they were robbed on MtGox, an anti-Bitcoin-villain could create quite a bit of understandable anxiety about the safety and efficacy of BTC.  Anybody good at fingerprinting forum posters?
Desu
June 17, 2011, 05:08:10 PM
#30

Weird this is all happening right after the freeze this last weekend. The first big hack as well. (Poor Allinvain.)
Just Saying...
TowlieLives
June 17, 2011, 05:37:15 PM
#31

You make a good point Coinonymous.  I honestly think Mt.Gox was compromised though, and they may not even know it considering it could have happened amidst the spike in trading and ddos attack.  All of the posts here are people that lost relatively large sums of money and coins, and I have seen posts elsewhere of the same thing happening.  After reading through all of these posts and the ones I've found elsewhere it seems the only thing all of these people have in common is Mt.Gox.  Sony is a multi-billion dollar company that has been doing business for a long long time, and they were absolutely destroyed by hackers.  In comparison, Mt.Gox is a young company that probably doesn't have anywhere near the security team Sony does.  It only makes sense!
GeniuSxBoY
June 17, 2011, 07:01:27 PM
#32

Wait wait wait...


are we saying that people's cash-moneys have been stolen and sent to other people's banks from mt gox?

Be humble!
citryphus
June 17, 2011, 07:54:49 PM
#33

Quote from: coinonymous
One other observation.  There is a striking plurality of newbs purporting to be affected by this... which, to some extent, might suggest that the real nature of this attack might be some kind of weird social engineering trick either to make MtGox look bad or create Bitcoin FUD....

I don't know if Mt. Gox has been compromised or not and I'm not ruling out your idea, but the fact that mostly newbs are posting here could be because (a) this is the only place they can post, and (b) they didn't register here until they had a reason to post, i.e. a problem.
Run BTC
June 17, 2011, 08:56:47 PM
#34

Bitcoin are excellent! I love bit coin.
Run BTC
June 17, 2011, 08:57:50 PM
#35

Quote from: GeniuSxBoY
Wait wait wait...


are we saying that people's cash-moneys have been stolen and sent to other people's banks from mt gox?

I don't think this can happen. BitCoin is Secure!
coinonymous
June 17, 2011, 09:16:26 PM
#36

Heh.  This thread is rapidly degenerating.  Here's some interesting content for you though (I'm apparently too newbish to post URLs so you'll have to type "http://" yourself):

Code:
www.parttimepoker.com/private-poker-site-info-being-posted-on-anonymous-website

How many of y'all were using your compromised password on Stars/FTP?

I don't have a lot of verification on this story from anyone I particularly trust yet so please take it with a grain of salt for now.
AntiVigilante
June 18, 2011, 02:46:17 AM
#37

Quote from: joepie91
EDIT: If you cannot access your account and your e-mail address on your account has been changed, please post here as well with as much information as you have.

EDIT2: Added a question about password reuse, please update your posts


While Mt. Gox being compromised is a possibility, there is no proof for it, and it's best NOT to assume that is the case - this may be an attempt at spreading fear and getting people to leave Mt. Gox.
It's best to wait for a response from MagicalTux on this. Personally I normally don't leave any funds in Mt. Gox (or any web wallet / exchange) any longer than necessary, exactly to avoid things like this. The only reason it happened now was because I was unable to access Mt. Gox at all for a long time, and thus didn't have the chance to withdraw my funds.

CSRF has been found. Having said that though bitcoin7 is riddled with them.

I'm still proposing that bitcoins themselves need to have unix-like perms on them. Receive, Send, Operate. Wrap them up and they can't be transferred until there is a three-way handshake.

Proposal: http://forum.bitcoin.org/index.php?topic=11541.msg162881#msg162881
Inception: https://github.com/bitcoin/bitcoin/issues/296
Goal: http://forum.bitcoin.org/index.php?topic=12536.0
Means: Code, donations, and brutal criticism. I've got a thick skin. 1Gc3xCHAzwvTDnyMW3evBBr5qNRDN3DRpq
cronopio
June 18, 2011, 03:14:21 AM
#38

https://i.imgur.com/rLkFH.png

Yeah, I see this today in bitcoincharts.com
Desu
June 18, 2011, 03:59:00 AM
#39

Quote from: GeniuSxBoY
Wait wait wait...


are we saying that people's cash-moneys have been stolen and sent to other people's banks from mt gox?
Lawl, I love saying cash-monies.
goldbit
June 18, 2011, 05:54:24 AM
Last edit: June 18, 2011, 06:27:47 AM by goldbit
#40

I think my account has been compromised.

I can login my account. After I login, I can still see my user name and my balance on the top right corner, but it said "Not logged in".

Can someone confirm for me whether my account is hacked??

* How much funds did you lose?
not that much
* To what address were your stolen funds sent?
Can't log in to check; email address was changed as well.
* What OS are you using (Windows, Linux, Mac OSX ...)?
Windows 7 x64
* How long was your old password?
12 word,
* Was your old password random?
No really random
* Was your username the same on Mt. Gox as on the forum?
No
* Did you use your Mt. Gox password somewhere else?
Yes
* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
No
* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
Bitcoin, CPU-miner, namecoin,
* Please also include a screenshot if possible so we know it's a real report.


Am I screwed???

Update: I tried to use the forgot password function. I entered my email, but it didn't work, so I think they changed my email.
So I submitted my username to reset my password (even though I knew I wouldn't receive the email).
But a few minutes later, I received a reset password email in my original email account!
WTF is happening with Mt Gox???

Another update:
After I reset my password to 24 characters, I am able to log in and my funds are still there.
But I am very skeptical about using Mt Gox now.

TrainDeluxe
June 18, 2011, 05:57:15 AM
#41

I also get this error on login now:

Too many failure from your IP, temporarly blocked

Does anybody know what it means or have solved it?
geek-trader
June 18, 2011, 06:20:41 AM
#42

Quote from: TrainDeluxe
I also get this error on login now:

Too many failure from your IP, temporarly blocked

Does anybody know what it means or have solved it?

I was getting it, then I clicked "forgot password" and reset my password, and I can log in now.

Make 1 deposit and earn BTC for life! http://bitcoinpyramid.com/r/345
Play my FREE HTML5 games at: http://magigames.org  BTC donations accepted.
opticbit
PGP: 6EBEBCE1E0507C38
June 18, 2011, 06:49:15 AM
#43

Mine hasn't been touched, but it is a low balance; changed my pw just in case the attacker was sitting on it, waiting for me to add more funds.

Bitrated user: opticbit.
https://www.bitrated.com/opticbit
MBH
June 18, 2011, 08:14:54 AM
#44

Quote from: BitterTea
Was anyone using this app, by any chance? I downloaded it the other day but decided against giving them my password. Noticed today that there is a new version that is now closed source. Coincidence?

I saw the app in the market and it spooked me since it wasn't developed by MtGox itself.

My friend installed it & gave it access. I donno if he got compromised or not (if not, he probably doesn't have worthy funds).

I highly suspect this app.
joepie91 (OP)
June 18, 2011, 09:39:08 AM
#45

I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, unfeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed bruteforce (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.


lechuck, Member
June 18, 2011, 10:32:05 AM, #46

Have you guys considered that mt.gox servers themselves might be compromised with backdoors, hosted at an insecure location, or their passfiles might have been stolen? Pfiles get stolen all the time from porn sites and such; all it takes is the pfile, a good wordlist or rainbow table and John the Ripper to decrypt the password hashes.

jondecker76, Full Member
June 18, 2011, 11:26:09 AM, #47

It has been proven that MtGox has been compromised via a CSRF attack. I lost 20 BTC myself:

Quote
06/14/11 15:45 Withdraw BTC 17RT6Ne994VjC762wh7TpXRdrZRMbhJSUC -20.19 0 0.009 0.059

I also emailed MtGox as soon as I found out, and received an automated reply and assigned support ticket #1605

From my understanding, all you have to do is have the MtGox website open in your browser at the same time as another website running the attack. I commonly open all of my bitcoin related sites in separate tabs in Firefox (not anymore!).

My question is, is MtGox going to refund our money that they failed to secure? 20 BTC may not seem like a lot to some people, but it was a lot to me, and rightfully mine. I hope they do the right thing for those that lost money due to their security flaw.
(in fact, I would even continue to use MtGox now that they have fixed the problem, and they did the right thing in returning money to those that lost out)


apflux, Newbie
June 18, 2011, 11:33:47 AM, #48

Quote from: joepie91
* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
Maybe a CSRF attack that changed your password and the funds were transferred later?

joepie91 (OP), Sr. Member
June 18, 2011, 11:42:46 AM, #49

Quote from: joepie91
* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
Quote from: apflux
Maybe a CSRF attack that changed your password and the funds were transferred later?
My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.


apflux, Newbie
June 18, 2011, 11:51:33 AM, #50

Quote from: joepie91
My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.
So if it wasn't an XSS attack and the passwords were strong, it could only be that either the clients, the servers or the network traffic was compromised. Was any victim using Linux? I tend to the servers, but how can you tell?

randomguy7, Hero Member
June 18, 2011, 01:00:54 PM, #51

Has a site been found which actually performs the CSRF attack? Maybe some well visited bitcoin site is vulnerable to xss and got the attack code included.

joepie91 (OP), Sr. Member
June 18, 2011, 01:15:04 PM, #52

Quote from: joepie91
My password was never changed, I could still access my account - just the funds were converted to BTC and then transferred away.
Quote from: apflux
So if it wasn't an XSS attack and the passwords were strong, it could only be that either the clients, the servers or the network traffic was compromised. Was any victim using Linux? I tend to the servers, but how can you tell?
Yes. If you read the reports in this thread, you will see several people were using Linux.

I have also just seen a report of someone allegedly selling the Mt. Gox database. It would be nice if we could get a response from MagicalTux on all of this.


Megamind, Newbie
June 18, 2011, 01:40:51 PM, #53

My account is safe although it has only a few BTC. Anyway, my new password is looooong.

evileric, Newbie
June 18, 2011, 02:00:00 PM, #54

Thankfully I'm not one of those affected, as I'm still hoarding my coins and biding my time. The markets will mature and security will improve with time; still, remember the old saying: Don't put all of your eggs in one basket, or keep all of your coins in one wallet.

F104, Newbie
June 18, 2011, 03:23:47 PM, #55

Quote from: joepie91
It would be nice if we could get a response from MagicalTux on all of this.

I'm beginning to think we have heard all we are ever going to hear from him.

joepie91 (OP), Sr. Member
June 18, 2011, 04:14:08 PM, #56

Quote from: joepie91
It would be nice if we could get a response from MagicalTux on all of this.
Quote from: F104
I'm beginning to think we have heard all we are ever going to hear from him.
To be fair, he posted a thread today at http://forum.bitcoin.org/index.php?topic=18858 - however, so far it looks a lot like deny-everything marketing talk, although I may be wrong.
Plus I don't understand why he doesn't just implement two factor authentication (through email) instead of a withdrawal password, as the latter can still be circumvented when someone indeed successfully exploits the site to a point where he has database read access.

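The design point in the post above (a withdrawal password is a stored secret, so anyone with database read access can recover it, whereas a one-time code sent by e-mail never has to be stored at all) can be shown in code. This is an added illustration, not Mt. Gox's code or anything posted in the thread; the class and function names, the 15-minute code lifetime and the in-memory mailbox are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not Mt. Gox code): confirming withdrawals with a one-time code
# e-mailed to the account holder, while the server stores only the code's hash.
# Class/function names and the 15-minute lifetime are assumptions for illustration.

CODE_TTL_SECONDS = 15 * 60


def _hash_code(code: str) -> str:
    # The code carries 256 bits of entropy, so a single SHA-256 is enough here;
    # slow password hashing only matters for low-entropy, human-chosen secrets
    # such as a static withdrawal password.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


class WithdrawalConfirmations:
    """Pending withdrawals waiting for an e-mailed, single-use confirmation code.

    A static withdrawal password is a long-lived secret whose hash sits in the
    user table, so anyone with database read access can crack it offline and
    then withdraw. Here the database holds only the hash of a random, short-lived
    code; the code itself goes to the account's e-mail address and is never stored.
    """

    def __init__(self, send_email, now=time.time):
        self._send_email = send_email  # callable(address, body); a real mailer is assumed
        self._now = now                # injectable clock so expiry can be tested
        self._pending = {}             # withdrawal_id -> (user_id, code_hash, expires_at)

    def request(self, user_id, email, withdrawal_id, amount_btc, destination):
        """Record the withdrawal and e-mail its confirmation code to the owner."""
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[withdrawal_id] = (user_id, _hash_code(code), self._now() + CODE_TTL_SECONDS)
        self._send_email(
            email,
            f"Confirm withdrawal {withdrawal_id} of {amount_btc} BTC to {destination} "
            f"with code {code}",
        )

    def confirm(self, user_id, withdrawal_id, code):
        """Release the withdrawal only for the owning user, an unexpired record
        and the exact code; a code works once."""
        record = self._pending.get(withdrawal_id)
        if record is None:
            return False
        owner, code_hash, expires_at = record
        if self._now() > expires_at:
            del self._pending[withdrawal_id]  # stale request: discard it
            return False
        if owner != user_id:
            return False
        if not hmac.compare_digest(_hash_code(code), code_hash):
            return False  # wrong code; the real one still works until expiry
        del self._pending[withdrawal_id]  # single use
        return True

    def database_rows(self):
        """What someone with read access to the database would see."""
        return {
            wid: {"user_id": owner, "code_hash": code_hash, "expires_at": expires_at}
            for wid, (owner, code_hash, expires_at) in self._pending.items()
        }


def demo():
    """Run the flow against a constructed in-memory mailbox and a fake clock."""
    inbox = []
    clock = [1_700_000_000.0]  # constructed epoch time, not a real timestamp
    store = WithdrawalConfirmations(
        send_email=lambda addr, body: inbox.append((addr, body)),
        now=lambda: clock[0],
    )
    store.request(42, "alice@example.invalid", "w1", "20.19", "<constructed address>")
    code = inbox[-1][1].rsplit("code ", 1)[1]

    results = {}
    # A database read yields only the hash, which is not accepted as the code.
    results["replay_stored_hash"] = store.confirm(42, "w1", store.database_rows()["w1"]["code_hash"])
    results["wrong_user"] = store.confirm(7, "w1", code)
    results["correct"] = store.confirm(42, "w1", code)
    results["reuse"] = store.confirm(42, "w1", code)

    # A code left unused past its lifetime stops working.
    store.request(42, "alice@example.invalid", "w2", "1.00", "<constructed address>")
    code2 = inbox[-1][1].rsplit("code ", 1)[1]
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = store.confirm(42, "w2", code2)
    results["pending_after"] = len(store.database_rows())
    return results


if __name__ == "__main__":
    print(demo())
```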

zzyyxx, Newbie
June 18, 2011, 05:06:34 PM, #57

As Jondecker76 said:
  "I have stepped forward on a few other posts - I also had money stolen from my MtGox account (20.19 BTC)
I even reported it to MtGox with no reply (this report was made before it was announced that there was a security exploit found).
It has recently been revealed that MtGox did in fact have a vulnerability, and someone even showed them the exploit by using it to prove it was there. There are also a dozen or so of us that have had this happen. Yet, the owner claimed that he can see no evidence in his logs that our money was lost due to the exploit, and that he is not going to refund anybody for the BTC stolen from his (insecure) site.
I for one will never use MtGox again. It's one thing to make a mistake and have such a simple exploit left open; it happens. It's another thing to not own up to your responsibilities as a responsible business owner. Look at the number of trades on his market, look at his fee and do the math. Bottom line is that he makes very good money from his userbase, and it should be trivial to do the right thing for a few handfuls of users that lost modest amounts of bitcoins. I don't know if it can be proven one way or another whether or not the withdrawn funds were via an exploit or not - but honestly, look at the evidence"

Having been a victim of this security flaw myself, I don't see why, considering the mass amount of cash mtgox is pulling in right now, they don't reimburse the people who, in say the 24 hour or 48 hour window this scam occurred, reported a trouble ticket to them in that time (seems it all happened on the 15th/16th), even if from their own funds for God's sake... up to say "x" amount, but whatever... I guess that's why I don't run a business.

Big Time Coin, Sr. Member
June 18, 2011, 06:17:37 PM, #58

Quote from: zzyyxx
Having been a victim of this security flaw myself, I don't see why, considering the mass amount of cash mtgox is pulling in right now, they don't reimburse the people who, in say the 24 hour or 48 hour window this scam occurred, reported a trouble ticket to them in that time (seems it all happened on the 15th/16th), even if from their own funds for God's sake... up to say "x" amount,

qft

If they are a financial institution, they have to have fraud recovery efforts. He is trying to be legit; maybe he will come around when he thinks that hey, I should have spent the money on security, now I have to pay for the breach.

Big time, I'm on my way I'm making it, big time, oh yes
- Peter Gabriel

osborn_20, Member
June 18, 2011, 09:01:49 PM, #59

sht this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in Bitcoin security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.

Also, doesn't anybody think it's suspicious that all these attacks are happening at the same time?



CamelToeBob, Newbie
June 18, 2011, 09:13:00 PM, #60

Quote from: joepie91
I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, unfeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed bruteforce (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.

The message from mtgox makes it sound like some type of XSS.

joepie91 (OP), Sr. Member
June 18, 2011, 09:15:11 PM, #61

Quote from: osborn_20
sht this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in Bitcoin security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.

Also, doesn't anybody think it's suspicious that all these attacks are happening at the same time?
Bitcoin has had a lot of attention lately. Of course there will be attacks from every side. People who just want to earn a buck from it in less elegant ways, and people who want to see Bitcoin vanish off the earth.

Quote from: CamelToeBob
The message from mtgox makes it sound like some type of XSS.
How exactly would an XSS work in this case? I have never followed any links to Mt. Gox from external sites, and my account was broken into at a point where I couldn't even access Mt. Gox (probably due to the DDoS attacks).


Grant, Full Member
June 18, 2011, 09:40:06 PM, #62

Quote from: osborn_20
sht this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in Bitcoin security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.

No shit it looks bad; it was enough to completely diminish my trust in the system, and I've been a Bitcoin enthusiast since December. Imagine how "attractive" this looks for someone who considers investing. If this had happened in December when I discovered Bitcoin, I'd certainly have run far away from here.

We don't need "banking"; there is no way to track funds to a person anyway (we can track the block explorer, yes, but that's it; it may be a thief's account and it may be someone who pretends to be a victim's second wallet). What's needed is better security; until then I'm taking most of my Bitcoin savings far away from Bitcoin.



joepie91 (OP), Sr. Member
June 18, 2011, 09:58:10 PM, #63

Quote from: Grant
No shit it looks bad; it was enough to completely diminish my trust in the system, and I've been a Bitcoin enthusiast since December. Imagine how "attractive" this looks for someone who considers investing. If this had happened in December when I discovered Bitcoin, I'd certainly have run far away from here.

We don't need "banking"; there is no way to track funds to a person anyway (we can track the block explorer, yes, but that's it; it may be a thief's account and it may be someone who pretends to be a victim's second wallet). What's needed is better security; until then I'm taking most of my Bitcoin savings far away from Bitcoin.

The issue is not with Bitcoin. It is perfectly possible for someone to set up a Bitcoin bank, that has insurance against theft etc, just like "conventional" banks. The issue here lies with Mt. Gox, which is only a single independent exchange. Bitcoin itself (as an idea and protocol) is technically sound. The only thing I am missing is wallet encryption in the client by default, but that can be overcome for now by storing a wallet on a machine that is not connected to the internet, using third-party encryption software.

Bitcoin is much like digital cash, with the difference that you can encrypt a Bitcoin wallet, while you can't encrypt an IRL wallet.


alexanderanon, Full Member
June 18, 2011, 10:55:37 PM, #64

Any reports of problems with TradeHill, anyone?

joshuad31, Newbie
June 19, 2011, 01:16:11 AM, #65

Any newbie reading this, please keep your bitcoins separated in many individual places in case one of your locations is compromised

...and make sure no one else has access to the places you stored your files in.

Obviously this is the dawn of a new age of crypto currency, but if they ever expect bitcoin to become mainstream and not just somebody's hobby, shouldn't all these issues be addressed by the software programmers of bitcoin? I mean, do you really want to solve this problem? Well, it's easy. Let me outline the steps:

1. The bitcoin software needs to encrypt the wallet file.  It read/writes to a wallet that always remains encrypted
2. If you really want bitcoin to go mainstream then it seems to me like incorporating a trading mechanism like mtgox directly into the software itself would seem wise.  That way you don't need to rely on an ewallet system which can be compromised every time you need to convert currency.

Till these two problems are solved how can anyone rely upon bitcoin as a reliable and secure means of currency?

~J

mahun, Newbie
June 19, 2011, 01:58:20 AM, #66

http://forum.bitcoin.org/index.php?topic=19221.0

in short:
did not reuse password.
did not use email during registration, instead wrote down login/password to keepass.
brand new mtgox.com account.
funded it with 50.56 and after 3-4 hours unable to login to site.
it could not be hacked from email, since email was not used during registration.
no trojans found and computer was offline.
did not visit any websites in between so recent CSRF issue did not affect me.

JTaBitCoinKing, Newbie
June 19, 2011, 04:04:59 AM, #67

Well, that Dollar is no less doomed than the Bitcoin.

neneko, Newbie
June 19, 2011, 04:26:54 AM, #68

Quote from: joshuad31
Any newbie reading this, please keep your bitcoins separated in many individual places in case one of your locations is compromised

...and make sure no one else has access to the places you stored your files in.

Obviously this is the dawn of a new age of crypto currency, but if they ever expect bitcoin to become mainstream and not just somebody's hobby, shouldn't all these issues be addressed by the software programmers of bitcoin? I mean, do you really want to solve this problem? Well, it's easy. Let me outline the steps:

1. The bitcoin software needs to encrypt the wallet file.  It read/writes to a wallet that always remains encrypted
2. If you really want bitcoin to go mainstream then it seems to me like incorporating a trading mechanism like mtgox directly into the software itself would seem wise.  That way you don't need to rely on an ewallet system which can be compromised every time you need to convert currency.

Till these two problems are solved how can anyone rely upon bitcoin as a reliable and secure means of currency?

~J
The first problem confuses me a little, mostly because these attacks had absolutely nothing to do with anyone's wallet file.

The second is just a terrible suggestion and goes against the very basic principles of bitcoin and what it's supposed to be.

Safer banking solutions would be great and they will no doubt come when bitcoin grows bigger but for now just calm down a little and look at what actually happened. These attacks happened due to a site (mt. gox) having security flaws and the attacks only affected accounts at that site. They had nothing to do with how bitcoin works as a currency.

TheMummy, Newbie
June 19, 2011, 05:48:44 AM, #69

I can't login using my account. It was fine about an hour ago. My email has been changed as well so I can't get my password back.

My ticket: #1899

Mr2001, Newbie
June 19, 2011, 06:50:46 AM, #70 (last edit: June 19, 2011, 01:57:40 PM by Mr2001)

Quote from: TheMummy
I can't login using my account. It was fine about an hour ago. My email has been changed as well so I can't get my password back.

My ticket: #1899
Same here. Ticket #1912. I can't log in, and password recovery says no email address is on file (but I believe I set one when I signed up).

I've been using a separate browser for mtgox, with no other pages open, ever since I heard about the CSRF exploit. I tried to change my password at that time too, but when I clicked "Change", the page flickered but nothing happened (on multiple browsers).

fasthands, Newbie
June 19, 2011, 08:48:01 AM, #71

Change your Mt. Gox password. Twenty characters is best, with both uppercase and lowercase letters along with a few numbers. No words from the dictionary!

Mr2001, Newbie
June 19, 2011, 10:25:00 AM, #72

Quote from: fasthands
Change your Mt. Gox password. Twenty characters is best, with both uppercase and lowercase letters along with a few numbers. No words from the dictionary!
Am I the only one who was unable to change passwords?

mikef, Newbie
June 19, 2011, 12:10:41 PM, #73

My account was locked today - not able to get in or recover password. Reading the forums, I was already hopeless. But finally mtgox support got back to me and reopened the account. I hear this is related to tracking stolen bitcoins.

So if you're in the same situation, not being able to log in (instead of malicious transactions), contact mtgox support.

puppy1014, Newbie
June 19, 2011, 12:42:20 PM, #74 (last edit: June 19, 2011, 12:55:13 PM by puppy1014)

My account has been hacked and I lost 5 BTC; the ID and the password don't match. No way, I'm sure about my password. I use the latest Avira and Zone Alarm, so there isn't any trojan or keylogger on my PC. So I think mtgox stole my account?
My ticket: #1942. Now I can't do anything with my account (login, recover my password; I think someone changed it).

joepie91 (OP), Sr. Member
June 19, 2011, 08:13:44 PM, #75

Update: Mt. Gox was compromised, the database of users was released. I believe the thread here was removed, but many people will probably be able to verify it.

Change your passwords now.

I told you so


digimag, Full Member
June 19, 2011, 08:29:38 PM, #76

Hey hey…

I believe people at MTGOX are little stupid kids.

Do not change your password.

Just delete your damn MT GOX account and go find a more trustworthy site.

I've just downloaded that CSV file with all the information, I can't believe it.

Mt GOX IS NOT SECURE.

Mt Gox is a fucking security hole and you'd better get out of there quick.

For instance, try Trade Hill.

17opQsbw8873x4PTwzvacEjNR2a59mSxoT

digimag, Full Member
June 19, 2011, 08:33:36 PM, #77

Quote from: joepie91
Update: Mt. Gox was compromised, the database of users was released. I believe the thread here was removed, but many people will probably be able to verify it.

Change your passwords now.

I told you so

As I said, there is no use to change your password if it will be hacked again.

What just happened is just not serious. It's such a fucking joke I can't believe it.

I would recommend to get out of there and go somewhere else.

If those people can not secure their web server, they should be responsible for it and assume the consequences.


tomfmason, Newbie
June 19, 2011, 08:49:55 PM, #78

I like how the original thread was removed. Cover up or what?

weaksauce imo

mvd7793, Newbie
June 19, 2011, 09:08:02 PM, #79

Anyone tried 1Password? I've been looking at getting that.

joepie91 (OP), Sr. Member
June 19, 2011, 09:24:25 PM, #80

Quote from: joepie91
Update: Mt. Gox was compromised, the database of users was released. I believe the thread here was removed, but many people will probably be able to verify it.

Change your passwords now.

I told you so
Quote from: digimag
As I said, there is no use to change your password if it will be hacked again.

What just happened is just not serious. It's such a fucking joke I can't believe it.

I would recommend to get out of there and go somewhere else.

If those people can not secure their web server, they should be responsible for it and assume the consequences.
I was not just talking about the Mt. Gox password, but passwords everywhere. Judging from the few passwords that were posted (cracked) on Pastebin as well, a lot of people are reusing passwords.


Quote from: digimag
Hey hey…

I believe people at MTGOX are little stupid kids.

Do not change your password.

Just delete your damn MT GOX account and go find a more trustworthy site.

I've just downloaded that CSV file with all the information, I can't believe it.

Mt GOX IS NOT SECURE.

Mt Gox is a fucking security hole and you'd better get out of there quick.

For instance, try Trade Hill.
Nice referral link spam, bro.

Also, personally I would advise people to use an exchange that runs on an open-source platform. Tradehill (and most other exchanges) are just yet another proprietary platform of which you have no guarantees regarding security. You can not look through the code (no one can, really), and will have to blindly believe that they can not be compromised.


agedet, Newbie
June 19, 2011, 10:19:50 PM, #81

Screw MtGox, moving my money to Tradehill.  Used code TH-R15720 when signing up to get reduced fees.

SoggyMoggy, Newbie
June 19, 2011, 10:24:37 PM, #82

Has anybody been able to confirm that their account balances at MtGox are safe? I have a small amount of BTC there (ready for sale - more than 1, less than 10). It's only a small amount (as I don't yet trust MtGox) and I moved it there last week.

I am a newbie, and I'm just experimenting with purchases and sales of smaller amounts before investigating the currency further. The recent events at MtGox are indeed troubling... I hope they haven't lost my BTC...

PandaMiner, Sr. Member
June 19, 2011, 10:25:46 PM, #83

Now that mtgox closed their exchange, how can I tell if I got hacked?

I have read people mention that they checked the "dump" and found their info in it with their email changed (or not changed). Where is this dump?

EDIT: Google Mail just asked me to verify myself due to suspicious activity.  I did use the same 9 char. password as my email on mtgox.

I'm scared.


joepie91 (OP), Sr. Member
June 19, 2011, 10:31:09 PM, #84

Quote from: agedet
Screw MtGox, moving my money to Tradehill.  Used code TH-R15720 when signing up to get reduced fees.
How do you know Tradehill is any more secure than Mt. Gox?

Quite a lot of people are using this opportunity to have people flock to Tradehill (which has no guarantees of being secure either), conveniently including a referral code (which smells a lot like referral spamming).


PandaMiner, Sr. Member
June 19, 2011, 10:35:08 PM, #85

I heard TradeHill's referral codes used to give 30% discounts; now they are only 10%.


GeniuSxBoY, Hero Member
June 19, 2011, 10:45:03 PM, #86

how the hell do I know tradehill can't get hacked

Be humble!

BitcoinPorn, Hero Member
June 19, 2011, 10:49:29 PM, #87

Quote from: GeniuSxBoY
how the hell do I know tradehill can't get hacked
You don't.

There is risk with no insurance.

Welcome to Bitcoin.


Blackhawke, Newbie
June 19, 2011, 11:19:28 PM, #88

Quote from: mvd7793
Anyone tried 1Password? I've been looking at getting that.

Personally I've been using LastPass for over a year and am quite happy with it. They also have smart phone apps for all platforms I think. If you're an Android user, there's even a LastPass plugin for the Dolphin web browser.

Just my 2 DoBits. You can keep the change.  Grin

joepie91 (OP), Sr. Member
June 20, 2011, 01:38:47 AM, #89

Quote
I got a Gmail notification about account security compromised, meaning someone attempted to password-guess their way through Google, meaning my shit was in the leak.

Thankfully I use a different password for erryting.
I believe a Bitcoin community member that is working for / related to Google has flagged all the Gmail accounts in the leaked database, to prevent break-ins.


Technopope, Newbie
June 20, 2011, 01:40:50 AM, #90

How much funds did you lose?

17 BTC and a dollar value of under one dollar.


To what address were your stolen funds sent?

There is no way to check, as I couldn't log in with my email address.


What OS are you using (Windows, Linux, Mac OSX ...)?

Windows 7, all updates current.


How long was your old password?

20 characters.


Was your old password random?

Not random, but generally considered "strong". Certainly not guessable.


Was your username the same on Mt. Gox as on the forum?

This is my first post, having just registered for this topic. Same as DeepBit though...


Did you use your Mt. Gox password somewhere else?

No, but a 10 character variation of it was used at DeepBit. Now changed.


Did your old password contain lowercase letters, uppercase letters, special characters and numbers?

A mix of lowercase and numbers.


Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.

Only GUIMiner v2011-05-21


Please also include a screenshot if possible so we know it's a real report.

No screenshot available, as the MtGox account is inaccessible. I reregistered at MtGox and sent in a ticket describing my situation.
Technopope
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
June 20, 2011, 02:00:56 AM
 #91


Quote
qft

if they are a financial institution, they have to have fraud recovery efforts. He is trying to be legit; maybe he will come around when he thinks that hey, I should have spent the money on security, now I have to pay for the breach.

But MtGox is not a financial institution. It is just a guy who started trading online game items (Magic The Gathering Online eXchange) and progressed to BitCoins.

Hopefully he will and is financially able to do the right thing. If he doesn't try, MtGox as a BitCoin exchange is over. Of course, if things are as bad as some people are hypothesizing, MtGox is finished anyway.

Let's hope things work out.
Technopope
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
June 20, 2011, 02:31:19 AM
 #92

Quote
Now that mtgox closed their exchange, how can I tell if I got hacked?

I have read people mention that they checked the "dump" and found their info in it with their email changed (or not changed). Where is this dump?

EDIT: Google Mail just asked me to verify myself due to suspicious activity.  I did use the same 9 char. password as my email on mtgox.

I'm scared.

Yes, you are on the list, along with your gmail address, number 3419 out of 61,016 users listed at MtGox.

Understand that the passwords are not directly readable, and must be run through some fairly intense computational power to crack. Very similar to the way BitCoins are mined, actually. Takes a *long* time...

However, I had a 20 character password, using both letters and numbers, and exclusive to MtGox. Looks like my email address was changed in my account and I can't log into my account. I have to assume it is lost.

Just change all your passwords that are similar and associated with that address.
pharmhero
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
June 20, 2011, 03:19:25 AM
 #93

First post.

Thankfully I had nothing stolen because I took my coins out just yesterday cause I was afraid MtGox wasn't secure. 

Here is what interested me. If you look at the leaked list of user accounts it has as the first user jed@thefarwilds.com. Just a little investigative work finds that the first registered user of MtGox is actually Jed McCaleb, creator of the P2P program eDonkey2000!

What exactly does he have to do with MtGox and what does he know about this.  Was MtGox his coding? I know MtGox stands for "Magic: The Gathering Online Exchange" and Jed's The Far Wilds looks just as dumb.

So is this a coincidence Roll Eyes or does he have something he would like to share with the rest of us?
ErgoOne
Full Member
***
Offline Offline

Activity: 126
Merit: 100


View Profile
June 20, 2011, 03:29:41 AM
 #94

1) I'm a brand new Bitcoin user with no Bitcoins.  According to Mt. Gox, my brand new account and password were compromised, but there was nothing for any intruder to steal.

2) Password: 16+ characters, random, upper-case/lower-case letters, numbers, symbols. (I'm anal about passwords.)

3) I do not reuse any passwords on any account that has access to any financial transactions.  This includes bank, payment processor, Bitcoin trading, and any online business where I do business.  I save my passwords in a GPG-encrypted file and keep copies backed up in various locations.

4) Mt. Gox currently indicates that the compromise was through the user account of an auditor who has read-only access to the system.  They aren't sure how yet.  My guess is either a spear phish (personalized "phish" email) claiming to be from Mt. Gox, or a trojan with a keylogger that stole their password.

This is scary. :/  However, I'm glad it happened now and not later.  The entire Bitcoin system needs to be made both more secure and more easily usable while secure than it is currently.  I would like to see Bitcoin gain wide acceptance and use outside of the geek world -- the human race needs a digital replacement for cash, and this is the best idea I've seen yet on how to do it.  But I don't see that happening until the security of wallets is ensured (by encrypting them by default), and online trading and payment methods for Bitcoin approach the security of my bank's online banking system.
bc4md
Newbie
*
Offline Offline

Activity: 29
Merit: 0


View Profile
June 20, 2011, 03:30:05 AM
 #95

I had nothing on MT gox, thank god, but I'm still waiting for a transfer from BC market.

Either that, or I'm still having block-generating issues.
cconover
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
June 20, 2011, 04:02:56 AM
 #96

Mt Gox and other Bitcoin markets ought to enable and encourage the use of some form of multi-factor authentication.  I use a Yubikey in conjunction with my Lastpass account (Lastpass generates very strong, unique passwords for every site so I'm not concerned about my Mt Gox password providing access to anything else), and it's a fantastic and open source authentication system.  Since Bitcoin is growing exponentially in usage and legitimacy, trading services should be growing with it and hardening their systems both on the code side, and on the user interaction side.  Many banks offer or require multi-factor authentication, why shouldn't Bitcoin services?
bitcoin.monger
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
June 20, 2011, 04:25:59 AM
 #97

Regardless of how strong your password is, if it's not stored with a strong hashing method on the server it makes no difference. When MtGox was originally launched, it appears it was using MD5 for hashing. This was a very poor decision; MD5 is not secure (although it has been a de-facto standard for years, and change is hard  Smiley ). It appears that lately they have decided to move to something better and offer two-factor authentication etc. Hopefully we will see fewer incidents in the future.
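To make the point above concrete, here is an added example by the editor (not Mt. Gox's code and not the poster's): the unsalted-MD5 pattern beside a salted, iterated PBKDF2 store, plus a check of what a leaked table of each kind gives away. The round count is an assumption to be tuned per server.

```python
import hashlib
import hmac
import os

# Work factor: assumption. Pick it so one verification costs a few hundred
# milliseconds on your hardware, and raise it as machines get faster.
PBKDF2_ROUNDS = 600_000


def weak_md5_store(password: str) -> str:
    """The scheme the post criticises: one fast, unsalted MD5 per password.
    Equal passwords give equal hashes, and a leaked table can be run against
    precomputed tables or brute-forced at billions of guesses per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hardened_store(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The random salt makes equal passwords
    unequal on disk and defeats precomputation; the round count makes each guess
    expensive. Stored self-describing so the rounds can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def hardened_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, then compare in constant time."""
    try:
        algo, rounds, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def duplicates_visible(store, passwords) -> int:
    """How many rows in a leaked table share a hash with another row. With
    unsalted MD5 this equals the number of users on a reused password, so the
    dump itself points at the cheapest targets; with salting it is always 0."""
    hashes = [store(p) for p in passwords]
    return sum(1 for h in hashes if hashes.count(h) > 1)


if __name__ == "__main__":
    # Constructed sample of four users' passwords, three of them identical.
    users = ["hunter2", "correct horse", "hunter2", "hunter2"]
    print(duplicates_visible(weak_md5_store, users))   # 3
    print(duplicates_visible(hardened_store, users))   # 0
    rec = hardened_store("correct horse")
    print(hardened_verify("correct horse", rec), hardened_verify("wrong", rec))
```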
chr15m
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
June 20, 2011, 04:51:06 AM
 #98

Just a heads up that someone is sending a lovely .exe trojan to all mtgox users under the guise of "info@mtgox.com" from wiscointl.com.cn - the subject of the email is "[Mt.Gox] Account Certificate Download."

You probably do not want to run the exe.
chr15m
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
June 20, 2011, 05:15:19 AM
 #99

The Reply-To address is "info_@mtgox.com". Does this mean that the mtgox.com machine is compromised too and they have set up a special mailbox there?

This should probably be posted on the non-newbies part of this forum.
conbitcoin.com
Newbie
*
Offline Offline

Activity: 22
Merit: 0


View Profile
June 20, 2011, 05:28:58 AM
 #100

Quote from: chr15m
Just a heads up that someone is sending a lovely .exe trojan to all mtgox users under the guise of "info@mtgox.com" from wiscointl.com.cn - the subject of the email is "[Mt.Gox] Account Certificate Download."

You probably do not want to run the exe.

Thanks a lot for the info!
pharmhero
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
June 20, 2011, 05:32:00 AM
 #101

I'm going with LastPass.com. It seems secure and well written.

I'm redoing all my passwords with it
henri
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
June 20, 2011, 05:38:40 AM
Last edit: June 20, 2011, 05:58:11 AM by henri
 #102

Quote
Now that mtgox closed their exchange, how can I tell if I got hacked?
I have read people mention that they checked the "dump" and found their info in it with their email changed (or not changed). Where is this dump?
EDIT: Google Mail just asked me to verify myself due to suspicious activity.  I did use the same 9 char. password as my email on mtgox.
I'm scared.
You should be.
Your password has been compromised and your username / email / password are public now.
Hackers around the world will try to break into whatever accounts you may have (google, paypal, amazon, facebook..) with this data.
So if you use this Password somewhere else, change it! NOW, EVERYWHERE.

Google and some other services have a 2-step verification, you should activate this.

Technopope
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
June 20, 2011, 05:39:55 AM
 #103

Quote from: chr15m
The Reply-To address is "info_@mtgox.com". Does this mean that the mtgox.com machine is compromised too and they have set up a special mailbox there?


No. Any email can have any reply-to address.

If you examine the *full* header of the email, you should be able to see the actual path of where it originated. An application such as Mozilla Thunderbird allows this under "View-Headers-Full". I don't think most web-based email readers easily allow this.
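The header inspection described above, automated, as an added example by the editor (not the poster's code): it pulls the Received chain and compares the visible From, the Reply-To and the host our own mail server actually accepted the message from. Both messages below are constructed for the example, modelled on the report in this thread; the hostnames and addresses are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the phishing report in this thread (not a real
# capture): the visible From is info@mtgox.com and Reply-To is "info_@mtgox.com",
# but the host our own MX accepted the message from is unrelated to that domain.
PHISH = """\
Received: from smtp.example.com.cn (unknown [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTP id 4F2A1
\tfor <victim@recipient.example>; Mon, 20 Jun 2011 04:40:09 +0000
From: "Mt.Gox" <info@mtgox.com>
Reply-To: info_@mtgox.com
To: victim@recipient.example
Subject: [Mt.Gox] Account Certificate Download

(body omitted)
"""

# Constructed benign counterpart: no Reply-To, handed over by a host in the sender's domain.
LEGIT = """\
Received: from mail.mtgox.com (mail.mtgox.com [203.0.113.5])
\tby mx.recipient.example (Postfix) with ESMTP id 4F2A2
\tfor <victim@recipient.example>; Mon, 20 Jun 2011 05:00:00 +0000
From: "Mt.Gox" <info@mtgox.com>
To: victim@recipient.example
Subject: [Mt.Gox] Service notice

(body omitted)
"""


def received_hops(raw: str) -> list:
    """Hosts named in each Received header, nearest-to-us first. Only the lines
    stamped by servers you control (the top ones) are trustworthy; everything
    below them was supplied by the sender and can be forged as freely as Reply-To."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", value)
        hops.append(m.group(1).lower() if m else "?")
    return hops


def address_domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def inspect(raw: str) -> list:
    """Checks a defender would run on a suspicious notice; returns a list of findings."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    findings = []
    # Reply-To is free text chosen by the sender: a mismatch means replies (and
    # anything typed into them) go somewhere other than the visible sender.
    if reply_addr and reply_addr != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    hops = received_hops(raw)
    # Assumption: hops[0] was written by our own MX and records who really connected.
    if hops and not in_domain(hops[0], address_domain(from_addr)):
        findings.append(f"delivered by {hops[0]}, not a host in {address_domain(from_addr)}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, received_hops(sample), inspect(sample) or "no findings")
```

A clean result here is not proof of legitimacy (legitimate senders use third-party relays, and SPF/DKIM results are the stronger signal), but a flagged Reply-To or an unrelated delivering host is enough reason not to open the attachment.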
morr
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
June 20, 2011, 05:41:15 AM
 #104

Quote from: pharmhero
I'm going with LastPass.com. It seems secure and well written.

I'm redoing all my passwords with it

KeePass has been my choice for password storage for ages now.

http://keepass.info/
mieomeo
Newbie
*
Offline Offline

Activity: 22
Merit: 0


View Profile
June 20, 2011, 05:44:48 AM
 #105

How much funds did you lose?
50 BTC, a few dollars, and 11 more BTC were coming just before I couldn't log in to my account.

To what address were your stolen funds sent?
There is no way to check, as I couldn't log in.

What OS are you using (Windows, Linux, Mac OSX ...)?
Windows 7

How long was your old password?
25 characters.

Was your old password random?
Yes.

Was your username the same on Mt. Gox as on the forum?
Yes, but I've just registered this forum account for this breakdown issue.


Did you use your Mt. Gox password somewhere else?
No.


Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
All of them.

Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
Only GUIMiner.

Please also include a screenshot if possible so we know it's a real report.
No screenshot available, as the MtGox account is inaccessible.
HatlessCat
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
June 20, 2011, 06:33:03 AM
 #106

sigh i like that company already
chr15m
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
June 20, 2011, 07:11:59 AM
 #107

Quote from: chr15m
The Reply-To address is "info_@mtgox.com". Does this mean that the mtgox.com machine is compromised too and they have set up a special mailbox there?


Quote from: Technopope
No. Any email can have any reply-to address.

If you examine the *full* header of the email, you should be able to see the actual path of where it originated. An application such as Mozilla Thunderbird allows this under "View-Headers-Full". I don't think most web-based email readers easily allow this.

What I mean is, why would they set the Reply-To header to "info_"? I think they're trying to trick people into replying to that address instead of info@mtgox.com because they have somehow set up a redirect address from there which they can use to continue to fool people.
dego
Sr. Member
****
Offline Offline

Activity: 399
Merit: 250



View Profile
June 20, 2011, 07:59:40 AM
 #108

A bad day for Mt. Gox users. I decided to change over to TradeHill.com and hope that their security will be better. Right now they also stopped services to give users time in case they used the same password on both exchanges (just NEVER do that!)
ribuck
Donator
Hero Member
*
Offline Offline

Activity: 826
Merit: 1039


View Profile
June 20, 2011, 10:36:16 AM
 #109

Quote from: pharmhero
... the first registered user of MtGox is actually Jed McCaleb, creator of the P2P program eDonkey2000!

What exactly does he have to do with MtGox
Jed McCaleb (of eDonkey2000 fame) was the creator of MtGox. He operated it for a few months before selling it to the current owner (MagicalTux's corporation).
arkados
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile
June 20, 2011, 10:59:27 AM
 #110

Extreme caution for all registered users of Mt.Gox, please.
Plenty of spam, phishing and malware coming. Bitcoin now is serious business to hackers, so at least use standard security (encrypted wallet.dat, 1 password per website, strong passwords, separate email addresses,...)
Since Windows users are especially targeted, we've got to teach the security basics, I fear  Sad
bitcoin.monger
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
June 20, 2011, 12:03:56 PM
 #111

Tradehill will hopefully learn something from all this, as well as the users...
jeanjean
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
June 20, 2011, 12:18:17 PM
 #112

Hello,

I am another bitcoin newbie being hacked.

They logged into the site www.mybitcoin.com where I was using the same password and stole everything there (which was ~0.5 BTC).


The bitcoin address which benefited from the stolen BTC is : 1MAazCWMydsQB5ynYXqSGQDjNQMN3HFmEu
The transaction happened at "2011-06-20 10:09:28". Finally, the exact sum they took was 0.500001


I hope people here will stop the thieves. Anyway, I doubt it, as their hack was really well done, programming bots to check the various services (emails, online BTC clients, probably more) with the obtained passwords. But maybe it's possible to stop them from exchanging the bitcoins.

PS : I will consult my PM here if anyone needs more information about my case, but there are just *too many* posts about it for me to follow and reply directly in the forum (and I'm restricted to the newbie section for now).
bitcoin.monger
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
June 20, 2011, 12:26:43 PM
 #113

jeanjean, sorry to hear about it, but I guess you will survive  Smiley
It's the first time I hear about mybitcoin being hacked. Maybe you should start a new thread about that where people can report?
jeanjean
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
June 20, 2011, 12:33:12 PM
Last edit: June 20, 2011, 01:40:19 PM by jeanjean
 #114

Sorry for the flood, I thought I should give more information by responding carefully to all the questions from the OP.

So :

* How much funds did you lose?
-0.500001

* To what address were your stolen funds sent?
1MAazCWMydsQB5ynYXqSGQDjNQMN3HFmEu
The transaction was done on www.mybitcoin.com where I used the same password.
I did not have a single BTC or $ in my Mt Gox account.

* What OS are you using (Windows, Linux, Mac OSX ...)?
Linux

* How long was your old password?
12 characters

* Was your old password random?
no, but it was a non-dictionary word and it was not linked with my login

* Was your username the same on Mt. Gox as on the forum?
Yes, "jeanjean" (and I'm number 31478 in the leaked .csv)

* Did you use your Mt. Gox password somewhere else?
Yes, on www.mybitcoin.com (and only there, I use more secure passwords usually)

* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
only lowercase letters

* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
none, apart from mybitcoin.com

* Please also include a screenshot if possible so we know it's a real report.
I did so there (blacked out the other irrelevant transactions). For some reason I could not upload my picture on the forum, so here is the link : http://www.imagup.com/data/1123238572.html

nobod
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
June 20, 2011, 01:39:25 PM
 #115

Lost 10.88 BTC and 198 USD on MTGOX  Sad
vivithemage
Member
**
Offline Offline

Activity: 77
Merit: 10


View Profile
June 20, 2011, 02:15:40 PM
 #116

I'd love to see some sort of iphone app authenticator for the log in.

YinCoin YangCoin ☯☯First Ever POS/POW Alternator! Multipool! ☯ ☯ http://yinyangpool.com/ 
Free Distribution! https://bitcointalk.org/index.php?topic=623937
mike85123
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
June 20, 2011, 02:49:35 PM
 #117

how does everyone know how much they lost?? I didn't think anyone could access anything.
arkados
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile
June 20, 2011, 03:02:34 PM
 #118

Quote from: mike85123
how does everyone know how much they lost?? I didn't think anyone could access anything.
Nobody lost.
jondecker76
Full Member
***
Offline Offline

Activity: 238
Merit: 100


View Profile
June 20, 2011, 03:17:33 PM
 #119

Maybe nobody lost in the sellout event, but I assure you myself and others also got BTC stolen out of our accounts in the days preceding the sell off.
It has already been proven on other threads that cracking the hashed passwords is relatively easy - people in the thread had already cracked thousands of the hashed passwords

RollerBot Advanced Trading Platform
https://bitcointalk.org/index.php?topic=447727.0
BTC Donations for development: 1H36oTJsi3adFh68wwzz95tPP2xoAoTmhC
Siem0
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
June 20, 2011, 03:23:14 PM
 #120

mybitcoin account also got cleaned out.  Cry


* How much funds did you lose?
-69.28

* To what address were your stolen funds sent?
1MAazCWMydsQB5ynYXqSGQDjNQMN3HFmEu
The transaction was done on www.mybitcoin.com where I used the same password.
I did not have a single BTC or $ in my Mt Gox account.

* What OS are you using (Windows, Linux, Mac OSX ...)?
Windows 7

* How long was your old password?
8 characters

* Was your old password random?
yes

* Was your username the same on Mt. Gox as on the forum?
Yes

* Did you use your Mt. Gox password somewhere else?
Yes, on both mybitcoin and deepbit

* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
lowercase letters and numbers

* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
yes, in the past I've used gui miner, poclbm, phoenix1.4 and rpcminer

* Please also include a screenshot if possible so we know it's a real report.
http://s4.postimage.org/gp06pl8su/btc_theft.jpg
vergodusk
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
June 20, 2011, 07:29:59 PM
 #121

I'm still kinda confused. I know when I tried to log in this morning it seemed that I didn't even have an account with MtGox. I haven't contacted customer service yet, but I do feel fortunate that I only had about $9.00 USD in it!
zzeroo
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile WWW
June 20, 2011, 09:34:32 PM
 #122

For the last 2 days I have been receiving tons of emails like this

Quote
Dear Mt.Gox user,

Our database has been compromised, including your email...

The joke is, I've never registered at Mt. Gox. Is Mt. Gox in collaboration with this forum? Or any official Bitcoin site?
botnet
Newbie
*
Offline Offline

Activity: 35
Merit: 0


View Profile
June 20, 2011, 09:49:41 PM
 #123

mybitcoin.com hacked, same address as others

* How much funds did you lose?
4.53 BTC from mybitcoin.com

* To what address were your stolen funds sent?
1MAazCWMydsQB5ynYXqSGQDjNQMN3HFmEu

* What OS are you using (Windows, Linux, Mac OSX ...)?
Windows 7 x64

* How long was your old password?
12 characters

* Was your old password random?
Yes

* Was your username the same on Mt. Gox as on the forum?
Yes

* Did you use your Mt. Gox password somewhere else?
Yes, mybitcoin

* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
Yes

* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
Yes, phoenix official build

* Please also include a screenshot if possible so we know it's a real report.
http://i56.tinypic.com/2hn99xw.png
Infinity1
Member
**
Offline Offline

Activity: 80
Merit: 10


I'm OG


View Profile
June 20, 2011, 11:54:28 PM
 #124

I saw it crash to a couple cents per coin. Luckily I didn't register there yet...
LittleGnome
Newbie
*
Offline Offline

Activity: 29
Merit: 0


View Profile
June 21, 2011, 12:41:38 AM
 #125

I don't know if I've lost anything, because I can no longer access my mybitcoin.com account. They have a notice up saying that if your user name and email were the same as one found in the MtGox leak they reset your password, and "We will send you a new one to your email address".

Haven't got it.

Ironically I had already reset my password in response to this mess.

So, am I out my 3.0 BTC?

'Cuz I'm pretty poor right now, and ~50 bux would have been quite useful.
Mr2001
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
June 21, 2011, 12:55:22 AM
 #126

I've seen some other references to the "change password" feature not working in the days before the attack. Has there been any statement on what caused that? If the account database was stolen several days before the attack, could the hacker have broken it intentionally to make sure the passwords stayed valid?
joepie91 (OP)
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250


View Profile
June 21, 2011, 01:28:27 AM
 #127

Quote from: LittleGnome
I don't know if I've lost anything, because I can no longer access my mybitcoin.com account. They have a notice up saying that if your user name and email were the same as one found in the MtGox leak they reset your password, and "We will send you a new one to your email address".

Haven't got it.

Ironically I had already reset my password in response to this mess.

So, am I out my 3.0 BTC?

'Cuz I'm pretty poor right now, and ~50 bux would have been quite useful.
Try contacting MyBitcoin about it from the email that is registered to your account.


LittleGnome
Newbie
*
Offline Offline

Activity: 29
Merit: 0


View Profile
June 21, 2011, 01:51:39 AM
 #128

Quote from: LittleGnome
I don't know if I've lost anything, because I can no longer access my mybitcoin.com account. They have a notice up saying that if your user name and email were the same as one found in the MtGox leak they reset your password, and "We will send you a new one to your email address".

Haven't got it.

Ironically I had already reset my password in response to this mess.

So, am I out my 3.0 BTC?

'Cuz I'm pretty poor right now, and ~50 bux would have been quite useful.
Quote from: joepie91
Try contacting MyBitcoin about it from the email that is registered to your account.



They have no contact info on their site beyond snail mail.
BrightAnarchist
Donator
Legendary
*
Offline Offline

Activity: 853
Merit: 1000



View Profile
June 21, 2011, 04:54:37 AM
 #129

mybitcoin account hacked, lost all my coins, a LOT of them

this is the direct result of the mtgox hack/leak
KMBTC11
Newbie
*
Offline Offline

Activity: 57
Merit: 0



View Profile WWW
June 21, 2011, 05:22:08 AM
 #130

Just read that they've pushed back to reopening again.  Now there's no deadline just a 'reopening soon' message.  I was just beginning to test out BCs and only had a few but it would be nice to get into my account and change my word.
bitcoin.monger
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
June 21, 2011, 06:51:27 AM
 #131

Thank you all for the info!

Please keep posting the details if you were hacked.
Bitcoin transactions can be tracked since one cannot send bitcoins from a different address than the address used to receive them.

What if we would build a database with all the addresses to which stolen bitcoins were transferred, and not accept transactions from these addresses?

A community-driven www.bitcoincop.com?

If none of us would accept transactions with "tainted" addresses in the chain, stealing coins would become pointless.
joepie91 (OP)
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250


View Profile
June 21, 2011, 07:06:27 AM
 #132

Quote from: bitcoin.monger
Thank you all for the info!

Please keep posting the details if you were hacked.
Bitcoin transactions can be tracked since one cannot send bitcoins from a different address than the address used to receive them.

What if we would build a database with all the addresses to which stolen bitcoins were transferred, and not accept transactions from these addresses?

A community-driven www.bitcoincop.com?

If none of us would accept transactions with "tainted" addresses in the chain, stealing coins would become pointless.
This has been suggested before, and it is not a good idea, as it can never be voluntary.

If you make a 'voluntary' system of blacklisting coins, that means you indirectly force EVERYONE to adhere to that system, because otherwise you may accept coins that you cannot spend anywhere later.
Not to mention how coins get mixed up in exchanges etc.

Jat1668
Newbie
*
Offline Offline

Activity: 1
Merit: 0


View Profile
June 21, 2011, 03:06:04 PM
 #133

I've yet to learn how much I've lost. If total..$20.00 not a whole lot.
iBug
Newbie
*
Offline Offline

Activity: 55
Merit: 0


View Profile
June 21, 2011, 03:22:26 PM
 #134

The Mt.Gox Account recovery service has now started, please go to
https://claim.mtgox.com
and enter as much data (bank name of deposits or withdrawals, last account balance, ...) as you have in order to claim your account.

And please, include lowercase and uppercase letters as well as some numbers and symbols.
And just to make sure, make it 15-20 characters long.
mahun
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile
June 21, 2011, 04:00:44 PM
 #135

Quote from: iBug
The Mt.Gox Account recovery service has now started, please go to
https://claim.mtgox.com
and enter as much data (bank name of deposits or withdrawals, last account balance, ...) as you have in order to claim your account.

And please, include lowercase and uppercase letters as well as some numbers and symbols.
And just to make sure, make it 15-20 characters long.

Heh... Here is what I got - The password for this account is invalid, or this account is not currently under claim process.

Password is 101% valid (well, at least it is exactly the one I used to register). So here it goes - mtgox.com is just trying to scam people away to cover their asses.
TheMummy
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
June 21, 2011, 04:26:55 PM
 #136

I am too. The password for this account is invalid, or this account is not currently under claim process.  Huh
iBug
Newbie
*
Offline Offline

Activity: 55
Merit: 0


View Profile
June 21, 2011, 05:00:35 PM
 #137

Quote from: TheMummy
I am too. The password for this account is invalid, or this account is not currently under claim process.  Huh
Sorry to read this, all I can tell is that it worked for me.
Maybe you want to try it once again, as there's always the possibility of entering the wrong password.

Anyway, this message isn't something unusual, a lot of users are getting that error.
The problem is known and Mark Karpeles is working on it. (http://forum.bitcoin.org/index.php?topic=20653.msg258264#msg258264)
Just try again in a few hours.

And don't worry, trades won't resume until most of the users have claimed their accounts, which probably will take some days. I'm not even sure if Mt. Gox is going to be fully operating before the end of this week.
MBH
Newbie
*
Offline Offline

Activity: 51
Merit: 0


View Profile WWW
June 21, 2011, 05:15:37 PM
 #138

Hello people,

I have about $900 invested in MtGox and although I panicked at first, following MtGox's updated page shows that they're really working hard on recovering everything and making sure their systems are up & running.

According to their page: https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
they got compromised because of an auditor who had read-only access to their DB and his machine was infected. So the site itself wasn't hacked.

I just filed the claim process and all went well without errors. If you are getting errors, then consider putting a wrong password then put in as much info as you can for them to give your claim credit over other claims on your account. They're allowing multiple claims per account for that specific reason: In case someone changed your password before they took the site offline.

You can provide last used funds, transactions, documents and many other things.

Seeing how MtGox has been handling this and the amount of hard work they've put into it, I'm staying with them. Going to another exchange doesn't automagically solve the problem & their infrastructure might be even less secure, putting you at risk AGAIN!

I'm not promoting for MtGox. I simply appreciate the hard work put into recovering from this hellish situation.
pjce
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
June 21, 2011, 05:30:06 PM
 #139

Thanks for the info. I made a claim at MtGox, don't know yet how much I lost.
Big Time Coin
Sr. Member
****
Offline Offline

Activity: 332
Merit: 250



View Profile
June 21, 2011, 05:37:58 PM
 #140

Still, it is taking an UNBELIEVABLY long time to fix this problem.

Mr. "MagicalTux" should have hired some more people or brought some talented executive into his organization before this point to be able to restore confidence.  Some kind of announcement like "we are bringing in this experienced, talented financial service expert/executive to help run our exchange because we have realized we can't do it right."

He clearly doesn't have what it takes to run the #1 exchange for a $100 million plus market cap currency.  Something like this security breach should have been resolved in HOURS, NOT DAYS.  This is a major unforgivable failure and all you posters seeing it any other way must have ZERO experience in dealing with stocks, bonds, currency, and other exchanges/financial services companies.  Imagine if a sovereign nation's currency exchange went down for a week.  Or your bank sent you an e-mail saying "someone got $1000 taken from their online banking account, so no one can withdraw or deposit money until next week".  Amateur, unforgivable bullshit.  No excuses, Tux needs to get professional help.  I rest my case.

Big time, I'm on my way I'm making it, big time, oh yes
- Peter Gabriel
Mr2001
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
June 21, 2011, 05:43:45 PM
 #141

Quote from: TheMummy
I am too. The password for this account is invalid, or this account is not currently under claim process.  Huh
Same here. My account was compromised before mtgox shut down (password changed and email erased), were yours too?
MBH
Newbie
*
Offline Offline

Activity: 51
Merit: 0


View Profile WWW
June 21, 2011, 05:49:42 PM
 #142

Quote from: Big Time Coin
Still, it is taking an UNBELIEVABLY long time to fix this problem.

Mr. "MagicalTux" should have hired some more people or brought some talented executive into his organization before this point to be able to restore confidence.  Some kind of announcement like "we are bringing in this experienced, talented financial service expert/executive to help run our exchange because we have realized we can't do it right."

He clearly doesn't have what it takes to run the #1 exchange for a $100 million plus market cap currency.  Something like this security breach should have been resolved in HOURS, NOT DAYS.  This is a major unforgivable failure and all you posters seeing it any other way must have ZERO experience in dealing with stocks, bonds, currency, and other exchanges/financial services companies.  Imagine if a sovereign nation's currency exchange went down for a week.  Or your bank sent you an e-mail saying "someone got $1000 taken from their online banking account, so no one can withdraw or deposit money until next week".  Amateur, unforgivable bullshit.  No excuses, Tux needs to get professional help.  I rest my case.

I was involved in a few Disaster Recovery (DR) situations for customers before and I know the amount of pressure admins and businesses are put under during that time. Believe me, in such cases, the last thing you want is for the business/admins to waste their time looking for PR rather than work non-stop on recovering the systems to a secure state. The fact that MagicalTux isn't around means that he's busy with the admins getting things together.

They keep updating their blog post and that's good enough for such situations. This is similar to how Amazon handles its EC2 cloud services when there are disruptions: update every now & then while focusing on recovering the systems.
Technopope
Newbie
June 21, 2011, 06:25:22 PM
 #143

Still, it is taking an UNBELIEVABLY long time to fix this problem.

...

He clearly doesn't have what it takes to run the #1 exchange for a $100 million plus market cap currency.  Something like this security breach should have been resolved in HOURS, NOT DAYS.

Resolved in hours? You mean like the Sony Playstation Network hack?

The fact that it hasn't been resolved in hours is a positive thing. We really don't want a *quick* fix for this situation, we want a *secure* fix. The MtGox system was hacked, with funds and secure data stolen. Over 61,000 users have had their email and password publicly posted on the internet. While those passwords are encrypted, they are certainly breakable given some time.

Every user will need to have his account validated and a new password assigned before being able to access that account; with 61,000 users, that will take some time.

You also seem to be confusing MtGox with a real financial institution. It is not. MtGox started out as "Magic The Gathering Online eXchange", trading online game items. It has no backing (much like BitCoin itself) and no official guarantees (again, like BitCoin). I'm sure "he" is doing the best he can given the situation, it looks like every effort is being made to get us back to our accounts and back to business.

snorbit
Newbie
June 21, 2011, 08:24:20 PM
 #144

I completed the claim process earlier and I was told "Your account recovery request is pending review by our staff."

I wonder how long that will take?
Blinken
Sr. Member
June 21, 2011, 09:02:54 PM
 #145

What does MagicalTux say about this?

Uh, what does he say? Here are some possibilities:

"thanks for the money"

"hasta la vista"

"in japan the hand can be used like a knife"

"please fill out the 6-page reimbursement form on page 32A of our user agreement and email it to /dev/null"

"anybody know good vacation spots?"

"i have been learning parasailing"

"want to see my new Boxster? it's red!"

"Je ne parle qu'un le francais"

"the Japanese legal system is fascinating"

"i am accepting a new position as chief financial advisor to President Mugabe"


Bitcoin ♦♦♦ Trust in Mathematics, Not Bankers ♦♦♦
BITCOINCANADA
Newbie
June 21, 2011, 09:04:22 PM
 #146

thanks for posting this information
holgero
Newbie
June 21, 2011, 11:34:34 PM
 #147

The password for this account is invalid, or this account is not currently under claim process.

Same here. What's that supposed to mean? Has the claim site been hacked?
hiponion
Newbie
June 22, 2011, 12:21:16 AM
 #148

arghh would be funny...but not really in the mood to laugh right now
Mr2001
Newbie
June 22, 2011, 12:34:15 AM
 #149

The password for this account is invalid, or this account is not currently under claim process.

Same here. What's that supposed to mean? Has the claim site been hacked?
The form now has a check box to say you forgot your password. I was finally able to submit a claim after checking that box. I guess I was getting the message because someone changed my password.
stubeans
Newbie
June 22, 2011, 12:41:41 AM
 #150

And now?
I personally think it's a good idea to collect as much data on what happened as possible. Please report in if you got hit as well, and answer the following questions:
* How much funds did you lose?
* To what address were your stolen funds sent?
* What OS are you using (Windows, Linux, Mac OSX ...)?
* How long was your old password?
* Was your old password random?
* Was your username the same on Mt. Gox as on the forum?
* Did you use your Mt. Gox password somewhere else?
* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.

* Please also include a screenshot if possible so we know it's a real report.
let's think this out. if you are someone with access to the Mt. Gox data, including usernames and password hashes, wouldn't the bolded information be particularly useful for said individuals to bruteforce crack and abuse? there is zero reason why anyone would need to disclose this type of information on a public forum, and even less reason why anybody would ask of this type of data. why do you ask for specific data on the length of passwords, whether they were random, the character types contained, and whether their username is the same on here as on Mt. Gox?

furthermore, the request for OS type, bitcoin software and a screenshot of their account info? are you looking for direct targets to hack?

this, to me at least, screams of someone trying to social engineer more lulz and/or theft from data in their possession.
stubeans
Newbie
June 22, 2011, 12:57:03 AM
 #151

for added info on JoePie91 - https://twitter.com/#!/TeaMp0isoN_

and there are allegations that lulzsec is behind the Mt. Gox hack. consider that info, then consider how unusual the initial post is.
joepie91 (OP)
Sr. Member
June 22, 2011, 03:26:05 AM
 #152

And now?
I personally think it's a good idea to collect as much data on what happened as possible. Please report in if you got hit as well, and answer the following questions:
* How much funds did you lose?
* To what address were your stolen funds sent?
* What OS are you using (Windows, Linux, Mac OSX ...)?
* How long was your old password?
* Was your old password random?
* Was your username the same on Mt. Gox as on the forum?
* Did you use your Mt. Gox password somewhere else?
* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.

* Please also include a screenshot if possible so we know it's a real report.
let's think this out. if you are someone with access to the Mt. Gox data, including usernames and password hashes, wouldn't the bolded information be particularly useful for said individuals to bruteforce crack and abuse? there is zero reason why anyone would need to disclose this type of information on a public forum, and even less reason why anybody would ask of this type of data. why do you ask for specific data on the length of passwords, whether they were random, the character types contained, and whether their username is the same on here as on Mt. Gox?

furthermore, the request for OS type, bitcoin software and a screenshot of their account info? are you looking for direct targets to hack?

this, to me at least, screams of someone trying to social engineer more lulz and/or theft from data in their possession.

for added info on JoePie91 - https://twitter.com/#!/TeaMp0isoN_

and there are allegations that lulzsec is behind the Mt. Gox hack. consider that info, then consider how unusual the initial post is.

Wow, you registered just to try and discredit me?

Let's start with the password information. First off, the very first thing that is recommended in the post is to change passwords, not reuse passwords and use a password with a different length. The reason I ask for this information is to find out what possible attack vectors were for compromised accounts. Second off, adding the questions about whether someone reused username or password elsewhere was on request of someone else (on IRC I believe).

Then the OS information. Yet again, this was to determine what attack vectors could have been used. If people using non-Windows systems, for example, got compromised as well, that would make a keylogger and/or other malware very unlikely.

Then on to the software. It's a bit sad I even have to explain this - obviously the question is whether the compromise may be due to Bitcoin-related software that someone has been running, that may have had malware attached to it.

Then the screenshot. The very line about the screenshot says it all. If you would have been involved in the community here even a bit (instead of registering a new account after Googling joepie91 or however you may have ended up here), you would have known that there were already several reports when this thread was made, and that their validity was disputed (was it a ploy by Tradehill? Or another exchange? Or was it people trying to discredit Bitcoin? etc etc). So obviously the next question is a screenshot to prove that it happened. Seeing as a screenshot does not have to contain anything besides the record of it being transferred away, this is not a problem privacy- or security-wise. It cannot even be used to track it back to other addresses from the same person, as coins going through Mt. Gox get mangled up.

Then the "looking for direct targets to hack" claim. I am a programmer / webdev, and not a cracker (which is the correct term for what you are talking about). My greatest "cracking" achievement to date is finding a vulnerability in Mt. Gox that makes use of a combination of two known techniques to compromise accounts with passwords with less than 6 characters (a vulnerability that I have, after days, STILL not received a response about from MagicalTux). I have absolutely no fucking clue whatsoever how to SQLi a site in such a way that I can actually do something - my knowledge ends at ' OR 1=1.

Then the most retarded claim of all - Lulzsec. First of all the allegations that I am a part of Lulzsec are complete bullshit, and so far all of these allegations originate from the same source - a "leaked" IRC log that was claimed to be from a Lulzsec channel. The only problem is that it wasn't a Lulzsec channel. Since then media, blogs and Twitter users have been parroting these allegations without any kind of actual proof - except for an IRC log that was not from the place it was claimed to be from.

Second off, there can be a million allegations of Lulzsec "being behind the Mt. Gox hack" - however, not only is that highly improbable (why would they fuck around with something they like and actively use?), but there is also absolutely zero proof whatsoever that that is the case. Innocent until proven guilty and all that.


Now consider the postcount of said user stubeans, consider his signup date, consider his countless allegations without any facts to support it (except for other alleged 'facts' that were themselves never proven), consider his hostile attitude, consider how he blindly copies the two capital letters in my nickname from a Twitter feed despite me not using any capital letters anywhere (indicating he has no idea who I actually am, and has never seen me anywhere before).

And now consider how unusual and full of bullshit said user is.


Seriously, go back to your troll cave.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
stubeans
Newbie
June 22, 2011, 03:48:38 AM
 #153

Then the most retarded claim of all - Lulzsec. First of all the allegations that I am a part of Lulzsec are complete bullshit, and so far all of these allegations originate from the same source - a "leaked" IRC log that was claimed to be from a Lulzsec channel. The only problem is that it wasn't a Lulzsec channel. Since then media, blogs and Twitter users have been parroting these allegations without any kind of actual proof - except for an IRC log that was not from the place it was claimed to be from.
http://www.pastebin.com/QZXBCBYt

let's check the list -

topiary - check
sabu - check
Joepie - check

Quote
Jun 03 21:04:01 <tflow> http://pastebin.com/kixK4rfu
Jun 03 21:04:13 <tflow> blackhat seo, trying to capitilize on lulzsec lol
Jun 03 21:04:21 <tflow> but how the fk did it get 18k views
Jun 03 21:06:47 <joepie91_laptop>       tflow
Jun 03 21:06:50 <joepie91_laptop>       proxy view increaser
Jun 03 21:06:53 <joepie91_laptop>       or similar tools
Jun 03 21:07:02 <joepie91_laptop>       http://www.sven-slootweg.nl/downloads
Jun 03 21:07:05 <joepie91_laptop>       I have a really crappy one
Jun 03 21:07:09 <joepie91_laptop>       that I made for someone a long time ago

hope you are having a good morning! the log is quite entertaining.
joepie91 (OP)
Sr. Member
June 22, 2011, 04:13:38 AM
 #154

Then the most retarded claim of all - Lulzsec. First of all the allegations that I am a part of Lulzsec are complete bullshit, and so far all of these allegations originate from the same source - a "leaked" IRC log that was claimed to be from a Lulzsec channel. The only problem is that it wasn't a Lulzsec channel. Since then media, blogs and Twitter users have been parroting these allegations without any kind of actual proof - except for an IRC log that was not from the place it was claimed to be from.
http://www.pastebin.com/QZXBCBYt

let's check the list -

topiary - check
sabu - check
Joepie - check

Quote
Jun 03 21:04:01 <tflow> http://pastebin.com/kixK4rfu
Jun 03 21:04:13 <tflow> blackhat seo, trying to capitilize on lulzsec lol
Jun 03 21:04:21 <tflow> but how the fk did it get 18k views
Jun 03 21:06:47 <joepie91_laptop>       tflow
Jun 03 21:06:50 <joepie91_laptop>       proxy view increaser
Jun 03 21:06:53 <joepie91_laptop>       or similar tools
Jun 03 21:07:02 <joepie91_laptop>       http://www.sven-slootweg.nl/downloads
Jun 03 21:07:05 <joepie91_laptop>       I have a really crappy one
Jun 03 21:07:09 <joepie91_laptop>       that I made for someone a long time ago

hope you are having a good morning! the log is quite entertaining.
Quote
and so far all of these allegations originate from the same source - a "leaked" IRC log that was claimed to be from a Lulzsec channel. The only problem is that it wasn't a Lulzsec channel.

stubeans
Newbie
June 22, 2011, 04:30:08 AM
 #155

and so far all of these allegations originate from the same source - a "leaked" IRC log that was claimed to be from a Lulzsec channel. The only problem is that it wasn't a Lulzsec channel.
which refutes what, exactly? the entire chat log repeats the need for secrecy, as well as trusting no one outside the group of (privileged) individuals chatting in that room. connecting the dots is easy, and if a simpleton like me can follow the trail i'm sure others can too.

clearly, you're a smart man. you glanced at my post count and correctly guessed that i registered in order to warn fellow bitcoin users to be mindful of those trying to 'help,' all the while requesting or SEing information that could compromise their online accounts. the info you requested in your OP is so blatantly fishing for information that i thought it'd be wise to highlight that. seriously - asking if a compromised account contained passwords constituted of random characters and/or numbers, its length and Mt. Gox username? how bold!

capt. stu is out and should get some rest. shouldn't you, Joepie? the sun should be rising in a little bit for you too!
joepie91 (OP)
Sr. Member
June 22, 2011, 04:44:48 AM
 #156

and so far all of these allegations originate from the same source - a "leaked" IRC log that was claimed to be from a Lulzsec channel. The only problem is that it wasn't a Lulzsec channel.
which refutes what, exactly? the entire chat log repeats the need for secrecy, as well as trusting no one outside the group of (privileged) individuals chatting in that room. connecting the dots is easy, and if a simpleton like me can follow the trail i'm sure others can too.
Because every (semi-)private channel on the internet is Lulzsec.

Quote
clearly, you're a smart man. you glanced at my post count and correctly guessed that i registered in order to warn fellow bitcoin users to be mindful of those trying to 'help,' all the while requesting or SEing information that could compromise their online accounts.
Because I totally did not encourage users to change their passwords to something stronger and completely unlike their current password.

Quote
the info you requested in your OP is so blatantly fishing for information that i thought it'd be wise to highlight that. seriously - asking if a compromised account contained passwords constituted of random characters and/or numbers, its length and Mt. Gox username? how bold!
Because I am totally a completely evil person whose only mission in life is to gather statistics on passwords that are not used anymore, to throw them into my magical hat and magically get all new passwords and usernames of everyone in the universe!

Quote
capt. stu is out and should get some rest. shouldn't you, Joepie? the sun should be rising in a little bit for you too!
Because trying to spread fear has worked the past few times something like this happened.

But noooo, you are here as a good saint to warn others about how evil I am, rather than trying to discredit me like several others are actively trying everywhere else.

Go do something constructive instead of accusing people of things they have no involvement with.

stubeans
Newbie
June 22, 2011, 05:10:27 AM
 #157

Because every (semi-)private channel on the internet is Lulzsec.
and how did you get in that channel to begin with? why do you appear so close to lulzsec members such that you're allowed to freely enter and chat as old friends? with your litany of VPN logins? why so many VPN logins, anyhow? guilty by association? probably? moo? i like question marks?

Quote
Because I totally did not encourage users to change their passwords to something stronger and completely unlike their current password.
You pretend to be a friend, then exploit the info you gather. Isn't that what SE and intel gathering in general is all about?

Quote
Because I am totally a completely evil person whose only mission in life is to gather statistics on passwords that are not used anymore, to throw them into my magical hat and magically get all new passwords and usernames of everyone in the universe!
You may or may not be evil, but you do seem to associate with those online that have less than stellar characters. why?

Quote
Because trying to spread fear has worked the past few times something like this happened.
fear? i'm giving people food for thought. it's obvious that some here need that type of nourishment, no?

Quote
Go do something constructive instead of accusing people of things they have no involvement with.
considering that i'd otherwise be sleeping on a mattress of the highest quality, i think my time this morning has been quite productive!
osborn_20
Member
June 22, 2011, 05:19:41 AM
 #158

Last 2 days I receive tons of email like this

Quote
Dear Mt.Gox user,

Our database has been compromised, including your email...

The joke is, I've never registered with Mt. Gox. Is Mt. Gox in collaboration with this forum? Or any official Bitcoin site?
If playing World of Warcraft taught me anything, it's that you can't trust any link coming from an e-mail anymore.

Every email address can be faked, the only way to be sure is to read the headers.

I'm starting to hate being paranoid about everything online.

Only way to find some rest is with linux.

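The header check osborn_20 describes, written out as an added example (not code from the thread, from Mt. Gox, or from any poster): it parses a constructed "Dear Mt.Gox user" message and flags the mismatches a forged notification typically shows, namely a Return-Path or Reply-To outside the visible From domain, a relay hop without reverse DNS, and body links whose host merely starts with the sender's name. Every address, host and IP in the sample is a constructed placeholder (.invalid TLDs, documentation IP ranges); mtgox.com appears only as the claimed sender.

```python
"""Header sanity checks for a suspicious 'Dear Mt.Gox user' e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: hosts, addresses and IPs are placeholders
# (.invalid TLDs, RFC 5737 documentation ranges), not a real received mail.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-example.invalid>
Received: from mx.example.invalid (mx.example.invalid [203.0.113.7])
    by inbound.example.net with ESMTP id abc123
    for <victim@example.net>; Wed, 22 Jun 2011 04:10:00 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
    by mx.example.invalid with SMTP; Wed, 22 Jun 2011 04:09:58 +0000
From: "Mt.Gox Support" <support@mtgox.com>
Reply-To: recovery@mtgox-claims.invalid
To: victim@example.net
Subject: Our database has been compromised
Content-Type: text/plain; charset=utf-8

Dear Mt.Gox user,

Our database has been compromised, including your email...
Please verify your account at http://mtgox.com.account-check.invalid/login
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value, or '' if there is none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def _under_domain(host: str, domain: str) -> bool:
    """True only if host is the sender domain itself or a real subdomain of it.

    'mtgox.com.account-check.invalid' is neither: the sender's name is just the
    leftmost label of a host the sender does not control.
    """
    return host == domain or host.endswith("." + domain)


def header_findings(raw_message: str) -> list[str]:
    """Return human-readable reasons to distrust the message (empty list = nothing odd)."""
    msg = message_from_string(raw_message)
    findings: list[str] = []
    from_dom = _domain(msg.get("From", ""))

    # 1. Envelope sender and reply address should live in the visible From domain.
    for hdr in ("Return-Path", "Reply-To"):
        dom = _domain(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")

    # 2. Relay chain: hops should exist, and each connecting IP should reverse-resolve;
    #    '(unknown' is what a receiving MTA records when it could not.
    received = msg.get_all("Received") or []
    if not received:
        findings.append("no Received headers: message did not pass through a normal relay chain")
    for hop in received:
        if "(unknown" in hop:
            findings.append("relay hop without reverse DNS: " + " ".join(hop.split()[:3]))

    # 3. Every link in the body should point at the sender's own domain.
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace") if payload else ""
    for host in re.findall(r"https?://([^/\s]+)", body):
        if not _under_domain(host.lower(), from_dom):
            findings.append(f"link host {host!r} is not under sender domain {from_dom!r}")
    return findings


if __name__ == "__main__":
    for line in header_findings(SAMPLE_PHISH):
        print("-", line)
```

Run against the sample it reports four findings; a message whose envelope, reply address and links all stay inside the From domain yields an empty list.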
MrAnderson
Member
June 22, 2011, 07:54:49 AM
 #159

Now that mtgox closed their exchange, how can I tell if I got hacked?

I have read people mention that they checked the "dump" and found their info in it with their email changed (or not changed). Where is this dump?

EDIT: Google Mail just asked me to verify myself due to suspicious activity.  I did use the same 9 char. password as my email on mtgox.

I'm scared.

Yes, you are on the list, along with your gmail address, number 3419 out of 61,016 users listed at MtGox.

Understand that the passwords are not directly readable, and must be run through some fairly intense computational power to crack. Very similar to the way BitCoins are mined, actually. Takes a *long* time...

However, I had a 20 character password, using both letters and numbers, and exclusive to MtGox. Looks like my email address was changed in my account and I can't log into my account. I have to assume it's lost.

Just change all your passwords that are similar and associated with that address.

Is this the 61k email logins leaked by Lulzsec?

>>> 1BcfL1QAZsxtpd92YYsbvDyih45mwA9xSo << Willing to endure the cringe-worthy Australian stereotypes for donations.

I'll wrestle a crocodile, show you my knife, throw shrimp on the BBQ, F**k your wife. Tongue
stubeans
Newbie
June 22, 2011, 10:52:54 AM
 #160

I consider myself a purveyor of only the finest newspapers throughout the land. So lo and behold when I launch the Guardian today and see this article on my iPad - http://www.guardian.co.uk/technology/2011/jun/21/lulzsec-hacker-group-who-belongs

Quote
The group is small – less than 10 or so. (This is confirmed separately by security researcher Rik Ferguson of Trend Micro, who comments that "it seems to be a tight-knit group – it only needs to be a few people, since all they need is a Twitter account and a web page. There's no evidence that they're a particularly sophisticated group.)

The members, according to Imperva:

• "Sabu" – HBgary hacker. Seems to be the leader.

• "Nakomis" – Coder, rumoured to be one of coders of the PHPBB bulletin board.

• "Topiary" – handles finance, such as donations and payment for services (eg botnets)

• "Tflow" – Hacker. (Rumoured.)

• "Kayla" – Hacker. Owns a big botnet.

• "Joepie91" – Website admin.

• "Avunit" - No more detail.

From hacker discussion forums, it seems they might get arrested as soon as many "real world" details on their identities get revealed, suggests Tal Be'ery.
I'm outraged they capitalized Joepie's handle, when clearly it isn't. This will be resolved, I swear!
jeanjean
Newbie
June 22, 2011, 11:38:43 AM
 #161

Ahah so it seems that after having my www.mybitcoin.com harvested from 0.5 BTC, I fell for social engineering from joepie91... O_o

Thanks stubeans. Great investigation !
Octavian
Newbie
June 22, 2011, 12:54:03 PM
 #162

Thank you for sharing this information.

As I myself previously thought that it's a spin-off of the Anonymous collective, this idea is affirmed; alas, still no proof.
joepie91 (OP)
Sr. Member
June 22, 2011, 01:47:07 PM
 #163

Because every (semi-)private channel on the internet is Lulzsec.
and how did you get in that channel to begin with? why do you appear so close to lulzsec members such that you're allowed to freely enter and chat as old friends?
Because I was invited to that channel by a few friends, as is usually the case when someone gets into a "private" channel.
Quote
with your litany of VPN logins? why so many VPN logins, anyhow? guilty by association? probably? moo? i like question marks?
VPN logins? I have only used two VPNs, to avoid my connection getting (D)DoSed to shit every time I connect to an IRC network that doesn't offer masking.
Quote
Quote
Because I totally did not encourage users to change their passwords to something stronger and completely unlike their current password.
You pretend to be a friend, then exploit the info you gather. Isn't that what SE and intel gathering in general is all about?
How can I possibly exploit that information?
Quote
Quote
Because I am totally a completely evil person whose only mission in life is to gather statistics on passwords that are not used anymore, to throw them into my magical hat and magically get all new passwords and usernames of everyone in the universe!
You may or may not be evil, but you do seem to associate with those online that have less than stellar characters. why?
Because that's life? People I know (from Anonymous) just happened to be involved with Lulzsec, that is not something I have control over.
Quote
Quote
Because trying to spread fear has worked the past few times something like this happened.
fear? i'm giving people food for thought. it's obvious that some here need that type of nourishment, no?
You are doing the exact same thing that people like @fakegregghoush have been doing for the past few months - making remarks implying you know more about me than other people do, trying to scare me off. It's getting old.

I consider myself a purveyor of only the finest newspapers throughout the land. So lo and behold when I launch the Guardian today and see this article on my iPad - http://www.guardian.co.uk/technology/2011/jun/21/lulzsec-hacker-group-who-belongs

Quote
The group is small – less than 10 or so. (This is confirmed separately by security researcher Rik Ferguson of Trend Micro, who comments that "it seems to be a tight-knit group – it only needs to be a few people, since all they need is a Twitter account and a web page. There's no evidence that they're a particularly sophisticated group.)

The members, according to Imperva:

• "Sabu" – HBgary hacker. Seems to be the leader.

• "Nakomis" – Coder, rumoured to be one of coders of the PHPBB bulletin board.

• "Topiary" – handles finance, such as donations and payment for services (eg botnets)

• "Tflow" – Hacker. (Rumoured.)

• "Kayla" – Hacker. Owns a big botnet.

• "Joepie91" – Website admin.

• "Avunit" - No more detail.

From hacker discussion forums, it seems they might get arrested as soon as many "real world" details on their identities get revealed, suggests Tal Be'ery.
I'm outraged they capitalized Joepie's handle, when clearly it isn't. This will be resolved, I swear!

And surprise surprise! The Guardian article is based on the Imperva article, which in turn is based on the same leaked IRC logs that were claimed to be from Lulzsec but were not.

I suggest you actually respond to some of the things I said before, instead of throwing allegation after allegation.

stubeans
Newbie
June 22, 2011, 02:14:21 PM
 #164

http://blog.imperva.com/2011/06/lulzsec-profile-who-are-they.html

doesn't seem like Imperva is using that log at all? is it SOP to obfuscate the allegations by claiming they all come from a single discredited source?

Quote
Joepie is a current member of Anonymous, and operates a number of websites used by the group.  He feels he is operating legally in his participation in the group, as long as he is only offering material support.  Logs show him to be a full participant with access to private irc rooms, but he appears to feel he is committing no crimes as long as he personally abstains from accessing websites, a position he also took during the HBGary intrusion.
Joepie is a bitcoin supporter/enthusiast, and seems to have encouraged its use by the group.

the profile written about you seems to fit you to a T. you don't deny the veracity of the logs, nor being an active member of the(se) chat room(s), nor having them as your friends. but the tone of the conversation indicates you're there for a slightly higher purpose than mere socialization. i haven't a clue as to whether you're the webmaster/designer, but if that's the depth of your work for Lulzsec then congratulations, i suppose? Bin Laden's driver was given 66 months in Guantanamo, a miscarriage of justice that I hope doesn't befall you.

for everyone reading this - accept my apology on how i've misled you. it's obvious you should trust an individual with links to hacker groups asking publicly for the composition of your old passwords and whether they were reused on other sites with the same user name.
joepie91 (OP)
Sr. Member
June 22, 2011, 02:49:26 PM
 #165

http://blog.imperva.com/2011/06/lulzsec-profile-who-are-they.html

doesn't seem like Imperva is using that log at all? is it SOP to obfuscate the allegations by claiming they all come from a single discredited source?

Quote
Joepie is a current member of Anonymous, and operates a number of websites used by the group.  He feels he is operating legally in his participation in the group, as long as he is only offering material support.  Logs show him to be a full participant with access to private irc rooms, but he appears to feel he is committing no crimes as long as he personally abstains from accessing websites, a position he also took during the HBGary intrusion.
Joepie is a bitcoin supporter/enthusiast, and seems to have encouraged its use by the group.

the profile written about you seems to fit you to a T. you don't deny the veracity of the logs, nor being an active member of the(se) chat room(s), nor having them as your friends. but the tone of the conversation indicates you're there for a slightly higher purpose than mere socialization. i haven't a clue as to whether you're the webmaster/designer, but if that's the depth of your work for Lulzsec then congratulations, i suppose? Bin Laden's driver was given 66 months in Guantanamo, a miscarriage of justice that I hope doesn't befall you.

for everyone reading this - accept my apology on how i've mislead you. it's obvious you should trust an individual with links to hacker groups asking publicly for the composition of your old passwords and whether they were reused on other sites with the same user name.
http://blog.imperva.com/2011/06/lulzsec-profile-who-are-they.html
Based on http://lulzsecexposed.blogspot.com (which has some juicy false assumptions mixed in)
Which was in turn based on the already mentioned http://pastebin.com/QZXBCBYt

HappyFunnyFoo
Full Member
June 22, 2011, 03:36:06 PM
 #166

Anyone that continues to do business on the MtGox exchange after this debacle is both totally nuts and totally stupid.  For that matter, anyone doing business on ANY of the bitcoin exchanges is nuts and stupid.  Get what little assets you had in the account out and run asap...
Nagle (Legendary, Activity: 1204, Merit: 1000)
June 22, 2011, 04:31:08 PM #167

Quote from: HappyFunnyFoo
Anyone that continues to do business on the MtGox exchange after this debacle is both totally nuts and totally stupid.  For that matter, anyone doing business on ANY of the bitcoin exchanges is nuts and stupid.  Get what little assets you had in the account out and run asap...
I'd agree that keeping funds on any of the Bitcoin exchanges is foolish. The problem with Mt. Gox, and some of the other exchanges, is that they're not just an exchange.  They're banks, too. They hold customer funds as deposits.

None of the major Bitcoin "exchanges" is solid enough as an institution to act as a bank. They're not even at the level of some small-town independent bank in terms of organization, security, regulation, or financial strength. Mt. Gox, before the crash, was handling more money than some small town banks. But they had only two people, and no clue about security of a financial institution. Real banks and exchanges have insurance bonds on their employees, errors and omissions insurance, and real auditors. Not these guys.

If you use an exchange, sweep all your funds out of it at least once a day.
BitterTea (Sr. Member, Activity: 294, Merit: 250)
June 22, 2011, 04:45:46 PM #168

Quote from: Nagle
The problem with Mt. Gox, and some of the other exchanges, is that they're not just an exchange.  They're banks, too. They hold customer funds as deposits.

What is commonly considered a bank today is more strictly defined as a commercial bank: "A commercial bank accepts deposits and pools those funds to provide credit, either directly by lending, or indirectly by investing through the capital markets."

So, MtGox and the other exchanges are not banks in the same sense as Bank of America or even your local credit unions.
Nagle (Legendary, Activity: 1204, Merit: 1000)
June 22, 2011, 05:12:21 PM #169

Quote from: BitterTea
So, MtGox and the other exchanges are not banks in the same sense as Bank of America or even your local credit unions.
In a strict sense, they're "non-bank depository institutions". But I felt that was too advanced a term for this forum.

For background on that subject, see this paper from the Kansas City Fed: "Recent developments at banks and nonbank depository institutions". That was written in 1983, near the beginning of US financial deregulation, as the types of financial institutions started to proliferate. It used to be that the same institutions accepted deposits and made retail loans. The job can be split, though, with one institution accepting deposits and another making loans. Non-bank depository institutions have to put their money somewhere, and if they put it in a bank, they are lending it to the bank. 

Bank regulation exists to protect depositors' funds.  Generally, banking regulation is applied to depository institutions, regardless of whether they make loans. On the other hand, businesses which lend their own money but do not hold deposits (like payday-loan companies) are not regulated as banks.

So an "exchange" like Mt. Gox would be subject to banking regulation in some jurisdictions. PayPal is regulated as a bank in the European Union, and as a money transfer service in the US and Japan. As of April 1, 2010, money transfer services in Japan must be licensed. Does Mt. Gox have a license?

mahun (Newbie, Activity: 17, Merit: 0)
June 22, 2011, 09:52:27 PM #170

Is it registered in Japan at all? =)) It could be a purely virtual company which will disappear at some point.
TigolBitteez (Newbie, Activity: 15, Merit: 0)
June 23, 2011, 04:41:22 AM #171

How can anyone even know at the moment. This is some Newb Garbage.
Big Time Coin (Sr. Member, Activity: 332, Merit: 250)
June 24, 2011, 05:10:41 AM #172

Quote from: HappyFunnyFoo
Anyone that continues to do business on the MtGox exchange after this debacle is both totally nuts and totally stupid.  For that matter, anyone doing business on ANY of the bitcoin exchanges is nuts and stupid.  Get what little assets you had in the account out and run asap...
Quote from: Nagle
I'd agree that keeping funds on any of the Bitcoin exchanges is foolish. The problem with Mt. Gox, and some of the other exchanges, is that they're not just an exchange.  They're banks, too. They hold customer funds as deposits.

None of the major Bitcoin "exchanges" is solid enough as an institution to act as a bank. They're not even at the level of some small-town independent bank in terms of organization, security, regulation, or financial strength. Mt. Gox, before the crash, was handling more money than some small town banks. But they had only two people, and no clue about security of a financial institution. Real banks and exchanges have insurance bonds on their employees, errors and omissions insurance, and real auditors. Not these guys.

If you use an exchange, sweep all your funds out of it at least once a day.

qft

Big time, I'm on my way I'm making it, big time, oh yes
- Peter Gabriel
Joise (Newbie, Activity: 30, Merit: 0)
June 24, 2011, 01:42:49 PM #173

Mt Gox and other Bitcoin markets ought to enable and encourage the use of some form of multi-factor authentication.  I use a Yubikey in conjunction with my Lastpass account (Lastpass generates very strong, unique passwords for every site so I'm not concerned about my Mt Gox password providing access to anything else), and it's a fantastic and open source authentication system.  Since Bitcoin is growing exponentially in usage and legitimacy, trading services should be growing with it and hardening their systems both on the code side, and on the user interaction side.  Many banks offer or require multi-factor authentication, why shouldn't Bitcoin services?

I still think that a scheme based on GnuPG, smart card and mTAN would be pretty secure and accessible.

It would work this way: When creating an account one would generate a GnuPG key pair. One would enter the public key together with user name and password at the trading site.

This key can now be used to verify re-authentication in case of a lost password, and this would be MUCH safer than re-authentication by e-mail. It can also be used to certify certain critical transactions. This can be done the way that the trading site generates an authentication token, mails it to the user, and he has to sign it with his private key and return it. Alternatively, the offered token can be displayed in a web form and the user replaces it by the signed token.

One important point is that this authentication can be used to set up a cell phone number for an mTAN scheme (mobile transaction authentication number). With this, when a transaction is done, the system sends a message to the phone which contains the important items of the transaction and an alphanumeric code. The transaction is accepted only when the code is entered in the web page. This is not a perfect system, but works very effectively against key loggers, and it is widely used in many countries.

Among the good things about GnuPG is that it is available on most operating systems (even the ones you shouldn't use) and that it can be used with a smart card. In this case, the private key is moved to the smart card and can't be read from there again. Processing of signatures is done on the smart card itself when one enters a PIN. Thus, it is not possible to steal the private key any more. This type of smart card is available from many places, see here:

http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/
http://www.gnupg.org/howtos/card-howto/en/ch02s02.html

The device from the privacy foundation is an open source project, which means enhanced transparency and security against governmental backdoors.

With the scheme described, you need your account password and your phone to make a transaction. You need your smart card and your mail account password, OR your account password and your smart card PIN, to change the account password or the phone number.

There are certainly other solutions (Yubikey and SSL client certificates with hardware tokens have been named, and I don't know them well enough to discuss them) but I believe this one is a cost-effective and safe variant. I think that at least two-factor authentication is a must, otherwise stealing of coins becomes so easy that a real and widespread theft business will emerge within months.

And for the same reason, I think, it should not be charged for at all. This is just fulfilling basic requirements.

And of course, mTAN can be hacked, if someone gets a SIM card for my number. But that's considerably more difficult than keylogging.
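The two flows described in the post above, simulated as an added example (this is not code from the post, from Mt. Gox or from GnuPG). The server issues a random single-use token, the user signs it with the key registered at sign-up, and the server verifies the signature against the stored public key; for a withdrawal the server derives a short code from the exact transaction and sends it together with the amount and destination to the phone, so a code captured by a keylogger authorises neither a different withdrawal nor a second use. The RSA-style signature over two fixed Mersenne primes is a toy stand-in for a GnuPG signature; the account name, phone number, destination addresses and the `Exchange` class are constructed for the example.

```python
"""Signed-token re-authentication plus transaction-bound mTAN codes.
Added example, not code from the post, Mt. Gox or GnuPG.  The signature
is a toy stand-in for GnuPG (textbook RSA over two known Mersenne primes,
no padding) so that the example runs on the standard library alone."""
import base64
import hashlib
import hmac
import secrets

# ---- toy signature, stand-in for a GnuPG key held on a smart card ---------
P = (1 << 127) - 1    # both are Mersenne primes, fixed so that no prime
Q = (1 << 521) - 1    # generation is needed; illustration only, not a real key
E = 65537


def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")  # < P*Q


def toy_keypair():
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)                          # (public, private)


def toy_sign(private, message: bytes) -> int:
    n, d = private
    return pow(_digest(message), d, n)


def toy_verify(public, message: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(message)


class Exchange:
    """Server side of both flows; mail and SMS delivery are simulated."""

    def __init__(self):
        self.users = {}          # name -> {"password", "pubkey", "phone"}
        self.reset_tokens = {}   # name -> outstanding single-use token
        self.pending = {}        # tan_id -> (name, amount, dest, nonce)
        self.sms_outbox = []     # (phone, text) the handset would receive
        self.tan_key = secrets.token_bytes(32)

    def register(self, name, password, pubkey, phone):
        self.users[name] = {"password": password, "pubkey": pubkey, "phone": phone}

    # -- lost password: prove possession of the registered private key ------
    def start_password_reset(self, name):
        token = secrets.token_hex(16)              # random, single use
        self.reset_tokens[name] = token
        return token                               # would be mailed to the user

    def finish_password_reset(self, name, token, signature, new_password):
        expected = self.reset_tokens.pop(name, None)   # consumed on first use
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        if not toy_verify(self.users[name]["pubkey"], token.encode(), signature):
            return False
        self.users[name]["password"] = new_password
        return True

    # -- mTAN: the code is derived from the exact transaction requested -----
    def _code(self, name, amount, dest, nonce):
        msg = f"{name}|{amount}|{dest}|{nonce}".encode()
        mac = hmac.new(self.tan_key, msg, hashlib.sha256).digest()
        return base64.b32encode(mac)[:6].decode()

    def request_withdrawal(self, name, amount, dest):
        nonce, tan_id = secrets.token_hex(8), secrets.token_hex(8)
        self.pending[tan_id] = (name, amount, dest, nonce)
        code = self._code(name, amount, dest, nonce)
        # The SMS names the amount and destination the code will authorise.
        self.sms_outbox.append((self.users[name]["phone"],
                                f"Withdraw {amount} BTC to {dest}. Code: {code}"))
        return tan_id

    def confirm_withdrawal(self, tan_id, entered_code):
        entry = self.pending.pop(tan_id, None)         # single use
        if entry is None:
            return None
        name, amount, dest, nonce = entry
        if not hmac.compare_digest(self._code(name, amount, dest, nonce), entered_code):
            return None
        return (name, amount, dest)                    # executed transaction


def demo():
    """Run both flows; returns (reset_ok, token_replay_ok, code_replay, done)."""
    pub, priv = toy_keypair()
    ex = Exchange()
    ex.register("alice", "old-pw", pub, "+00-000-0000")   # constructed account
    token = ex.start_password_reset("alice")
    sig = toy_sign(priv, token.encode())
    reset_ok = ex.finish_password_reset("alice", token, sig, "new-pw")
    token_replay_ok = ex.finish_password_reset("alice", token, sig, "evil-pw")
    dest = "1ExampleDestinationPLACEHOLDER"                # constructed address
    tan = ex.request_withdrawal("alice", "30.53", dest)
    code = ex.sms_outbox[-1][1].rsplit(" ", 1)[1]          # what the phone shows
    # A code captured by a keylogger does not authorise a different withdrawal:
    other = ex.request_withdrawal("alice", "30.53", "1OtherAddressPLACEHOLDER")
    code_replay = ex.confirm_withdrawal(other, code)
    done = ex.confirm_withdrawal(tan, code)
    return reset_ok, token_replay_ok, code_replay, done
```

Running `demo()` returns `(True, False, None, ("alice", "30.53", "1ExampleDestinationPLACEHOLDER"))`: the signed token resets the password once, the same token cannot be replayed, and the mTAN code confirms only the withdrawal whose details were shown on the phone. With a real deployment the `toy_*` functions would be replaced by GnuPG signature verification, and the phone message should always be read before the code is typed in, since that is where the binding to amount and destination becomes visible to the user.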
joepie91 (OP) (Sr. Member, Activity: 294, Merit: 250)
June 25, 2011, 01:57:25 AM #174

Quote from: Joise
Mt Gox and other Bitcoin markets ought to enable and encourage the use of some form of multi-factor authentication.  I use a Yubikey in conjunction with my Lastpass account (Lastpass generates very strong, unique passwords for every site so I'm not concerned about my Mt Gox password providing access to anything else), and it's a fantastic and open source authentication system.  Since Bitcoin is growing exponentially in usage and legitimacy, trading services should be growing with it and hardening their systems both on the code side, and on the user interaction side.  Many banks offer or require multi-factor authentication, why shouldn't Bitcoin services?

I still think that a scheme based on GnuPG, smart card and mTAN would be pretty secure and accessible.

It would work this way: When creating an account one would generate a GnuPG key pair. One would enter the public key together with user name and password at the trading site.

This key can now be used to verify re-authentication in case of a lost password, and this would be MUCH safer than re-authentication by e-mail. It can also be used to certify certain critical transactions. This can be done the way that the trading site generates an authentication token, mails it to the user, and he has to sign it with his private key and return it. Alternatively, the offered token can be displayed in a web form and the user replaces it by the signed token.

One important point is that this authentication can be used to set up a cell phone number for an mTAN scheme (mobile transaction authentication number). With this, when a transaction is done, the system sends a message to the phone which contains the important items of the transaction and an alphanumeric code. The transaction is accepted only when the code is entered in the web page. This is not a perfect system, but works very effectively against key loggers, and it is widely used in many countries.

Among the good things about GnuPG is that it is available on most operating systems (even the ones you shouldn't use) and that it can be used with a smart card. In this case, the private key is moved to the smart card and can't be read from there again. Processing of signatures is done on the smart card itself when one enters a PIN. Thus, it is not possible to steal the private key any more. This type of smart card is available from many places, see here:

http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/
http://www.gnupg.org/howtos/card-howto/en/ch02s02.html

The device from the privacy foundation is an open source project, which means enhanced transparency and security against governmental backdoors.

With the scheme described, you need your account password and your phone to make a transaction. You need your smart card and your mail account password, OR your account password and your smart card PIN, to change the account password or the phone number.

There are certainly other solutions (Yubikey and SSL client certificates with hardware tokens have been named, and I don't know them well enough to discuss them) but I believe this one is a cost-effective and safe variant. I think that at least two-factor authentication is a must, otherwise stealing of coins becomes so easy that a real and widespread theft business will emerge within months weeks.

And for the same reason, I think, it should not be charged for at all. This is just fulfilling basic requirements.

And of course, mTAN can be hacked, if someone gets a SIM card for my number. But that's considerably more difficult than keylogging.

Fixed it for you.

Anyway, that is a VERY good suggestion; the only important thing to take care of is making sure that it is all very user-friendly. Users should never have to ask themselves "what do I do now?", or there will be issues with the system (and that may scare people away, towards less secure systems).

kabo (Newbie, Activity: 7, Merit: 0)
June 26, 2011, 12:52:56 PM #175

* How much funds did you lose?
30.53 BTC
* To what address were your stolen funds sent?
1HQBh6QHduRHgLr9kCx5jd9qpJw7e7LUAD
* What OS are you using (Windows, Linux, Mac OSX ...)?
Mac OS X 10.6.7, Safari
* How long was your old password?
10 chars
* Was your old password random?
nope
* Was your username the same on Mt. Gox as on the forum?
yup
* Did you use your Mt. Gox password somewhere else?
yup, but not anymore
* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
nope, just smallcaps
* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
nope

I'm guessing I'm pretty much screwed here.

But I checked the mtgox logs here https://claim.mtgox.com/status.html

Code:
money withdrawn:
Thu 16 Jun 2011 06:04:15 AM GMT out 1HQBh6QHduRHgLr9kCx5jd9qpJw7e7LUAD 30.53000000 ฿TC

06:45:15 a.m. Thursday June 16, 2011 in GMT converts to 03:45:15 p.m. Thursday June 16, 2011 in JST

Logins by IP-addresses that are not mine:
MTGOX_LOGIN Successful login on Mt.Gox Sat 18 Jun 2011 12:22:44 AM JST 184.105.220.24
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 03:03:51 PM JST 213.112.199.142 <-- likely logged on and withdrew money
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 01:14:03 PM JST 76.10.214.89
MTGOX_LOGIN Successful login on Mt.Gox Wed 15 Jun 2011 06:38:29 PM JST 46.166.129.61

The IP 213.112.199.142 seems to reside in Sweden and doesn't seem to run TOR. It could be part of a bot-net though.
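The correlation kabo does by hand above, as an added example script (not code from the post or from Mt. Gox): parse the withdrawal and MTGOX_LOGIN lines, convert the mixed GMT and JST timestamps to UTC so they can be compared, list logins from addresses the account owner does not recognise, and find the last login before the withdrawal. The log lines are the ones quoted in the post (with the currency glyph written as plain BTC); the owner's address list `OWN_ADDRESSES` and the `triage` helper are constructed for the example.

```python
"""Triage of the account-history lines quoted above: normalise GMT and JST
timestamps to UTC, flag logins from unrecognised addresses and find the login
that immediately precedes the withdrawal.  Added example, not code from the
post or from Mt. Gox."""
import re
from datetime import datetime, timedelta, timezone

# Lines as they appear in the post, currency glyph written as plain "BTC".
# The "<-- ..." remark on the second login line is kabo's own annotation.
HISTORY = """\
Thu 16 Jun 2011 06:04:15 AM GMT out 1HQBh6QHduRHgLr9kCx5jd9qpJw7e7LUAD 30.53000000 BTC
MTGOX_LOGIN Successful login on Mt.Gox Sat 18 Jun 2011 12:22:44 AM JST 184.105.220.24
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 03:03:51 PM JST 213.112.199.142 <-- likely logged on and withdrew money
MTGOX_LOGIN Successful login on Mt.Gox Thu 16 Jun 2011 01:14:03 PM JST 76.10.214.89
MTGOX_LOGIN Successful login on Mt.Gox Wed 15 Jun 2011 06:38:29 PM JST 46.166.129.61
"""

# Constructed placeholder: the addresses the account owner actually uses.
OWN_ADDRESSES = {"203.0.113.7"}

ZONES = {"GMT": timezone.utc, "JST": timezone(timedelta(hours=9))}
TS = r"(\w{3} \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [AP]M) (GMT|JST)"
LOGIN_RE = re.compile(r"MTGOX_LOGIN Successful login on Mt\.Gox " + TS
                      + r" (\d{1,3}(?:\.\d{1,3}){3})")   # trailing remarks ignored
OUT_RE = re.compile(TS + r" out (\S+) ([\d.]+) BTC")


def parse_ts(text, zone):
    """Parse e.g. 'Thu 16 Jun 2011 03:03:51 PM' in the named zone; return UTC."""
    naive = datetime.strptime(text, "%a %d %b %Y %I:%M:%S %p")
    return naive.replace(tzinfo=ZONES[zone]).astimezone(timezone.utc)


def parse_history(text):
    """Return ([(utc_ts, ip)], [(utc_ts, destination, amount)])."""
    logins, withdrawals = [], []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append((parse_ts(m.group(1), m.group(2)), m.group(3)))
            continue
        m = OUT_RE.match(line)
        if m:
            withdrawals.append((parse_ts(m.group(1), m.group(2)),
                                m.group(3), float(m.group(4))))
    return logins, withdrawals


def unknown_logins(logins, own=OWN_ADDRESSES):
    """Logins from addresses the owner does not recognise, oldest first."""
    return sorted((ts, ip) for ts, ip in logins if ip not in own)


def login_before(withdrawal_ts, logins):
    """(ip, seconds) of the last login at or before the withdrawal, or None."""
    earlier = [(ts, ip) for ts, ip in logins if ts <= withdrawal_ts]
    if not earlier:
        return None
    ts, ip = max(earlier)
    return ip, int((withdrawal_ts - ts).total_seconds())


def triage(text=HISTORY, own=OWN_ADDRESSES):
    """Per withdrawal: (destination, amount, preceding login ip, gap seconds)."""
    logins, withdrawals = parse_history(text)
    report = []
    for ts, dest, amount in withdrawals:
        ip, gap = login_before(ts, logins) or (None, None)
        report.append((dest, amount, ip, gap))
    return report, unknown_logins(logins, own)
```

On these lines `triage()` reports the withdrawal of 30.53 BTC as occurring 24 seconds after the login from 213.112.199.142, which is the same conclusion kabo reached by converting the times by hand. Putting every timestamp into one zone before comparing is the step that matters: the history mixes a GMT withdrawal line with JST login lines, and an eyeball comparison across the nine-hour offset is where such correlations usually go wrong.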
Visa (Newbie, Activity: 3, Merit: 0)
June 26, 2011, 12:58:02 PM #176

I see a class action against Mt Gox is in order