MtGox UPDATE

[JTaBitCoinKing]

i really don't think you can call them 'stolen coins' with a straight face. what's done is done, and it's on your shoulders to fix it, NOT by denying people with legitimate bids their feast.

Coins sold by someone who didn't own them are not stolen? Why? because you got them?

That's very narcissistic, almost psychopathic.

Psychopaths should not benefit from this currency: that's the way the old world worked.

[1713486377]

1713486377

[MyFarm]

MyFarm:
Yes the site won't be back online until we are certain there are no other exploits.

Cool, see you guys in a month or two.  Though you might upset a few people who have thousands of dollars/BTC tied up in your system.

I sure don't envy you at this point.

[bittrader]

All passwords will be disabled and you will have to reset your password with the email on file. If no email is on file then it will be handled manually.

I count almost 4,000 accounts with blank emails — and mine is one of them. How do you plan on handling them manually? How will you verify that whoever is claiming to be the owner really is the owner?

Thanks.

[paulie_w]

i really don't think you can call them 'stolen coins' with a straight face. what's done is done, and it's on your shoulders to fix it, NOT by denying people with legitimate bids their feast.

Coins sold by someone who didn't own them are not stolen? Why? because you got them?

That's very narcissistic, almost psychopathic.

Psychopaths should not benefit from this currency: that's the way the old world worked.

you're completely right and i already retracted that sentiment in an earlier post in this thread.

even if i do feel a little burned (hey it's natural after a seemingly eye-popping win), i'd rather do what is right for this thing to succeed long-term.

[RandyMarsh]

i really don't think you can call them 'stolen coins' with a straight face. what's done is done, and it's on your shoulders to fix it, NOT by denying people with legitimate bids their feast.

Of course they were stolen! They were in essence stolen from the user whos account was compromised, and then used to cause chaos on the market. Regardless of the fact that they were used within the system and by the account of the user who orignally owned them, they were still plainly stolen by the hacker who then simply dumped all but the little bit he could get away with.

They were absolutely Stolen, and almost all trades since the event are Illegitimate in my eyes anyway.

[Bit_Happy]

Thanks for the update, I'm a big fan of your service (the charts are great) and you still have my support.
Any ETA on how long the security fixes will take? Any chance of being up within ~12 hours?

[jorgen]

Jed and Tux made a lot for bitcoin community in the past and I hope this accident will force them make double efforts to secure the No1 exchange! I also had some bids on 14.5 but I do not mind against reversing transactions.

[elmom]

What about the people that have complained that their email is wrong based on the leaked DB. Will you roll back the email addresses too? Someone said (on IRC) they had a hash in the DB corresponding to a password that was changed 19 days ago. And several accounts have been reported as compromised before today's events.

[jhansen858]

Well people, there you have it,

They manned up, took responsibility, are going to make everything right, if necessary on a case by case basis.  

What have we learned?

1) Don't put all your BTC in one basket if you don't want to not have unlimited access to it.
2) This isn't a game, if you cant take the drama, get the fuck out of the kitchen, go back to some safer investment like trading over your margins on the stock market.
3) Don't use easy to un-hash passwords that are the same for every site you use.
4) more control and regulation is needed on the side of the exchanges to limit the price swings much like the real stock market has now

[jatajuta]

This is definitively the digital gold run of the century.

Welcome to the wild west.

[joepie91]

And what about the users who had their accounts compromised in the past few weeks or so?

[unk]

a trade in all conventional currency markets is not 'invalid' merely because it is made with stolen funds. the trades and the theft are two separate issues. people analogizing to the 'flash crash' are doing so without understanding financial markets fully.

s3052, some others, and i have been discussing the proper way to think about this here: https://forum.bitcoin.org/index.php?topic=19593.0

if mt. gox is indeed determined to do what is legally and ethically correct, it seems far too glib to assume that a 'rollback' of transactions is legitimate merely because funds were stolen and then sold. as an analogy, if someone stole us dollars and then bought bitcoins with them, would you be so quick to break the trades? it would seem ridiculous to do so, and i'm afraid it's potentially just as problematic on this side as if the theft happened on the other side. i'm not a lawyer, but i suspect you'll face legal exposure for breaking trades as well, given that you combine the roles both of a broker and an exchange.

in case it matters, i do not have a mt. gox account and would not be directly affected by a rollback. i'm just frustrated with the lack of transparency and have claimed for months that issues with exchanges may prove disastrous for bitcoin's wider adoption.

[Bit_Happy]

And what about the users who had their accounts compromised in the past few weeks or so?

Many were trolls who lied, IMO.
A password hash does not allow you to login. The mysterious big account might have had a virus/key-logger on his PC.

[lacedwithkerosene]

So now you are acknowledging the situation and providing updates but what about an inclusion of a simple apology/saying "We're Sorry" to your customers, is that too much ?  

[Durr]

So now you are acknowledging the situation and providing updates but what about an inclusion of a simple apology/saying "We're Sorry" to your customers, is that too much ?  

Big risk in acknowlidging you are wrong. So they won't say they are sorry.

It'd be like saying "Im guilty" in court.

[mrenouf]

http://oi53.tinypic.com/2mhzq6u.jpg

[joepie91]

And what about the users who had their accounts compromised in the past few weeks or so?

Many were trolls who lied, IMO.
A password hash does not allow you to login. The mysterious big account might have had a virus/key-logger on his PC.

I have had $200 vanish from my account. I have turned my PC upside down, including manual analysis and found no malware of any kind. I had a 20 character alphanumeric mixed case KeePass-generated random password. I was not a victim of the CSRF exploit as I could not reach the Mt. Gox site (thus wasn't logged in) at the moment the funds were stolen. Someone could easily break such a password by using a service like Amazon AWS - and it would actually pay off as you are trying to compromise accounts on a financial service that holds money. Not to mention that miners have hardware that is specifically suited for hashcracking.

Now tell me with a straight face that this was not related to the database leak.

[DamienBlack]

And what about the users who had their accounts compromised in the past few weeks or so?

Many were trolls who lied, IMO.
A password hash does not allow you to login. The mysterious big account might have had a virus/key-logger on his PC.

It does if the password was weak and you brute force it.

[kokojie]

And what about the users who had their accounts compromised in the past few weeks or so?

Many were trolls who lied, IMO.
A password hash does not allow you to login. The mysterious big account might have had a virus/key-logger on his PC.

Actually it does if SQLI attack were possible (which apparently it is at mtgox). All the server want is compare the password hash with the one it had in the db. If you bypass the login box and provide the server with the hash directly thru SQLI attack, the mtgox server would allow you to login.

[klamathonsite]

yeah they got into my email just few minutes ago and then i found new email from mtgox they are still hacking the site.
so DONT TRUST MTGOX they took your info and if you have same mail and same password on Dwolla change it RIGHT NOW OOOH MTGOX!!! Liability i can see if going up higher and higher by the hour.