bitsalame (OP)
Donator
Hero Member
Offline
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
June 19, 2011, 07:20:00 PM
The bitcoin will be back to around $17.5/BTC after we rollback all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).
Service should be back by June 20th 10:00am (JST, 01:00am GMT) with all the trades reversed and accounts available.
One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdrawal limit was active for this account and the hacker could only get out with $1000 worth of coins.
Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.
--------------
My opinion here: although it is unfortunate for the owner of the account, in the real world stolen money is money gone. "Reverting" the transactions and "re-establishing" the price arbitrarily IS NOT ACCEPTABLE. What is it, a game?
That is why in the real world we have insurance. We should create an insurance mechanism for the case of hacked accounts, but reverting transactions is not acceptable.
Shox
Newbie
Offline
Activity: 6
Merit: 0
June 19, 2011, 07:28:26 PM
Was this thread really needed among the billions of others?
Sorry but that announcement has already been posted a few times.
jack_jones
Newbie
Offline
Activity: 14
Merit: 0
June 19, 2011, 07:29:53 PM
In this context what does 'rollback' imply?
BitcoinPorn
June 19, 2011, 07:30:25 PM
My opinion here: although it is unfortunate for the owner of the account, in the real world stolen money is money gone. "Reverting" the transactions and "re-establishing" the price arbitrarily IS NOT ACCEPTABLE. What is it, a game?
That is why in the real world we have insurance. We should create an insurance mechanism for the case of hacked accounts, but reverting transactions is not acceptable.

This is a game. All people are taking on all risks involved in this not yet established currency (which I believe will stand against all these tests). I think we should all appreciate that Gox takes this responsibility on himself to be like 'holy shit, this is fucked up for so many people, I at the least have the power to change this one thing' and so he is. I'm seriously glad. But yeah, in the end, insurance and all that good stuff comes with so many third parties. I think banks are obviously out with Bitcoins, but something along the line of sects and trusted groups will start coming out I think (it may already be starting with/within Pools).
monsterblitz
Newbie
Offline
Activity: 24
Merit: 0
June 19, 2011, 07:35:12 PM
Was this thread really needed among the billions of others?
Sorry but that announcement has already been posted a few times.

I checked & didn't see another post about this. It may have been posted in another topic or forum. Since this is an official announcement, it seems pretty appropriate considering the circumstances.
Nanodemon
Newbie
Offline
Activity: 5
Merit: 0
June 19, 2011, 07:38:37 PM
Account compromise != hack. Someone got keylogged, had an insecure password, or some other nonsense. This isn't "hacking".
bitsalame (OP)
Donator
Hero Member
Offline
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
June 19, 2011, 07:40:47 PM
Was this thread really needed among the billions of others?
Sorry but that announcement has already been posted a few times.

Oh really? Care to cite your "billion" posts? The last time I checked everyone was just lost; the conspiracy theories about TradeHill making a shady move against MtGox were the trending posts. I am bringing the official statement from MtGox to stop the nonsense conspiranoid chatter. Cheers
Beremat
Full Member
Offline
Activity: 263
Merit: 100
YGOLD is a Defi platform
June 19, 2011, 07:42:38 PM
The price isn't being set arbitrarily. It was $17.5 the second before the big sale, and that's what it's being rolled back to.
Nanodemon
Newbie
Offline
Activity: 5
Merit: 0
June 19, 2011, 07:55:42 PM
The price isn't being set arbitrarily. It was $17.5 the second before the big sale, and that's what it's being rolled back to.

However, that will not correctly dictate the state of the market when the site comes back up, meaning it's an arbitrary number at the time. If your buy and sell orders are based on that, when say... TradeHill or some other exchange is significantly higher or lower, it stands to reason that you will lose or gain accordingly based on the state of the market as a whole. It's basically a fix, since everyone now knows that MtGox will be at $17.50 at around 1AM GMT.
Atheros
June 19, 2011, 08:08:00 PM
No, they really did get hacked - or at least someone leaked their accounts. Find yourself here: http://ifile.it/a3kl16j/accounts.csv
Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today. The End.
BM-GteJMPqvHRUdUHHa1u7dtYnfDaH5ogeY Bitmessage.org - Decentralized, trustless, encrypted, authenticated messaging protocol and client.
nixxle
Newbie
Offline
Activity: 47
Merit: 0
June 19, 2011, 08:14:42 PM Last edit: June 19, 2011, 09:02:11 PM by trentzb
No, they really did get hacked - or at least someone leaked their accounts. Find yourself here:
<snip>
Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.
The End.

Started cracking MD5 hashes? You have no idea what you are talking about. The passwords in the accounts.csv are not MD5. More likely, a hacker got access to the server, did the damage he did (dump BTC on the market from 1 account or something) and figured: while I am here, I might as well spice things up and make a full dump of the users database table.
pipedr34
Newbie
Offline
Activity: 7
Merit: 0
June 19, 2011, 08:16:18 PM Last edit: June 19, 2011, 08:35:01 PM by pipedr34
No, they really did get hacked - or at least someone leaked their accounts. Find yourself here:
<snip>
Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.
The End.

My email is in there. The leak is real. fuck
plutocracy
Newbie
Offline
Activity: 14
Merit: 0
June 19, 2011, 08:28:54 PM
No, they really did get hacked - or at least someone leaked their accounts. Find yourself here:
redacted
Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.
The End.

I wish people would stop linking that file. Mods are removing posts relating to it, just not fast enough. But yes, this is what happened.
Atheros
June 19, 2011, 08:37:13 PM
Started cracking MD5 hashes? You have no idea what you are talking about.

Oh, but I do. People are brute forcing them successfully right now. Some are salted. Some are not. That is why someone was willing to sell bitcoins at $0.01. Because the account wasn't theirs.
pipedr34
Newbie
Offline
Activity: 7
Merit: 0
June 19, 2011, 08:39:18 PM
There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.

Actually people on #mtgox say the limit is 50 BTC or 1000 USD per day.
BouerBouer
Newbie
Offline
Activity: 28
Merit: 0
June 19, 2011, 08:40:24 PM
And the lulz kick-starts again.
This is why I'm pretty heavily against using Mt Gox right now. That and the lack of Pound Sterling support sucks.
blendergasket
Newbie
Offline
Activity: 28
Merit: 0
June 19, 2011, 08:45:53 PM
No, they really did get hacked - or at least someone leaked their accounts. Find yourself here:
redacted
Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.
The End.
I wish people would stop linking that file. Mods are removing posts relating to it, just not fast enough. But yes, this is what happened.

Once it's on the internet it can't be taken off. The only thing unlinking it from here will do is keep legit users from knowing about it quickly and changing their info on related sites (if it's reused). This is especially bad since the Mt.Gox hacked/CSRF threads tell which/where passwords might be reused. Time to get as much info as possible and mitigate the risk as much as possible. I'd assume it's torrented by now and being downloaded by all sorts of malicious people NOT affiliated with this site.

Also: just when finishing this post up I got this email:

Dear Mt.Gox user,
Our database has been compromised, including your email. We are working on a quick resolution and to begin with, your password has been disabled as a security measure (and you will need to reset it to login again on Mt.Gox). If you were using the same password on Mt.Gox and other places (email, etc), you should change this password as soon as possible.
For more details, please see this: https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
The information there will be updated as our investigation progresses. Please accept our apologies for the trouble caused, and be certain we will do everything we can to keep the funds entrusted with us as secure as possible.
The leaked data includes the following:
- Account number
- Account login
- Email address
- Encrypted password
While the password is encrypted, it is possible to bruteforce most passwords with time, and it is likely bad people are working on this right now. Any unauthorized access done to any account you own (email, mtgox, etc) should be reported to the appropriate authorities in your country.
Thanks,
The Mt.Gox team
chadqberry
Newbie
Offline
Activity: 57
Merit: 0
June 19, 2011, 08:48:40 PM
If you managed to buy some BTC at .01, I hope you were smart enough to transfer them out of there quickly! I guess those crying about the rollback didn't quite get theirs out in time.
spankymio
Newbie
Offline
Activity: 25
Merit: 0
June 19, 2011, 08:57:46 PM
If you managed to buy some BTC at .01, I hope you were smart enough to transfer them out of there quickly! I guess those crying about the rollback didn't quite get theirs out in time.

That is pretty much the thought process I had - surely you knew that something was wrong as soon as it got down below $10.
jandd
Newbie
Offline
Activity: 6
Merit: 0
June 19, 2011, 09:17:57 PM
No, they really did get hacked - or at least someone leaked their accounts. Find yourself here:
<snip>
Then, someone started cracking the MD5 password hashes and then, with passwords in hand, trying various accounts until they found one with lots of money. There is a $1000 per day withdrawal limit, so in order to get more bitcoins out, they had to crash the market close to 0 first. And that is what happened today.
The End.
Started cracking MD5 hashes? You have no idea what you are talking about. The passwords in the accounts.csv are not MD5. More likely, a hacker got access to the server, did the damage he did (dump BTC on the market from 1 account or something) and figured: while I am here, I might as well spice things up and make a full dump of the users database table.

These are salted MD5 hashes as generated by crypt(3); breaking these using brute force should be quite complicated (if the crackers did not discover another MD5 weakness). BTW: I found my fresh account there too. Fortunately I did not have any BTC or USD there yet. I hope they implement better security measures and do a code review before going online again.
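As an added illustration of the point argued over the last few posts (unsalted MD5 versus crypt(3) md5-crypt), and not code from the thread or from Mt.Gox: a small Python triage script of the kind a defender would run over a leaked accounts table to see which rows are most exposed. The column layout, the sample rows and the `$1$` digest are constructed for this example; the script only recognises hash formats, it does not recover any password.

```python
import hashlib
import re

# Constructed sample rows in the shape the thread describes (account number,
# login, email, stored password hash). Values are made up for this example:
# the two 32-hex rows are the real md5("password") digest, the $1$ row is a
# placeholder in crypt(3) md5-crypt syntax whose digest was not computed.
SAMPLE_DUMP = """\
1001,alice,alice@example.com,5f4dcc3b5aa765d61d8327deb882cf99
1002,bob,bob@example.com,$1$Zt9pQx2L$placeholderdigestXXXXX
1003,carol,carol@example.com,5f4dcc3b5aa765d61d8327deb882cf99
1004,dave,dave@example.com,not-a-hash
"""

RAW_MD5 = re.compile(r"^[0-9a-f]{32}$")
# crypt(3) md5-crypt: "$1$" + 1..8 salt chars + "$" + 22 base64-ish digest chars
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def classify_hash(stored: str) -> str:
    """Label a stored password hash by format; bare MD5 is the weakest."""
    if RAW_MD5.match(stored):
        return "md5-unsalted"
    if MD5_CRYPT.match(stored):
        return "md5-crypt-salted"
    return "unknown"


def parse_dump(text: str) -> list:
    """Split the CSV-style dump into records and tag each with its hash kind."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        acct, login, email, pw_hash = line.split(",", 3)
        rows.append({"account": acct, "login": login, "email": email,
                     "hash": pw_hash, "kind": classify_hash(pw_hash)})
    return rows


def triage(rows: list) -> dict:
    """Count hash formats and find unsalted digests shared by several accounts.
    Without a salt, equal passwords give equal hashes, so one recovered
    password exposes every account in that group; a per-user salt (as in
    crypt(3) md5-crypt) removes that linkage."""
    counts, shared = {}, {}
    for r in rows:
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
        if r["kind"] == "md5-unsalted":
            shared.setdefault(r["hash"], []).append(r["login"])
    shared = {h: users for h, users in shared.items() if len(users) > 1}
    return {"counts": counts, "shared_unsalted": shared}


def unsalted_md5(password: str) -> str:
    """The weak scheme the thread argues about: bare MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()
```

Every account in such a leak needs a forced reset regardless of format; the report only orders the notification work.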