Bitcoin Forum
Topic: Open Letter to Mybitcoin - Could you please tell me you're not THIEVES?  (Read 5302 times)
LittleGnome (OP), Newbie, Activity: 29, Merit: 0
June 22, 2011, 02:31:16 AM  #1

Hello,

I have a small sum of bitcoins in your system. 3.0 BTC to be exact. After the Mt.Gox hack I immediately changed my password, shortly before your servers went down 'to investigate'. When you came back online, you had reset my password, and so far I have not received an email allowing me to take back my account.

The last time I accessed my account there was 2.72 BTC there. This was -after- I reset my password, so at that point my money -had not- been removed by malicious users. Shortly after that I sent another 0.28 BTC, and then saw the site was down. So I -know- that that money was there and hadn't been stolen using info from the Mt.Gox hack.

You now have a statement saying that you are sending email to users whose passwords you have changed. Others have gotten their accounts back, some with funds, and some without. So far I have seen nothing from you.

So, am I going to get my account back? Will you be sending me a new password? Have you been hacked yourselves, independently of the Mt.Gox hack?

Or, and I ask this as the only other alternative that I can think of, Are You Thieves Yourselves?
kjj, Legendary, Activity: 1302, Merit: 1024
June 22, 2011, 02:37:53 AM  #2

How dare these villains attempt to protect their members' accounts? You should call your lawyer immediately.

LittleGnome (OP), Newbie, Activity: 29, Merit: 0
June 22, 2011, 02:38:50 AM  #3

I have also sent this via email to admin@mybitcoin.con. I have no idea if that is a valid address, but it doesn't bounce back. I threw in 1@, 2@...0@ for good measure.

I feel like I'm beating my head against a wall, but I'd prefer not to let this stand as is.
LittleGnome (OP), Newbie, Activity: 29, Merit: 0
June 22, 2011, 02:44:09 AM  #4

Quote from: kjj
> How dare these villains attempt to protect their members' accounts? You should call your lawyer immediately.

They have no contact information other than snail mail on their site, and they have not spoken publicly about what has happened. This is not the first email I've sent them; it just seems to disappear down a black hole.

If they are legitimately trying to do something about this, I'd like to know about it. But as it stands now I'm hearing nothing, and the rumour mill is going crazy.

The move to protect their users is completely understandable and laudable if that's what they're doing. But frankly this whole thing with them is fishy, and I'd like to know what's really going on.
AngstHase, Newbie, Activity: 39, Merit: 0
June 22, 2011, 02:59:51 AM  #5

Check this board out. Many guys lost their btcs on mybitcoin.

in before: Sending an anonymous currency anonymously to an unknown website in hope they will keep it.

Never ever store your private data online. Neither on dropbox nor elsewhere. AND ESPECIALLY NOT YOUR MONEY.
LittleGnome (OP), Newbie, Activity: 29, Merit: 0
June 22, 2011, 03:11:27 AM  #6

Quote from: AngstHase
> Check this board out. Many guys lost their btcs on mybitcoin.
>
> in before: Sending an anonymous currency anonymously to an unknown website in hope they will keep it.
>
> Never ever store your private data online. Neither on dropbox nor elsewhere. AND ESPECIALLY NOT YOUR MONEY.

I realize that now, and will be more careful in the future, AngstHase. While I'm not doing so well financially that ~50 bux lost doesn't sting, I realize also that my potential loss is comparatively small potatoes.

But given that there's more than just me affected, I'd like some kind of an explanation.
AngstHase, Newbie, Activity: 39, Merit: 0
June 22, 2011, 03:59:11 AM  #7

http://www.mini-forum.de/images/smilies/thumbs_up_smiley.gif
bitprotection, Member, Activity: 103, Merit: 10
June 22, 2011, 04:17:36 AM  #8

LittleGnome - sorry to hear that. We are attempting to create a service to help "cover" people's bitcoins that are lost, so we can stop having people losing all these coins.

I know the service will be controversial (and touchy) in some respects, but hopefully at some point someone has to step in and do this and work with the community. The response has been good so far, with a lot of people signing up to receive email when it comes out (check sig.), but I just wanted to let you know there is some hope down the line, and wishing you the best of luck!

Working on protecting the community!
Chick, Member, Activity: 70, Merit: 10
June 22, 2011, 05:46:12 AM  #9

Quote from: AngstHase
> Check this board out. Many guys lost their btcs on mybitcoin.
>
> in before: Sending an anonymous currency anonymously to an unknown website in hope they will keep it.
>
> Never ever store your private data online. Neither on dropbox nor elsewhere. AND ESPECIALLY NOT YOUR MONEY.

I store money on PayPal and my online bank. I have full control of where it goes. So does anyone who logs into my account.

Noob

LittleGnome (OP), Newbie, Activity: 29, Merit: 0
June 22, 2011, 06:20:05 AM  #10

Quote from: Chick
> Quote from: AngstHase
> > Check this board out. Many guys lost their btcs on mybitcoin.
> >
> > in before: Sending an anonymous currency anonymously to an unknown website in hope they will keep it.
> >
> > Never ever store your private data online. Neither on dropbox nor elsewhere. AND ESPECIALLY NOT YOUR MONEY.
>
> I store money on PayPal and my online bank. I have full control of where it goes. So does anyone who logs into my account.
>
> Noob

Chick, It's great that you can trust PayPal and your bank like that. Who can we trust with BTC?

I'd love it if a service like Mybitcoin could be trusted like that. I'm 'calling them out' right now because they are not showing signs of being worthy of trust. I wish it were otherwise.

To be clear, I'd really like there to be a reasonable explanation and resolution to my and others' complaints. I still hold out hope that that is the case. But I want to hear from them.
Chick, Member, Activity: 70, Merit: 10
June 22, 2011, 06:23:59 AM  #11

Quote from: LittleGnome
> Quote from: Chick
> > Quote from: AngstHase
> > > Check this board out. Many guys lost their btcs on mybitcoin.
> > >
> > > in before: Sending an anonymous currency anonymously to an unknown website in hope they will keep it.
> > >
> > > Never ever store your private data online. Neither on dropbox nor elsewhere. AND ESPECIALLY NOT YOUR MONEY.
> >
> > I store money on PayPal and my online bank. I have full control of where it goes. So does anyone who logs into my account.
> >
> > Noob
>
> Chick, It's great that you can trust PayPal and your bank like that. Who can we trust with BTC?
>
> I'd love it if a service like Mybitcoin could be trusted like that. I'm 'calling them out' right now because they are not showing signs of being worthy of trust. I wish it were otherwise.
>
> To be clear, I'd really like there to be a reasonable explanation and resolution to my and others' complaints. I still hold out hope that that is the case. But I want to hear from them.

Trust is one thing, but someone telling us to totally refrain from storing money online is just plain stupid.

LittleGnome (OP), Newbie, Activity: 29, Merit: 0
June 22, 2011, 06:40:24 AM  #12

I appreciate what you're saying Chick, and I don't think anyone here wants to go back to hoarding mountains of cured meat and trading only for goats whose teeth you can look at.

Or for that matter, cash in a mattress.

But I honestly don't know the answer to whether BTCs should be stored on your own box or online. Both methods have taken a real beating lately. The Mt.Gox troubles and the bitcoin trojan are flip sides of the same security coin.

PayPal and your bank have both billions to throw at security, and deposit insurance.

So it's all Buyer Beware right now, and I took AngstHase's comments in that light. He's just picked a side of the 'reasonable paranoia' debate you don't agree with.

That being said, thanks for standing up for nuanced reasoning.
LittleGnome (OP), Newbie, Activity: 29, Merit: 0
June 23, 2011, 08:43:30 AM  #13

Just bumping this up again. I found an email address that might work on Whois, and tried that.

The last few email guesses I've tried have been doing a 'slow bounce' - I'm getting 'temporary failure : message time out' from the mailer daemon.

Has anyone had more success than me in getting their accounts back?
c0m47053, Newbie, Activity: 8, Merit: 0
June 23, 2011, 09:16:11 AM  #14

I had a similar issue, my password seemed to have changed and I couldn't log in. No email from MyBitcoin. What I had to do was register a second account and use the support system to get in touch with someone. They insisted that my password hadn't been changed by them, which did freak me out a little. However, they did reset my password and my (tiny amount of) bitcoins were all intact.

Hope that helps.
sebdude420, Sr. Member, Activity: 397, Merit: 350
June 23, 2011, 10:08:14 AM  #15

I got this incident report about MyBitcoin accounts.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            From the desk of Tom Williams, operator of MyBitcoin.com

                          For immediate release.

There are a lot of unanswered questions floating around on the Bitcoin
forum and other places about the recent Mtgox password leak, and theft
from the MyBitcoin system.

I will attempt to answer as many of the questions and concerns as best
as I can in order to silence the rumor-mill once and for all.

As many of you already know, Mtgox was hacked and its password file was
leaked. As soon as we heard about the leak we were closely monitoring
the system for abnormal activity, and we didn't see any.

At first glance, we didn't see any hard evidence that a password leak
had even occurred. There was just a lot of speculation to an SQL
injection vulnerability in Mtgox's site. A few clients of ours had
informed us of the forum threads, and we watched them carefully.

The following morning a client of ours sent us the download link to the
leaked Mtgox password file. We prompty downloaded the file, put up a
warning on the main page, and disabled the login.

We attempted to line up usernames from the leak, and we found a lot of
matching ones. We started locking down all of those accounts using a
script that we had to have written at a moment's notice. It was during
this time that we noticed a flurry of spends happening. Yes, even with
the site disabled.

The attacker had active sessions open to the site. We quickly flushed
them and the spends stopped abruptly. We disabled the SCI, all payment
forwarding, and all receipt URL traffic on all of the usernames in the
Mtgox leak.

We proceeded to change the password on every account where the username
matched our system's database. PGP-signed emails went out to all of the
accounts that we changed the password on. If an account didn't have an
email address or had already been compromised we put up a bulletin.
(Email addresses were mandatory when we opened our service initially,
but people complained that it wasn't truly anonymous so we made them
optional. Unfortunately this makes contacting a security-compromised
customer impossible.)

An investigation was conducted at that time, and we determined that the
attacker had opened up a session to each active user/password pair ahead
of time, solved the captcha, and used some sort of bot to maintain a
connection so our system wouldn't timeout on the session. It was likely
his intent to gain access to more accounts than he did, but as soon as
he noticed that we had changed the main page of the site he sprung into
action by sending a flurry of spends.

(Before you ask: no, we don't limit logins per IP address. We can't. We
have a lot of users that come in from Tor and I2P that all appear to
share the same source IP address.)

We've concluded that around 1% of the users on the leaked Mtgox password
file had their Bitcoins stolen on MyBitcoin. It is unfortunate, and a
horrible experience for the Bitcoin community in general.

The IP address that the attacker used was a Tor exit node and the spends
were to an address that is outside of our system.

Now to address the rumors:

No, our database wasn't compromised. We had a 3rd party company audit
our site for SQL injection attacks and we passed. (We did, however, have
one XSS hole in the address book page last month that would allow an
attacker to insert fake entries into a customer's address book. It was
promptly fixed and offending address book entries were purged. Not a
single customer had spent to the fake address book entries.) Every line
of code was audited last month. Literally line by line audited by
professionals, and it was deemed safe.

No, this site isn't being ran by some amateur that just learned how to
program computers. It was created by seasoned programmers that
understand security.

Yes, we use password encryption. We are currently using SHA-256, but
since the recent Mtgox hack we will be upgrading that to something
stronger. It's surprising how many sites still use MD5, even though it
was broken years ago. It is my personal opinion that MD5 be deprecated
from modern operating systems.

We also use whole-disk level encryption on every single one of our
servers. When you fail a disk in a NOC and a level 1 technician replaces
it does he wipe the disk before the RMA/tossing it in the garbage? Not
usually! We know these mistakes happen, so we take precautions. Any and
all servers with an IP KVM on them are ran in secure console mode. The
root passwords are required even for single user mode. All disk keys are
held off-site and were never generated anywhere near the internet. All
server passwords are unique per server and per user, of course. Only two
technicians have access to the secure servers. This access is over a VPN
and we only use secured workstations running Linux and BSD to access
them.

We use BSD servers with MAC, immutable flags, jails, PAX, SSP,
randomized mmap, secure level, a WAF, a DDoS mitigation and alert system
- -- the works. Like I said earlier. We are not amateurs. In fact,
combined we have over 30 years of experience in the payment
processing (credit card arena) industry.

A large amount of the Bitcoin holding is in cold (offline) storage. We
only have a percentage of the holding available hot. This is done for
obvious reasons.

Going forward we are implementing a 2-factor login system,
user-configurable spend limits, better session token tumbling, and a
bunch of new SCI features.

Wishing the Bitcoin community all the best and a swift recovery, and
sincerely yours,


Tom Williams

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MBC v1.0

iQEcBAEBAgAGBQJOAki5AAoJEJ+5g06lAnqF3tcH/0QNKf7aBEg08vML9MCkwTjF
VCoTAPzVaVsdbZOqiRwE2/6420tcFZrsWTXYZYbjXckEiYrl7/DQ2XsLyhk4W567
T1sOCmpH99Z2/VAvTfAd5obRTEGpMQ0SLIrfznyc8MmG4C1GvtVUr4jM79asPmRY
jsIn7v53o9Ra1sN3QcvMskRUU1JmqfqU6MlJrYwXrtc/P9Tjm7D3AtsjfvJRX12Z
9g5y1N+zRGVpp7OK35VFnfmIKtOOtb3IMgG5EhiUllsoXKfz1eE08v4f4d0aQstL
+HGMi3PktL1HBpIRni2n4MAaIXq/EyzxDSzkSHp6v032H70c1kkUibL//QNxQuM=
=VaXC
-----END PGP SIGNATURE-----

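The report above describes three containment steps: lining up usernames from the third-party leak against the local user table, flushing the sessions the attacker had opened before the login page was disabled, and replacing unsalted SHA-256 password storage with something stronger. The following is an added example written for this page, not MyBitcoin's code, that models those steps in Python with only the standard library. The User record, SessionStore, the usernames, passwords and the leak list are all constructed for the illustration, and the per-user auth_generation counter is an assumed mechanism (the report does not say how the flush was done); it is what makes a session minted before the lockdown die even when a keep-alive bot stops it from idling out.

```python
"""Added example for this page, not MyBitcoin's code: the containment steps the
incident report describes, modelled in memory with constructed sample data.
  1. match usernames from a third-party leak against the local user table
  2. lock those accounts and revoke every live session, including ones the
     attacker opened before the lockdown (disabling the login page did not)
  3. migrate legacy unsalted SHA-256 hashes to salted PBKDF2 on next login
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITER = 600_000  # assumed work factor; raise as hardware allows


@dataclass
class User:
    name: str
    pw_hash: str  # "sha256$<hex>" (legacy) or "pbkdf2$<iter>$<salt-hex>$<dk-hex>"
    auth_generation: int = 0  # bumped on lockdown / reset; older tokens die
    locked: bool = False


def legacy_hash(password: str) -> str:
    """Unsalted SHA-256, the scheme the report says was in use."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 (stdlib; scrypt/argon2 are better if available)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITER)
    return f"pbkdf2${PBKDF2_ITER}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Constant-time check against either hash format."""
    scheme, *parts = stored.split("$")
    if scheme == "sha256":
        return hmac.compare_digest(legacy_hash(password), stored)
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


class SessionStore:
    """token -> (username, auth_generation the token was issued under)."""

    def __init__(self, users: dict[str, User]):
        self.users = users
        self.sessions: dict[str, tuple[str, int]] = {}

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or user.locked or not verify(user.pw_hash, password):
            return None
        if user.pw_hash.startswith("sha256$"):
            # the only moment the server holds the plaintext: upgrade the hash now
            user.pw_hash = strong_hash(password)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, user.auth_generation)
        return token

    def resolve(self, token: str) -> Optional[User]:
        entry = self.sessions.get(token)
        if entry is None:
            return None
        name, gen = entry
        user = self.users[name]
        # a keep-alive bot cannot rescue a token minted under an older generation
        if user.locked or gen != user.auth_generation:
            self.sessions.pop(token, None)
            return None
        return user


def contain_leak(store: SessionStore, leaked_usernames: set[str]) -> list[str]:
    """Lock every local account whose username appears in the leak and revoke
    its sessions by bumping the generation. Returns the affected usernames."""
    hit: list[str] = []
    for name, user in store.users.items():
        if name.lower() in leaked_usernames:
            user.locked = True
            user.auth_generation += 1
            hit.append(name)
    return hit


def reset_password(store: SessionStore, name: str, new_password: str) -> None:
    """Owner-initiated recovery: new strong hash, new generation, unlock."""
    user = store.users[name]
    user.pw_hash = strong_hash(new_password)
    user.auth_generation += 1
    user.locked = False


def demo() -> dict:
    users = {  # constructed sample accounts, still on the legacy hash
        "alice": User("alice", legacy_hash("hunter2")),
        "bob": User("bob", legacy_hash("correct horse")),
    }
    store = SessionStore(users)
    attacker_tok = store.login("alice", "hunter2")  # pre-opened with leaked creds
    bob_tok = store.login("bob", "correct horse")   # legitimate; hash upgraded
    hit = contain_leak(store, {"alice", "mallory"})  # alice is in the leak
    return {
        "hit": hit,
        "attacker_alive": store.resolve(attacker_tok) is not None,
        "bob_alive": store.resolve(bob_tok) is not None,
        "bob_upgraded": users["bob"].pw_hash.startswith("pbkdf2$"),
        "alice_relogin": store.login("alice", "hunter2"),
    }
```

The point the report makes the hard way is that disabling the login page does nothing to sessions that already exist. Tying each token to the generation it was issued under turns a lockdown or a password reset into a revocation of every outstanding token for that user, with no per-IP login limit needed (which, as the report notes, Tor and I2P users make unworkable). The hash migration runs at the only moment the server sees the plaintext, a successful login, so legacy hashes drain out of the table without a site-wide forced reset.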
LittleGnome (OP), Newbie, Activity: 29, Merit: 0
June 23, 2011, 04:37:42 PM  #16

Alright. Well thanks for the updates. I've tried the new account approach, so I'll see how that goes.

The response from support is pretty much in line with what I expected to hear from them. It would have been a lot more helpful if they had said that publicly.
LittleGnome (OP), Newbie, Activity: 29, Merit: 0
June 26, 2011, 08:39:37 AM  #17

I have finally heard from support at Mybitcoin.com. As I suspected, I had not received mail because I had not filled in an email address. This is fair enough, but I don't remember this being presented as an option when I signed up.

I will hold my opinions until I see how this matter is resolved. I'll keep you posted.
dinzy, Full Member, Activity: 140, Merit: 100
June 26, 2011, 08:50:19 AM  #18

I have had no issues with them whatsoever.  Granted I have only moved about 10 BTC through them.
Oldminer, Legendary, Activity: 1022, Merit: 1001
June 26, 2011, 08:51:16 AM  #19

Quote from: dinzy
> I have had no issues with them whatsoever. Granted I have only moved about 10 BTC through them.

LittleGnome (OP), Newbie, Activity: 29, Merit: 0
July 04, 2011, 05:24:00 AM (last edit: July 04, 2011, 05:44:52 AM by LittleGnome)  #20

Just left negative feedback here. Strongly urge others to do the same.
http://www.bitcoinfeedback.com/viewuser.php?id=195