romsek (OP)
Newbie
 Offline
Activity: 11
Merit: 0
|
 |
June 20, 2011, 02:15:34 AM |
|
[Update - 2:06 GMT] What we know and what is being done. - It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
- Two months ago we migrated from MD5 hashing to freeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
- We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
- Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
- When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.
- Once Mt.Gox is back online, trades 218869~222470 will be reverted.
We will continue to update as we find new information. Source: https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback |
|
|
|
|
DanielC
Newbie
Offline
Activity: 10
Merit: 0
|
|
June 20, 2011, 02:19:09 AM |
|
I guess that makes me feel somewhat better...
|
|
|
|
|
Oldminer
Legendary
Offline
Activity: 1022
Merit: 1001
|
|
June 20, 2011, 02:19:40 AM |
|
lol it will be fun trying to verify my IP seeing as my VPN gives me a new one everytime I connect to the net..hope its not this hard...
|
|
|
|
|
Astro
|
|
June 20, 2011, 02:22:39 AM |
|
Stop hiring the worst security auditors in the world.
|
|
|
|
|
Chick
Member
Offline
Activity: 70
Merit: 10
|
|
June 20, 2011, 02:28:18 AM |
|
Stop hiring the worst security auditors in the world.
They just said it was a "financial auditor". WTF? IKR? |
|
|
|
|
dust
|
|
June 20, 2011, 02:30:08 AM |
|
100-200 BTC + ~1000 USD stolen. Doesn't seem too bad...
|
|
|
|
BCEmporium
Legendary
Offline
Activity: 1218
Merit: 1000
|
|
June 20, 2011, 02:31:33 AM |
|
It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. Someone needs to audits the one who audits...  |
|
|
|
|
Epinnoia
|
|
June 20, 2011, 02:32:20 AM |
|
If the auditor was attacked by a hacker, how was it that the hacker knew that the auditor's machine was even bitcoin-related? Something here doesn't pass the sniff test.
This screams 'inside job'.
|
|
|
|
BCEmporium
Legendary
Offline
Activity: 1218
Merit: 1000
|
|
June 20, 2011, 02:35:03 AM |
|
For me it was Kevin Mitnick disguised as janitor...
|
|
|
|
aral
Newbie
Offline
Activity: 42
Merit: 0
|
|
June 20, 2011, 02:37:32 AM |
|
Yeah, right. The only crackable stuff they got were some idle accounts yet they managed to drive the price to 0.01$ and steal a bucketload of BTC. And... you used unsalted md5? Really? Oh but that was two months ago so it's ok?  Fuck me. |
|
|
|
|
Insuremeplz
Member
Offline
Activity: 113
Merit: 10
|
|
June 20, 2011, 02:42:21 AM |
|
100-200 BTC + ~1000 USD stolen. Doesn't seem too bad...
I don't believe this, unfortunately  |
|
|
|
|
|
DonnyCMU
|
|
June 20, 2011, 02:49:59 AM |
|
100-200 BTC + ~1000 USD stolen. Doesn't seem too bad...
So.... could they, or someone, explain about the 200,000 -400,000 Bitcoins that was sold off, and drove the price down to 1 cent??? |
|
|
|
|
tehcodez
Newbie
Offline
Activity: 42
Merit: 0
|
|
June 20, 2011, 02:52:38 AM |
|
I think he mentioned that
|
|
|
|
|
|
haydent
|
|
June 20, 2011, 02:53:37 AM |
|
is there a way to find out your trade number ? maybe from trade notification email or something ? Once Mt.Gox is back online, trades 218869~222470 will be reverted. |
2x Gigabyte 6950 OC @ 920/450 w/ ati tray tools (1 shader modded) - 760Mhs on ozco.in 0% fee aus pool
btc: 1HS5Brzcsh7XkJn566XYbvfpa2JuBRBdss
|
|
|
|
Epinnoia
|
|
June 20, 2011, 03:06:22 AM |
|
The excuse given was to blame the auditor. And for privacy reasons, they won't name the auditor.
This doesn't make any sense at all. What use is an audit performed by unnamed entities? It's the credentials of the auditor which give credence to the audit they perform, is it not?
|
|
|
|
semarjt
Newbie
Offline
Activity: 27
Merit: 0
|
|
June 20, 2011, 03:18:24 AM |
|
The excuse given was to blame the auditor. And for privacy reasons, they won't name the auditor.
This doesn't make any sense at all. What use is an audit performed by unnamed entities? It's the credentials of the auditor which give credence to the audit they perform, is it not?
What use is it for an auditor to have password hashes? |
|
|
|
|
|
tiberiandusk
|
|
June 20, 2011, 03:20:03 AM |
|
100-200 BTC + ~1000 USD stolen. Doesn't seem too bad...
So.... could they, or someone, explain about the 200,000 -400,000 Bitcoins that was sold off, and drove the price down to 1 cent??? As far as I have gathered those transactions were internal to Mt. Gox and were never paid out. They weren't actual bitcoin transactions. |
|
|
|
|
bitcoinminer
|
|
June 20, 2011, 03:20:58 AM |
|
May not have been an SQL injection, but it was sure as hell a Hot Beef Injection!!!
|
Be fearful when others are greedy, and greedy when others are fearful.
-Warren Buffett
|
|
|
NO_SLAVE
Newbie
Offline
Activity: 56
Merit: 0
|
|
June 20, 2011, 03:22:13 AM |
|
is there a way to find out your trade number ? maybe from trade notification email or something ? Once Mt.Gox is back online, trades 218869~222470 will be reverted. yes THIS ^^^ is there a database of trades and numbers? |
|
|
|
|
|
Astro
|
|
June 20, 2011, 03:22:24 AM |
|
May not have been an SQL injection, but it was sure as hell a Hot Beef Injection!!!
zing |
|
|
|
|
|
