MtGox attack from Poland: accounts compromised

[ivanc]

Hello,

It seems that there is an attack going on right now on MtGox from attackers in Poland. The timing of the attack is well chosen: MtGox support service is off in the week-end, the account holders cannot contact MtGox, thus leaving the attackers free to withdraw any money they want.


THE SITUATION:

We are an MtGox customer. We use it to transfer relatively large amounts of money.
In the last few weeks, MtGox has surprisingly stopped processing withdrawals, some of our withdrawals have been pending for 3 weeks now. These are international wire transfers. For Euro SEPA transfer, MtGox warns that it could take months to have it processed.  MtGox is blaming a "large backlog". It might or might not be true, this is MtGox after all.

Today, we received an email about a password reset.
Of course, we never initiated this password reset. MtGox mentions the IP address of the attacker in the password reset email: 178.42.125.117 . This IP address comes from Poland. It seems that the attackers don't even bother using proxies. This request from a IP in Poland didn't worry MtGox, although we consistently access our MtGox account from the UK, and only the UK.

Now, this wouldn't be that worrying, but the thing is we never gave the user ID of our account to anyone or publicly. The only way for an attacker to initiate this password reset would be to have access to the MtGox database.
Furthermore, MtGox sends the password reset email in CLEAR over the internet.

TO SUM UP:

So we have this situation where:
- MtGox doesn't process withdrawals anymore, so all our money sits on the MtGox account.
- MtGox database has been compromised by attackers, presumably in Poland.
- MtGox sends password reset emails in clear.
- MtGox customer service is off in the weekend.


THE RESULT:

Now, if an attacker got access to the MtGox database (at the very least they've got the list of user IDs, since they've got ours), he can also put a server in the same colocation areas as MtGox servers, sniffing their traffic, thus the password reset emails and validation code.

This is presumably what the attacker did.

At the moment, we have no access to our account (but surely the attacker has), and we have no way to contact MtGox, even sending them an email to urgently freeze our account is impossible, as they don't work in the weekend. Meanwhile, the attacker is surely enjoying his new bitcoins, since the bitcoin withdrawal system works very well, even in the weekend.

If anyone has any idea how to handle this type of issue, I would be very thankful.

[1715176184]

1715176184

[1715176184]

1715176184

[1715176184]

1715176184

[1715176184]

1715176184

[coinprize]

Oh shit, would that means price will drop again?

[ivanc]

Oh shit, would that means price will drop again?

Please don't hijack or pollute the topic. Some people are losing real money here.
Thanks in advance.

[Gabi]

No one is losing money, stop spreading FUD

If you are using MtGox: get a yubikey incase you still don't have one

[ivanc]

No one is losing money, stop spreading FUD

If you are using MtGox: get a yubikey incase you still don't have one

If the polish attacker has successfully accessed our account, we are losing money, lots of it.

Yubikey has been ordered months ago, still hasn't come.

[ivanc]

Nice of you to post this without a shred of proof.



~BCX~

My message was very detailed.
Attackers in Poland have access to a list of user IDs, this is proved in the message.
Care to elaborate or are you just a troll?

[Moebius327]

Spreading FUD you are.

[ivanc]

Spreading FUD you are.

Please provide factual information about what is FUD in my message. Trolling is frowned upon on this forum.

[Kouye]

Unless you post some form of proof, it's FUD.

~BCX~

Not taking sides, but how do you expect him to prove they didn't share their account details, were not infected with keyloggers, and don't currently have access to their MtGox account?

[ivanc]

So besides the one-line reply trolls, anyone here who can exchange constructive arguments?

[ivanc]

Spreading FUD you are.

Please provide factual information about what is FUD in my message. Trolling is frowned upon on this forum.

Just because you're supposedly detailed doesn't make it factual.

Why are you the only person so far supposedly attacked?

~BCX~

We have no access to our account at the moment. Someone else must have some access.
Are you claiming this is a false story? I will be providing identification information on this forum once we get some reply from MtGox.
How do you know we're the only compromised account? This happened 2 hours ago.
What are you trying to prove here?

[ivanc]

Spreading FUD you are.

Please provide factual information about what is FUD in my message. Trolling is frowned upon on this forum.

Just because you're supposedly detailed doesn't make it factual.

Why are you the only person so far supposedly attacked?

Look at your post headline, overly dramatic with zero proof that "accounts" were compromised.

Maybe yours because you're careless or make yourself a target, that doesn't make it GOX fault now does it?

~BCX~

Since you edit your posts after they have been replied to (a common trollish behavior), I reply to your edited post:

What make you say we're careless and make ourself a target?
Complete troll.
How come you don't discuss the arguments, but relying on insulting the messenger?

[mateo]

Has MtGox made any announcement yet?
So far it's just your word.

[Kouye]

Anyway, you don't have a lot of options, right now.
You can throw the IP out for investigation in the deep net, if you have any contact there.
Or you can wait for monday, regain access to your account, and depending on the damage, decide wether it's worth trying to file a complaint or not.
Oh, and before you receive your yubikey, at least go for google auth, as it will stop most script kiddies brutally.

[ivanc]

Look at your post title, overly dramatic.

How do you know that MTGOX was compromised?

How do you know it was more than one account?

More than likely you or your company's carelessness combined with the fact you blatantly talk about $10,000 EUR MTGOX transfers in several previous post which is STUPID.

~BCX~

No one knows which account is concerned by this. You won't be able to link it to the forum identity.
So how is this "STUPID"?
Please explain, otherwise you're just trolling, like your other posts.

[Moebius327]

Website: https://mtgox.com/
Facebook: https://www.facebook.com/MtGox
Twitter: https://twitter.com/MtGox
Phone: +81345501529
E-mail: info@mtgox.com
Country: Japan
City: Tokyo
Street: Round Cross Shibuya 5F

Why not call them if this was true? FUD FUD FUD FUD FUD FUD FUD FUD FUD

[ivanc]

Has MtGox made any announcement yet?
So far it's just your word.

That's true, i might be overly dramatic and it might be a false alert.
We are trying to get advice from here, since MtGox support is off for the weekend.

[jl2012]

You use mtgox "to transfer relatively large amounts of money" without using google authentication (you don't need to order a yubikey)? Your loss is deserved

[ivanc]

Website: https://mtgox.com/
Facebook: https://www.facebook.com/MtGox
Twitter: https://twitter.com/MtGox
Phone: +81345501529
E-mail: info@mtgox.com
Country: Japan
City: Tokyo
Street: Round Cross Shibuya 5F

Why not call them if this was true? FUD FUD FUD FUD FUD FUD FUD FUD FUD

Because they are sleeping, and don't work weekend.
TROLL TROLL TROLL
People like you should be banned from trolling once and for all.

[ivanc]

Hey Ivan,

Been waiting for 10 days now for a SEPA withdrawal, the withdrawal status is "confirmed".
Amount is 10,000 EUR.

Posting things like this paint a hug red flag on you.

~BCX~

Doesn't reveal anything about the account, how would you use such information?
Please provide facts this time, not just trolls.

[Moebius327]

Website: https://mtgox.com/
Facebook: https://www.facebook.com/MtGox
Twitter: https://twitter.com/MtGox
Phone: +81345501529
E-mail: info@mtgox.com
Country: Japan
City: Tokyo
Street: Round Cross Shibuya 5F

Why not call them if this was true? FUD FUD FUD FUD FUD FUD FUD FUD FUD

Because they are sleeping, and don't work weekend.
TROLL TROLL TROLL
People like you should be banned from trolling once and for all.

Why are you calling all the people in this thread trolls? Just wanted to help. It seems you are the troll after all.

[ivanc]

Anyway, you don't have a lot of options, right now.
You can throw the IP out for investigation in the deep net, if you have any contact there.
Or you can wait for monday, regain access to your account, and depending on the damage, decide wether it's worth trying to file a complaint or not.
Oh, and before you receive your yubikey, at least go for google auth, as it will stop most script kiddies brutally.

Thanks for the advice, really appreciate it since it's the first post of this kind.

[rizzla]

How do you know mtgox database was compromised?

What do you think is more probable: mtgox db compromised or a trojan in your machine?

If you move such quantities of money through mtgox why do you not use 2 factor auth?

[ivanc]

Website: https://mtgox.com/
Facebook: https://www.facebook.com/MtGox
Twitter: https://twitter.com/MtGox
Phone: +81345501529
E-mail: info@mtgox.com
Country: Japan
City: Tokyo
Street: Round Cross Shibuya 5F

Why not call them if this was true? FUD FUD FUD FUD FUD FUD FUD FUD FUD

Because they are sleeping, and don't work weekend.
TROLL TROLL TROLL
People like you should be banned from trolling once and for all.

Why are you calling all the people in this thread trolls? Just wanted to help. It seems you are the troll after all.

You want to help by writing this one line:

"Why not call them if this was true? FUD FUD FUD FUD FUD FUD FUD FUD FUD"

That's a line of a troll, not someone here to help.
A moderator can confirm that.

[tarrant_01]

Can you please define who the "we" is that you keep referring to please?

[ivanc]

How do you know mtgox database was compromised?

What do you think is more probable: mtgox db compromised or a trojan in your machine?

If you move such quantities of money through mtgox why do you not use 2 factor auth?

If it was a trojan on a machine, the attacker wouldn't even bother requesting for an email reset.
Please read the full message and know what you're talking about before posting stupidities.

[ivanc]

Can you please define who the "we" is that you keep referring to please?

It's a company account, hence "we". How does this help?
Trolling?
Totally unrelated to the topic, again.

[Moebius327]

This guy 
From here: https://bitcointalk.org/index.php?topic=219284.msg2308485#msg2308485

OP:

Hi,
hxxp://mtgox.de and hxxp://mtgox.org are SCAM websites.
Do not download any EXE, they are virus.

OP:

Did Mtgox confirm it was a scam?
I don't think they did.

[ivanc]

How do you know mtgox database was compromised?

What do you think is more probable: mtgox db compromised or a trojan in your machine?

If you move such quantities of money through mtgox why do you not use 2 factor auth?

If it was a trojan on a machine, the attacker wouldn't even bother requesting for an email reset.
Please read the full message and know what you're talking about before posting stupidities.

You have ZERO room to call out posting stupidities. I certainly wouldn't announce that I was making $10K EYR transfers on this forum.

How is this related to the topic? How would you use such information? The forum doesn't even have a usable IP address.
Please respond with facts.

[rizzla]

How do you know mtgox database was compromised?

What do you think is more probable: mtgox db compromised or a trojan in your machine?

If you move such quantities of money through mtgox why do you not use 2 factor auth?

If it was a trojan on a machine, the attacker wouldn't even bother requesting for an email reset.
Please read the full message and know what you're talking about before posting stupidities.

Maybe it was your email account that was compromised then.

[bigdude]

Hello,

It seems that there is an attack going on right now on MtGox from attackers in Poland. The timing of the attack is well chosen: MtGox support service is off in the week-end, the account holders cannot contact MtGox, thus leaving the attackers free to withdraw any money they want.


THE SITUATION:

We are an MtGox customer. We use it to transfer relatively large amounts of money.
In the last few weeks, MtGox has surprisingly stopped processing withdrawals, some of our withdrawals have been pending for 3 weeks now. These are international wire transfers. For Euro SEPA transfer, MtGox warns that it could take months to have it processed.  MtGox is blaming a "large backlog". It might or might not be true, this is MtGox after all.

Today, we received an email about a password reset.
Of course, we never initiated this password reset. MtGox mentions the IP address of the attacker in the password reset email: 178.42.125.117 . This IP address comes from Poland. It seems that the attackers don't even bother using proxies. This request from a IP in Poland didn't worry MtGox, although we consistently access our MtGox account from the UK, and only the UK.

Now, this wouldn't be that worrying, but the thing is we never gave the user ID of our account to anyone or publicly. The only way for an attacker to initiate this password reset would be to have access to the MtGox database.
Furthermore, MtGox sends the password reset email in CLEAR over the internet.

TO SUM UP:

So we have this situation where:
- MtGox doesn't process withdrawals anymore, so all our money sits on the MtGox account.
- MtGox database has been compromised by attackers, presumably in Poland.
- MtGox sends password reset emails in clear.
- MtGox customer service is off in the weekend.


THE RESULT:

Now, if an attacker got access to the MtGox database (at the very least they've got the list of user IDs, since they've got ours), he can also put a server in the same colocation areas as MtGox servers, sniffing their traffic, thus the password reset emails and validation code.

This is presumably what the attacker did.

At the moment, we have no access to our account (but surely the attacker has), and we have no way to contact MtGox, even sending them an email to urgently freeze our account is impossible, as they don't work in the weekend. Meanwhile, the attacker is surely enjoying his new bitcoins, since the bitcoin withdrawal system works very well, even in the weekend.

If anyone has any idea how to handle this type of issue, I would be very thankful.

But you have 2-Factor Authentication enabled right???

Then they couldnt get into your account with just your email and password/

Right  

[ivanc]

But you have 2-Factor Authentication enabled right???

Then they couldnt get into your account with just your email and password/

Right  

Granted, that was pretty stupid of us.
We did order a Yubikey, but never arrived.

[Spaceman_Spiff]

Jezus people, how bout trying to help somebody instead of attacking the messenger or calling them stupid when you hear something you don't like   .

[tarrant_01]

Can you please define who the "we" is that you keep referring to please?

It's a company account, hence "we". How does this help?
Trolling?
Totally unrelated to the topic, again.

It was unclear if you were speaking for several account holders that had all received these password resets. It's more clear now that it is only 1 account that you control.  One account comprimised does not equal the Mt. Gox database being comprimised.  If what you were saying is true, then people would need to take some sort of action if possible.  That's how it helps.

[ivanc]

But you have 2-Factor Authentication enabled right???

Then they couldnt get into your account with just your email and password/

Right  

Granted, that was pretty stupid of us.
We did order a Yubikey, but never arrived.

So now it's looking like the reason for the compromise was

1) Announcing to the world you have large amounts of money on GOX

2) No Yubi Key

3) Multiple people with account access

4) Without 2-Factor Authentication


Anyone still think it was GOX?


~BCX~

Complete troll, shown below:

1) It's not possible to link the identity on this forum ("ivanc") to the MtGox account. Dare to show us how? Please provide our account user ID.
2) Yubikey: that's an additional security measure, in the meanwhile it's true we were doing without yubikey
3) unrelated, all the accesses come from one ip address, from our office in London.
4) same as 2)

[ivanc]

Jezus people, how bout trying to help somebody instead of attacking the messenger or calling them stupid when you hear something you don't like   .

Citation needed.
One guy said we could have a trojan. (we don't, but anyway)
This was unrelated to the discussion, since the attacker asked for an email reset, hence the definition of "stupid".

[ivanc]

But you have 2-Factor Authentication enabled right???

Then they couldnt get into your account with just your email and password/

Right  

Granted, that was pretty stupid of us.
We did order a Yubikey, but never arrived.

So now it's looking like the reason for the compromise was

1) Announcing to the world you have large amounts of money on GOX

2) No Yubi Key

3) Multiple people with account access

4) Without 2-Factor Authentication


Anyone still think it was GOX?


~BCX~

Complete troll, shown below:

1) It's not possible to link the identity on this forum ("ivanc") to the MtGox account. Dare to show us how? Please provide our account user ID.
2) Yubikey: that's an additional security measure, in the meanwhile it's true we were doing without yubikey
3) unrelated, all the accesses come from one ip address, from our office in London.
4) same as 2)

Wow, you really are that stupid aren't you.

1) what needs to be explained about a possible inside theft?

2) What needs to be explained about another account holder getting sloppy with the info somewhere else?

The biggest indicator that you are simply spreading FUD is that you want blame MTGOX as loud as you can without even remotely considering it was your stupidity.

BTW, did you notice this thread was moved from the main forum without a redirection?


~BCX~

Sure, we're completely stupid. Very, very dumb (because you said so).
Thanks for not participating in this topic if you have nothing else to say, you need to spare your precious intelligence for other topics.
Much appreciated.

[ivanc]

To be completely honest, it's highly unlikely that we have lost a single dollar here.
The fiat currency is all in "confirmed" status withdrawals, and all the BTC have been withdrawn before the event.

But still, it's possible that this account has been compromised. And i think there was an open balance of a few hundreds (nothing that we would care about, but better than nothing for a polish attacker).
If it has been compromised, it is quite an interesting attack, since it implies getting your hands on MtGox database (at least the user ID or emails list) and being able to sniff their servers traffic in their Florida colocation.


I'm reposting a message from another user who apparently had the same issue today: https://bitcointalk.org/index.php?topic=255644.0

[ivanc]

To be completely honest, it's highly unlikely that we have lost a single dollar here.
The fiat currency is all in "confirmed" status withdrawals, and all the BTC have been withdrawn before the event.

But still, it's possible that this account has been compromised. And i think there was an open balance of a few hundreds (nothing that we would care about, but better than nothing for a polish attacker).

I'm reposting a message from another user who apparently had the same issue today: https://bitcointalk.org/index.php?topic=255644.0

Wow,

Quite convenient that a newbie account created AFTER your initial post has the exact same unconfirmed, unsubstantiated issue as you. Even more convenient is that you find it within an hour of its creation and use it as validation. Even more extraordinary is that this user with only 1 post has the ability to find your moderator buried post.

Give it up, your MTGOX FUD attempt failed and if you aren't attempting to spread FUD, being as stupid as I have pointed out deserves to be ripped off.

The newbie PMed me since he couldn't post on the original topic.
The moderator didn't bury the initial post, as you claim, at all: https://bitcointalk.org/index.php?topic=255661.0
The newbie will surely be able to confirm by providing identification information, once MtGox confirms all these accounts are frozen for investigation.

You're going to feel very stupid, again. (After ignoring all my posts that asked you for facts)
You must be alone in front of your PC, and because you don't make any money, you try to insult via forums people that do. Get a life for the last time, you're not welcome on this topic.

[ivanc]

Do you feel completely stupid now?
You're claiming our posts are complete fake, but you're just a stupid dumb troll.

[indiekiduk]

I was a victim of this same attack today. I woke up to read a password reset email that I didn't request. I can't log in and the password reset link didn't work either. Although it did say in the reset email that Gox's main support days are Monday to Friday I replied to the reset email saying I didn't request it. And they got back to me in about an hour and said: "We apologize for the inconvenience caused. We have disabled the withdrawals on the account and we are investigating further on this. We will keep you updated."

I've seen 2 other forum users that got the same attack here:
https://bitcointalk.org/index.php?topic=178336.msg2721093#msg2721093
And another on reddit.
http://www.reddit.com/r/Bitcoin/comments/1i7ydk/psa_reminder_do_not_store_anything_of_value_at_a/

I think the OP's theory that someone can access Gox's password reset mails has some merit.

My reset was done from Belgium not Poland though:

request was made from:
> IP: 81.246.181.166
> Browser: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15

[shitaifan2013]

there is a german user claiming the same kind of attack:

https://bitcointalk.org/index.php?topic=255532.0

[CurbsideProphet]

Jump on irc, #mtgox, and see if you can get in touch with them that way. 

[wareen]

I was a victim of this same attack today. I woke up to read a password reset email that I didn't request. I can't log in and the password reset link didn't work either. Although it did say in the reset email that Gox's main support days are Monday to Friday I replied to the reset email saying I didn't request it. And they got back to me in about an hour and said: "We apologize for the inconvenience caused. We have disabled the withdrawals on the account and we are investigating further on this. We will keep you updated."

Exact same story here. My account should be safe though thanks to Yubikey. I'm pretty confident that neither my mail server nor my client machine was compromised but of course there's no way to be 100% sure.

I think the OP's theory that someone can access Gox's password reset mails has some merit.

+1

Here the details from my case:

Time: Sat 13 Jul 2013 07:08:17 AM GMT
IP: 173.160.58.186
Browser: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15

[bitcoinplaza]

I was a victim of this same attack today. I woke up to read a password reset email that I didn't request. I can't log in and the password reset link didn't work either. Although it did say in the reset email that Gox's main support days are Monday to Friday I replied to the reset email saying I didn't request it. And they got back to me in about an hour and said: "We apologize for the inconvenience caused. We have disabled the withdrawals on the account and we are investigating further on this. We will keep you updated."

Exact same story here. My account should be safe though thanks to Yubikey. I'm pretty confident that neither my mail server nor my client machine was compromised but of course there's no way to be 100% sure.

I think the OP's theory that someone can access Gox's password reset mails has some merit.

+1

Here the details from my case:

Time: Sat 13 Jul 2013 07:08:17 AM GMT
IP: 173.160.58.186
Browser: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15

+1
Time: Sat 13 Jul 2013 11:24:38 AM GMT
IP: 95.102.170.242
Browser: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15

[mjosephs]

OP is paranoid fuckball.

[indiekiduk]

Just to follow up, after waiting 24 hours after the original password reset was requested, I did a password reset myself and the email came instantly to my own email and was able to get back in and my balance was still there. So I'm assuming (along with another reddit user) they didn't manage to get into the accounts at all, just for some reason Gox deleted the original password of the accounts that got the bulk reset attempt, preventing us from logging in.

If I was as paranoid as the OP I would thing that it could have been part of some price manipulation strategy, since many users were unable to trade for 24 hours, but I guess that's a bit far fetched.

[hdcafe]

FYI,  a chinese user reported a similar issue

https://bitcointalk.org/index.php?topic=255897.0

[bitbully]

My friend had exact same thing happen to him 2 days ago. Reset email arrived and he got locked out of account. Same opera browser idenitifier. He's still waiting to get access back and check his balance.

[Kouye]

No one is losing money, stop spreading FUD

Spreading FUD you are.

Unless you post some form of proof, it's FUD.
~BCX~

Or not ?

[peetah]

I can vouch that this is happening as well.

Exactly as the OP says, except more feedback from the support staff in that they are looking into it, the funds are safe, and they acknowledge that this has affected a number of accounts.