Bitcoin Forum
Author Topic: If your Mt. Gox account has been compromised, PLEASE READ.  (Read 34527 times)
joepie91 (OP)
Sr. Member
Activity: 294
Merit: 250
June 18, 2011, 09:15:11 PM
 #61

Quote:
sht this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in bitcoin's security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.

Also, doesn't anybody think it's suspicious that all these attacks are happening at the same time?



Bitcoin has had a lot of attention lately. Of course there will be attacks from every side. People who just want to earn a buck from it in less elegant ways, and people who want to see Bitcoin vanish off the earth.

I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, unfeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed bruteforce (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.

The message from mtgox makes it sound like some type of XSS.
How exactly would an XSS work in this case? I have never followed any links to Mt. Gox from external sites, and my account was broken into at a point where I couldn't even access Mt. Gox (probably due to the DDoS attacks).

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
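The feasibility argument in the attack-vector list above (a dictionary word or short password versus a 20-character random one against a distributed brute-force) can be put in numbers. This is an added example, not code from the thread; the botnet size, the per-host attempt rate and the dictionary size are constructed assumptions, and the service's rate limiting is what actually sets the guess rate.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed assumption (not from the thread): a botnet of 100,000 hosts, each
# allowed 10 login attempts per second by a service with no rate limiting.
# Account lockout or per-IP throttling lowers this number, which is the knob
# the service operator controls; password length is the knob the user controls.
BOTNET_GUESSES_PER_SECOND = 100_000 * 10


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from a `charset_size` alphabet."""
    return charset_size ** length


def entropy_bits(space: int) -> float:
    """Guessing entropy in bits for a password chosen uniformly from `space` candidates."""
    return math.log2(space)


def expected_years_to_guess(space: int, guesses_per_second: float) -> float:
    """Average time for exhaustive online guessing: the right password is found
    after half the candidates have been tried, on average."""
    seconds = (space / 2) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float = BOTNET_GUESSES_PER_SECOND) -> dict:
    """Entropy and expected cracking time for the password types the thread discusses.
    The 100,000-word dictionary is a constructed figure."""
    cases = {
        "single dictionary word": 100_000,
        "6 random lowercase letters": keyspace(26, 6),
        "20 random upper/lower/digits": keyspace(62, 20),
    }
    return {
        name: {
            "bits": round(entropy_bits(space), 1),
            "years": expected_years_to_guess(space, guesses_per_second),
        }
        for name, space in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:30s} {result['bits']:6.1f} bits  {result['years']:.3g} years")
```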
Grant
Full Member
Activity: 210
Merit: 100
June 18, 2011, 09:40:06 PM
 #62

Quote:
sht this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in bitcoin's security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.

No shit it looks bad, it was enough to completely diminish my trust in the system, and I've been a bitcoin enthusiast since December. Imagine how "attractive" this looks for someone who is considering investing. If this had happened in December when I discovered bitcoin I'd certainly have run far away from here.

We don't need "banking", there is no way to track funds to a person anyway (we can track the block explorer yes but that's it, it may be a thief's account and it may be someone who pretends to be a victim's 2nd wallet). What's needed is better security, until then I'm taking most of my bitcoin savings far away from bitcoin.


joepie91 (OP)
Sr. Member
Activity: 294
Merit: 250
June 18, 2011, 09:58:10 PM
 #63

Quote from: Grant
Quote:
sht this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in bitcoin's security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or somebody is gonna rob their computer and lose everything.

No shit it looks bad, it was enough to completely diminish my trust in the system, and I've been a bitcoin enthusiast since December. Imagine how "attractive" this looks for someone who is considering investing. If this had happened in December when I discovered bitcoin I'd certainly have run far away from here.

We don't need "banking", there is no way to track funds to a person anyway (we can track the block explorer yes but that's it, it may be a thief's account and it may be someone who pretends to be a victim's 2nd wallet). What's needed is better security, until then I'm taking most of my bitcoin savings far away from bitcoin.



The issue is not with Bitcoin. It is perfectly possible for someone to set up a Bitcoin bank, that has insurance against theft etc, just like "conventional" banks. The issue here lies with Mt. Gox, which is only a single independent exchange. Bitcoin itself (as an idea and protocol) is technically sound. The only thing I am missing is wallet encryption in the client by default, but that can be overcome for now by storing a wallet on a machine that is not connected to the internet, using third-party encryption software.

Bitcoin is much like digital cash, with the difference that you can encrypt a Bitcoin wallet, while you can't encrypt an IRL wallet.

alexanderanon
Full Member
Activity: 210
Merit: 100
June 18, 2011, 10:55:37 PM
 #64

Any reports of problems with TradeHill, anyone?
joshuad31
Newbie
Activity: 23
Merit: 0
June 19, 2011, 01:16:11 AM
 #65

any newbie reading this please keep your bitcoins separated in many individual places in case one of your locations is compromised

...and make sure no one else has access to the places you stored your files in.

Obviously this is the dawn of a new age of crypto currency but if they ever expect bitcoin to become mainstream and not just somebody's hobby shouldn't all these issues be addressed by the software programmers of bitcoin? I mean do you really want to solve this problem? Well, it's easy. Let me outline the steps:

1. The bitcoin software needs to encrypt the wallet file. It reads from/writes to a wallet that always remains encrypted.
2. If you really want bitcoin to go mainstream then it seems to me like incorporating a trading mechanism like mtgox directly into the software itself would seem wise. That way you don't need to rely on an ewallet system which can be compromised every time you need to convert currency.

Till these two problems are solved how can anyone rely upon bitcoin as a reliable and secure means of currency?

~J
mahun
Newbie
Activity: 17
Merit: 0
June 19, 2011, 01:58:20 AM
 #66

http://forum.bitcoin.org/index.php?topic=19221.0

in short:
did not reuse password.
did not use email during registration, instead wrote down login/password to keepass.
brand new mtgox.com account.
funded it with 50.56 and after 3-4 hours unable to login to site.
it could not be hacked from email, since email was not used during registration.
no trojans found and computer was offline.
did not visit any websites in between so recent CSRF issue did not affect me.
JTaBitCoinKing
Newbie
Activity: 28
Merit: 0
June 19, 2011, 04:04:59 AM
 #67

Well, that Dollar is no less doomed than the Bitcoin.
neneko
Newbie
Activity: 28
Merit: 0
June 19, 2011, 04:26:54 AM
 #68

Quote from: joshuad31
any newbie reading this please keep your bitcoins separated in many individual places in case one of your locations is compromised

...and make sure no one else has access to the places you stored your files in.

Obviously this is the dawn of a new age of crypto currency but if they ever expect bitcoin to become mainstream and not just somebody's hobby shouldn't all these issues be addressed by the software programmers of bitcoin? I mean do you really want to solve this problem? Well, it's easy. Let me outline the steps:

1. The bitcoin software needs to encrypt the wallet file. It reads from/writes to a wallet that always remains encrypted.
2. If you really want bitcoin to go mainstream then it seems to me like incorporating a trading mechanism like mtgox directly into the software itself would seem wise. That way you don't need to rely on an ewallet system which can be compromised every time you need to convert currency.

Till these two problems are solved how can anyone rely upon bitcoin as a reliable and secure means of currency?

~J

The first problem confuses me a little, mostly because these attacks had absolutely nothing to do with anyone's wallet file.

The second is just a terrible suggestion and goes against the very basic principles of bitcoin and what it's supposed to be.

Safer banking solutions would be great and they will no doubt come when bitcoin grows bigger but for now just calm down a little and look at what actually happened. These attacks happened due to a site (mt. gox) having security flaws and the attacks only affected accounts at that site. They had nothing to do with how bitcoin works as a currency.
TheMummy
Newbie
Activity: 2
Merit: 0
June 19, 2011, 05:48:44 AM
 #69

I can't login using my account. It was fine about an hour ago. My email has been changed as well so I can't get my password back.

My ticket: #1899
Mr2001
Newbie
Activity: 42
Merit: 0
June 19, 2011, 06:50:46 AM
Last edit: June 19, 2011, 01:57:40 PM by Mr2001
 #70

Quote from: TheMummy
I can't login using my account. It was fine about an hour ago. My email has been changed as well so I can't get my password back.

My ticket: #1899

Same here. Ticket #1912. I can't log in, and password recovery says no email address is on file (but I believe I set one when I signed up).

I've been using a separate browser for mtgox, with no other pages open, ever since I heard about the CSRF exploit. I tried to change my password at that time too, but when I clicked "Change", the page flickered but nothing happened (on multiple browsers).
fasthands
Newbie
Activity: 19
Merit: 0
June 19, 2011, 08:48:01 AM
 #71

Change your Mt. Gox password. Twenty characters is best, with both uppercase and lowercase letters along with a few numbers. No words from the dictionary!
Mr2001
Newbie
Activity: 42
Merit: 0
June 19, 2011, 10:25:00 AM
 #72

Quote from: fasthands
Change your Mt. Gox password. Twenty characters is best, with both uppercase and lowercase letters along with a few numbers. No words from the dictionary!

Am I the only one who was unable to change passwords?
mikef
Newbie
Activity: 7
Merit: 0
June 19, 2011, 12:10:41 PM
 #73

My account was locked today - not able to get in or recover password. Reading the forums, I was already hopeless. But finally mtgox support got back to me and reopened the account. I hear this is related to tracking stolen bitcoins.

So if you're in the same situation, not being able to log in (instead of malicious transactions), contact mtgox support.
puppy1014
Newbie
Activity: 48
Merit: 0
June 19, 2011, 12:42:20 PM
Last edit: June 19, 2011, 12:55:13 PM by puppy1014
 #74

My acc has been hacked and I lost 5 BTC. The ID and the pass don't match, no way, I'm sure about my password. I use the latest Avira and Zone Alarm, so there isn't any trojan or keylogger in my PC. So I think mtgox stole my acc?
My ticket #1942. Now I can't do anything with my account (login, recover my pass; I think someone changed it).
joepie91 (OP)
Sr. Member
Activity: 294
Merit: 250
June 19, 2011, 08:13:44 PM
 #75

Update: Mt. Gox was compromised, the database of users was released. I believe the thread here was removed, but many people will probably be able to verify it.

Change your passwords now.

I told you so

digimag
Full Member
Activity: 138
Merit: 100
June 19, 2011, 08:29:38 PM
 #76

Hey hey…

I believe people at MTGOX are little stupid kids.

Do not change your password.

Just delete your damn MT GOX account and go find a more trustworthy site.

I've just downloaded that CSV file with all the information, I can't believe it.

Mt GOX IS NOT SECURE.

Mt Gox is a fucking security hole and you'd better get out of there quick.

For instance, try Trade Hill.

17opQsbw8873x4PTwzvacEjNR2a59mSxoT
digimag
Full Member
Activity: 138
Merit: 100
June 19, 2011, 08:33:36 PM
 #77

Quote from: joepie91
Update: Mt. Gox was compromised, the database of users was released. I believe the thread here was removed, but many people will probably be able to verify it.

Change your passwords now.

I told you so

As I said, there is no use changing your password if it will be hacked again.

What just happened is just not serious. It's such a fucking joke I can't believe it.

I would recommend getting out of there and going somewhere else.

If those people cannot secure their web server, they should be responsible for it and assume the consequences.

tomfmason
Newbie
Activity: 1
Merit: 0
June 19, 2011, 08:49:55 PM
 #78

I like how the original thread was removed. Cover up or what?

weaksauce imo
mvd7793
Newbie
Activity: 8
Merit: 0
June 19, 2011, 09:08:02 PM
 #79

Anyone tried 1Password? I've been looking at getting that.
joepie91 (OP)
Sr. Member
Activity: 294
Merit: 250
June 19, 2011, 09:24:25 PM
 #80

Quote from: digimag
Quote from: joepie91
Update: Mt. Gox was compromised, the database of users was released. I believe the thread here was removed, but many people will probably be able to verify it.

Change your passwords now.

I told you so

As I said, there is no use changing your password if it will be hacked again.

What just happened is just not serious. It's such a fucking joke I can't believe it.

I would recommend getting out of there and going somewhere else.

If those people cannot secure their web server, they should be responsible for it and assume the consequences.

I was not just talking about Mt. Gox password, but passwords everywhere. Judging from the few passwords that were posted (cracked) on Pastebin as well, a lot of people are reusing passwords.


Quote from: digimag
Hey hey…

I believe people at MTGOX are little stupid kids.

Do not change your password.

Just delete your damn MT GOX account and go find a more trustworthy site.

I've just downloaded that CSV file with all the information, I can't believe it.

Mt GOX IS NOT SECURE.

Mt Gox is a fucking security hole and you'd better get out of there quick.

For instance, try Trade Hill.

Nice referral link spam, bro.

Also, personally I would advise people to use an exchange that runs on an open-source platform. Tradehill (and most other exchanges) are just yet another proprietary platform of which you have no guarantees regarding security. You cannot look through the code (no one can, really), and will have to blindly believe that they cannot be compromised.
