Author Topic: Mt.Gox hacked audit doubtful  (Read 1096 times)
bitbonga (OP)
June 20, 2011, 12:51:36 PM
 #1

The statement of Mark Karpeles on Mt.Gox includes:

"It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked."

I find this highly doubtful. Why would an audit keep the database on their computer? To me, this is just a statement to forward responsibility on being hacked by an SQL injection on to an external third party who got hacked.

There were a lot of complaints about the security of Mt.Gox, and now, implying an audit is the cause of the database leaking, it is actually pretended that audits were done on the Mt.Gox systems to both catch all complaints and give a reason for the database to be leaked.

What kind of audits are that in the first place? Backing up a database?!

Second, why is only the user table leaked? Where are all the other tables? Tables on orders, sales and buys? Those were not on the audit's computer? Weird story. I presume SQL injection was the cause, not a hacked computer! User tables in a database are easy to guess and therefore easy targets to inject with SQL. Orderbook tables are less common and therefore less guessable on column names and to inject.

Maybe I'm missing some information, but I strongly believe the database was retrieved by SQL injection.

Any other insights or remarks about this?
Caesium
June 20, 2011, 12:57:01 PM
 #2

Where does it say the database was stored on their computer? It doesn't, it says they had read only access - so the attacker presumably used their system to read from the live database.

As for which tables were leaked - the user table is the most interesting/damaging? Who cares about the order table?

bitbonga (OP)
June 20, 2011, 01:15:22 PM
 #3

Where does it say the database was stored on their computer? It doesn't, it says they had read only access - so the attacker presumably used their system to read from the live database.

Ah, misinterpreted that. My bad. Still, if this was the case of the leakage, I would've pulled out the whole thing while at it.

As for which tables were leaked - the user table is the most interesting/damaging? Who cares about the order table?

Well, the most damaging is probably the user table indeed. It would've been worse if bitcoin addresses and their values were connected to those users. There is speculation on who owns a lot, etc. Could've been informative as damaging as well. Same for the orderbook. It would give some insight on who thought what of the value of bitcoins. I would care for that info I guess.
ploum
June 20, 2011, 01:33:19 PM
 #4

The real question is: what kind of auditor has his own computer compromised?

But I think that this is true. Never underestimate stupidity.

bitbonga (OP)
June 20, 2011, 02:25:53 PM
 #5

The real question is: what kind of auditor has his own computer compromised?

Probably the kind which forwards responsibility on to his auditor ;)

Never underestimate stupidity.

It's always good to get a reminder.