MtGox UPDATE

[jed]

Hello everyone, MagicalTux is busy getting everything back in order on mtgox so he asked me to post here and answer any questions people have.

First, only a small amount of BTC was stolen. MtGox will refund the stolen BTC to the compromised user.

Everyone's bitcoins are safe on the site. We still are holding all the coins safely in reserve. The vast majority of the coins are stored offline so they are impossible to compromise.

He understands the rollback won't be popular with people who were able to pick up coins for .10 or whatever but none of those trades were legitimate so mtgox has a legal obligation to reverse the trades.

I'm sure when you think about it you don't actually want to buy stolen coins and take advantage of the situation.

Things have been very hectic with mtgox since MagicalTux took over. He has simultaneously been trying to fend off persistent ddos attacks, hire more staff, deal with the huge increase in users, improve the code to support the much larger trade volume, ensure regulatory compliance and deal with various security issues. Obviously things haven't gone as smoothly as we would like but we can see the light at the end of the tunnel with more people being hired and the backend changes done. MtGox will hopefully be able to regain your trust in the coming weeks.

The site should be up again shortly. I'm asking him to clear all the standing orders.

Please post any questions you have here and I'll do my best to answer.

[1714105610]

1714105610

[1714105610]

1714105610

[1714105610]

1714105610

[1714105610]

1714105610

[paulie_w]

i really don't think you can call them 'stolen coins' with a straight face. what's done is done, and it's on your shoulders to fix it, NOT by denying people with legitimate bids their feast.

[done]

excellent lets keep the updates rolling in

[hiVe]

Thank you [MT and Jed] for the information.

[BioMike]

How was the list with accounts stolen? Was this through a SQL injection?

How will resetting of passwords be arranged?

[klaus]

++1

fine with it.

MtGox is doing good job !!

[MyFarm]

Considering there is a database dump with my mt gox information making its way around the internet, it's obvious your security has been compromised.  I would assume that you're going to do a FULL security and code audit to make sure there aren't further exploits or backdoors placed on your system.  As these audits take awhile, I also assume that you're not going to be back online anytime soon.

Or do I assume wrong?

[DamienBlack]

The rollback is inevitable, and the right thing to do. If it were just a system glitch or a typo, would you still say "what's done is done"? These weren't real trades. Sorry if you don't get to keep 10,000 bitcoins bought at $.10. I'd be pissed too, but there is not an alternative.

[dikidera]

Hello everyone, MagicalTux is busy getting everything back in order on mtgox so he asked me to post here and answer any questions people have.

First, only a small amount of BTC was stolen. MtGox will refund the stolen BTC to the compromised user.

Everyone's bitcoins are safe on the site. We still are holding all the coins safely in reserve. The vast majority of the coins are stored offline so they are impossible to compromise.

He understands the rollback won't be popular with people who were able to pick up coins for .10 or whatever but none of those trades were legitimate so mtgox has a legal obligation to reverse the trades.

I'm sure when you think about it you don't actually want to buy stolen coins and take advantage of the situation.

Things have been very hectic with mtgox since MagicalTux took over. He has simultaneously been trying to fend off persistent ddos attacks, hire more staff, deal with the huge increase in users, improve the code to support the much larger trade volume, permit SQL injection to compromise security, ensure regulatory compliance and deal with various security issues. Obviously things haven't gone as smoothly as we would like but we can see the light at the end of the tunnel with more people being hired and the backend changes done. MtGox will hopefully be able to regain your trust in the coming weeks.

The site should be up again shortly. I'm asking him to clear all the standing orders.

Please post any questions you have here and I'll do my best to answer.

Fix'd

[FairUser]

I think this post was long overdue.  People have been reporting for over a week now that they've been getting hacked on MtGox, and then this happened.  Every account, every e-mail, every (hashed) password. What's sad is that it's taken this long to post about it.  Lots of people have been reporting this and it seems to fall on deaf ears.   They have a whole thread about MtGox accounts that got hacked, yet no word was said to try and calm users or ease concerns.

Sorry to be so hard on you guys, don't get me wrong I love(d) the service, but you NEED to talk with users and tell them what's going on when they report getting hacked, and that needs to happen ASAP...not a week later. I hope your actions or lack thereof don't affect your business when it re-opens....cause I have/had(not sure, can't login) bitcoins with you guys and was looking forward to the value working it's way back up to 20.

HOPEFULLY people will trust you guys after this.  A come back from this level of hack is hard, but I wish you guys the best.  

[jhansen858]

My question is:

how is the situation where people withdrew funds in between the massive selloff and the trading freeze going to addressed?

People who withdrew coins will have a rollback + a withdraw?

[paulie_w]

The rollback is inevitable, and the right thing to do. If it were just a system glitch or a typo, would you still say "what's done is done"? These weren't real trades. Sorry if you don't get to keep 10,000 bitcoins bought at $.10. I'd be pissed too, but there is not an alternative.

grumble. i suppose you're right after all.

fuck it. good luck mtgox. :-)

[klamathonsite]

This just goes to show the safest way to protect your coins are put them on usb key and keep them there until they are ready to sell and i would deffently think twice using mtgox for the service do the fact they have taken down access to our accounts and we have to take a 3rd parties advice to settle down and they they are safe btc or funds this is BULLSHIT with how much i have invested I DO NOT LIKE ANYONE keeping me from my investment. so for this day forward I look to start dealing with people direct and use like clearcoin for the transfer of coins that also cuts out the % mtgox takes. I am freaking pissed I cant trust they took enough security measures to protect us in the first freaking place then they should not have opened their online service.

I dont have to worry about banks not letting me have access to my accounts or funds do to a issue they could not have for-sen so for mtgox.com to pull that shit is a power play with OUR money. Im looking into attornys tomorrow to find out their responsibly
and loss of revenues.

this my opinion and the facts.
Tomorrow is a day of reckoning .

[jed]

> How will resetting of passwords be arranged?

All passwords will be disabled and you will have to reset your password with the email on file. If no email is on file then it will be handled manually.

> How was the list with accounts stolen? Was this through a SQL injection?

We are still investigating.

MyFarm:
Yes the site won't be back online until we are certain there are no other exploits.

[qikaifu]

hope you will be fine after such disaster. It's a good lesson for you.

[Houdini]

That's all nice but the fact remains that thanks to you guys my username, e-mail and password are now out there for anyone to see...

[jhansen858]

@klamathonsite

whoa buddy, if you were investing in stocks, bonds, or other, you wouldn't be able to get your money out any faster.

I recommend you just chillax a tiny bit before you have a burst vessel in the brain.

[jed]

> how is the situation where people withdrew funds in between the massive selloff and the trading freeze going to addressed?
Very few coins were withdrawn between selloff and when we took the site down. We will deal with it on a case by case basis.

[qikaifu]

I think this post was long overdue.  People have been reporting for over a week now that they've been getting hacked on MtGox, and then this happened.  Every account, every e-mail, every (hashed) password. What's sad is that it's taken this long to post about it.  Lots of people have been reporting this and it seems to fall on deaf ears.   They have a whole thread about MtGox accounts that got hacked, yet no word was said to try and calm users or ease concerns.

Sorry to be so hard on you guys, don't get me wrong I love(d) the service, but you NEED to talk with users and tell them what's going on when they report getting hacked, and that needs to happen ASAP...not a week later. I hope your actions or lack thereof don't affect your business when it re-opens....cause I have/had(not sure, can't login) bitcoins with you guys and was looking forward to the value working it's way back up to 20.

HOPEFULLY people will trust you guys after this.  A come back from this level of hack is hard, but I wish you guys the best.  

Hopefully more great entrepreneurs will join bitcoin world, replacing those guys who providing bitcoin service with a one-man company.

[Findeton]

Hi. I'm trying to login but it says "No user with email address -heremyemailaddress-". Should I worry?