Mt. Gox: If your coins were stolen, please write here

[MagicalTux]

Ok, we've been seeing a "lot" of cases recently.

So far I have 10 known cases of people whose coins were stolen (someone logged in on the account using their password, traded USD for BTC, withdrew all the BTC). Considering we have now over 60000 accounts (2 months ago we had 10 times less), this seems to be a problem coming mainly from users.

Problem is many have been posting in various places (forums, reddit, twitter, irc, etc) causing a lot of fear among users when the problem is still fairly limited.

Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

By the way we are working on adding an extra feature: a withdraw password. If you define one (on the settings screen) you will have to enter this password too. Should be available by monday.



Now, we cannot recover the funds, however we can try to track those and locate to which account they were sent. I guess that if your account was compromised you first sent an email to info@mtgox.com asking for your account to be blocked until investigation, providing as much information as you can as for the problem.

Please post here your ticket number that was assigned to you when you created this if you want priority handling. Please read the following FAQ before.


FAQ

My history disappears along all my coins and monies

You have not logged in with your usual login. Please make sure you are using the right account.

My coins were traded for USD, or my USD were traded for coins, I never entered any order

You had an open order that couldn't be filled because you didn't have enough funds. When you added funds (or coins) your order could be filled, and was filled.

[1714006140]

1714006140

[1714006140]

1714006140

[1714006140]

1714006140

[1714006140]

1714006140

[koin]

Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

Now, we cannot recover the funds, however we can try to track those and locate to which account they were sent.

are you saying that no changes were made to the site in the past 24 hours to protect against a csrf?

if it wasn't broken, would you have any explanation for this claim that a hole had been fixed? http://forum.bitcoin.org/index.php?topic=18709.msg235994#msg235994

[MagicalTux]

Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

are you saying that no changes were made to the site in the past 24 hours to protect against a csrf?

if it wasn't broken, would you have any explanation for this claim that a hole had been fixed? http://forum.bitcoin.org/index.php?topic=18709.msg235994#msg235994

There was indeed a CSRF vulnerability in the "change email" and "send funds" features, however we verified the logs of the webserver and could confirm neither were ever exploited, except by the people who discovered it.

Both are now fixed.

[anatolikostis]

Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

are you saying that no changes were made to the site in the past 24 hours to protect against a csrf?

if it wasn't broken, would you have any explanation for this claim that a hole had been fixed? http://forum.bitcoin.org/index.php?topic=18709.msg235994#msg235994

There was indeed a CSRF vulnerability in the "change email" and "send funds" features, however we verified the logs of the webserver and could confirm neither were ever exploited, except by the people who discovered it.

Both are now fixed.

You know about my case very well MARK - I`m still waiting for my stolen 13.4 BTC...

[leepfrog]

What do you have to say about this here:

http://securityforthemasses.blogspot.com/2011/06/mt-gox-db-purportedly-for-sale.html

[Man From The Future]

Copy in case that disappears:

Mt. Gox Db Purportedly for Sale...
Posted to the 'Bin:

"I Got mtgox database,1 day old.Got also bitcoins7;it not as big but still lots hehe!no secure LOL.....

would send user&pass in here but,I want to sell to big buyer

Email: auto36299386@hushmail.com

Make big offer!!!

~cRazIeStinGeR~"


http://pastebin.com/xhnNdvte

[Grant]

Copy in case that disappears:

Mt. Gox Db Purportedly for Sale...
Posted to the 'Bin:

"I Got mtgox database,1 day old.Got also bitcoins7;it not as big but still lots hehe!no secure LOL.....

would send user&pass in here but,I want to sell to big buyer

Email: auto36299386@hushmail.com

Make big offer!!!

~cRazIeStinGeR~"


http://pastebin.com/xhnNdvte

I call that a fake/scam attempt. If it was true, this "hacker" would first have emptied as many accounts as possible before selling it. My account remains untouched and so do accounts of most others, only a small % of the people got "exploited".

[zpinto]

Ok, due to that, i tried to change my password in MTGox and it doesnt let me... wtf?

[Man From The Future]

Seeing the database doesn't mean having write access.

[MagicalTux]

What do you have to say about this here:

http://securityforthemasses.blogspot.com/2011/06/mt-gox-db-purportedly-for-sale.html

Password are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD

[MagicalTux]

You know about my case very well MARK - I`m still waiting for my stolen 13.4 BTC...

As I already replied you, your funds were stolen by someone logging in onto your account with your password. Your funds are right now on a bitcoin address and have not moved since then.

As a reminder we assume no responsibility should your funds be stolen by someone using your own password.

[smackdaddy]

What do you have to say about this here:

http://securityforthemasses.blogspot.com/2011/06/mt-gox-db-purportedly-for-sale.html

Password are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD

Well, to be fair, if you have the hashed values, it takes very little effort to bruteforce a large number of passwords. Especially if you use tables.

Your statement makes me nervous about the state of overall security at mtgox....relying on hashed passwords was a failing paradigm over a decade ago.

[Sukrim]

That's what salt is for!

Just read it up on Wikipedia...

[smackdaddy]

That's what salt is for!

Just read it up on Wikipedia...

Uhm, I think you need to read up on it. Salting helps defend against table lookups but does not strongly protect against brute force.

[joepie91]

MagicalTux, a few cases can already be found here: http://forum.bitcoin.org/index.php?topic=18050.0
It also has some information regarding passwords strengths and operating systems that people used etc.

Also, have you received my PM about the CSS history sniffing vulnerability?

Copy in case that disappears:

Mt. Gox Db Purportedly for Sale...
Posted to the 'Bin:

"I Got mtgox database,1 day old.Got also bitcoins7;it not as big but still lots hehe!no secure LOL.....

would send user&pass in here but,I want to sell to big buyer

Email: auto36299386@hushmail.com

Make big offer!!!

~cRazIeStinGeR~"


http://pastebin.com/xhnNdvte

I call that a fake/scam attempt. If it was true, this "hacker" would first have emptied as many accounts as possible before selling it. My account remains untouched and so do accounts of most others, only a small % of the people got "exploited".

If the easiest way of "laundering" stolen money would be the exact site you compromised (Mt. Gox) I can imagine that someone does not want to go through the trouble of laundering everything, and would rather sell off the entire database in one hit and have others deal with that. Not to mention selling the database to multiple people.

What do you have to say about this here:

http://securityforthemasses.blogspot.com/2011/06/mt-gox-db-purportedly-for-sale.html

Password are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD

Hashes (even salted) can be bruteforced. Especially if someone has for example already set up Bitcoin mining rigs, he would have considerable power to use on bruteforcing passwords, not to mention things like Amazon AWS (or other cloud computing services) that can be used to very quickly crack hashes.

[Man From The Future]

The fact that it uses MD5 is an issue.

It should definitely have been set up using SHA256/SHA512, and at least a per user salt(You haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.

[joepie91]

The fact that it uses MD5 is an issue.

It should definitely have been set up using SHA256/SHA512, and at least a per user salt(You haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.

Where was MD5 mentioned?

[jondecker76]

I had 20 BTC stolen from my account, I didn't find out until 2 days later.

Here, I added 20 BTC to do some trading:

06/13/11 09:34   Add BTC   1AbvTGGyKKQDezsnaYDAhJDNPkZYv7aM9z   20   0   20.199   0.059

Within a single day, it had been transferred out (unknown to me)

06/14/11 15:45   Withdraw BTC   17RT6Ne994VjC762wh7TpXRdrZRMbhJSUC    -20.19   0   0.009   0.059

I sent an email from your website reporting the problem, here is the automated reply:

## Please do not write below this line ##
Ticket #1605: I was hacked

Your request (#1605) has been received, and will be reviewed by our support staff.

Our help desk is experiencing unusually high traffic currently. We regret to inform you that you will experience some delays (currently 48-72 hrs) in us getting back to you.

We sincerely apologize for the inconvenience and are working on all fronts to improve our response times.

To review the status of the request and add additional comments, follow the link below:
http://support.mtgox.com/tickets/1605


Jondecker76, Jun-17 22:02 (JST):

I've seen it a lot on the forums as well and never thought it could happen to me, but today I logged in to my account to find that my balance of 20 BTC is gone.

here is a the copy and paste from my account history:
06/14/11 15:45 Withdraw BTC 17RT6Ne994VjC762wh7TpXRdrZRMbhJSUC -20.19 0 0.009 0.059


I truly believe you guys have a security problem on your end

I feel that it is MtGox's responsibility to own up to losses from multiple users.  You can confirm yourself that my original report to you was received before there was any mention of a confirmed vulnerability.

[Man From The Future]

The fact that it uses MD5 is an issue.

It should definitely have been set up using SHA256/SHA512, and at least a per user salt(You haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.

Where was MD5 mentioned?

It must be in the thread ocnfirming the existence of the CSRF vulnerability.

[Noitev]

That's what salt is for!

Just read it up on Wikipedia...

Uhm, I think you need to read up on it. Salting helps defend against table lookups but does not strongly protect against brute force.

if you put enough salt in a md5, itll take thousands of years until you can crack it, ive tried