MtGox attack from Poland: accounts compromised

[Moebius327]

Website: https://mtgox.com/
Facebook: https://www.facebook.com/MtGox
Twitter: https://twitter.com/MtGox
Phone: +81345501529
E-mail: info@mtgox.com
Country: Japan
City: Tokyo
Street: Round Cross Shibuya 5F

Why not call them if this was true? FUD FUD FUD FUD FUD FUD FUD FUD FUD

Because they are sleeping, and don't work weekend.
TROLL TROLL TROLL
People like you should be banned from trolling once and for all.

Why are you calling all the people in this thread trolls? Just wanted to help. It seems you are the troll after all.

[1715189029]

1715189029

[1715189029]

1715189029

[ivanc]

Anyway, you don't have a lot of options, right now.
You can throw the IP out for investigation in the deep net, if you have any contact there.
Or you can wait for monday, regain access to your account, and depending on the damage, decide wether it's worth trying to file a complaint or not.
Oh, and before you receive your yubikey, at least go for google auth, as it will stop most script kiddies brutally.

Thanks for the advice, really appreciate it since it's the first post of this kind.

[rizzla]

How do you know mtgox database was compromised?

What do you think is more probable: mtgox db compromised or a trojan in your machine?

If you move such quantities of money through mtgox why do you not use 2 factor auth?

[ivanc]

Website: https://mtgox.com/
Facebook: https://www.facebook.com/MtGox
Twitter: https://twitter.com/MtGox
Phone: +81345501529
E-mail: info@mtgox.com
Country: Japan
City: Tokyo
Street: Round Cross Shibuya 5F

Why not call them if this was true? FUD FUD FUD FUD FUD FUD FUD FUD FUD

Because they are sleeping, and don't work weekend.
TROLL TROLL TROLL
People like you should be banned from trolling once and for all.

Why are you calling all the people in this thread trolls? Just wanted to help. It seems you are the troll after all.

You want to help by writing this one line:

"Why not call them if this was true? FUD FUD FUD FUD FUD FUD FUD FUD FUD"

That's a line of a troll, not someone here to help.
A moderator can confirm that.

[tarrant_01]

Can you please define who the "we" is that you keep referring to please?

[ivanc]

How do you know mtgox database was compromised?

What do you think is more probable: mtgox db compromised or a trojan in your machine?

If you move such quantities of money through mtgox why do you not use 2 factor auth?

If it was a trojan on a machine, the attacker wouldn't even bother requesting for an email reset.
Please read the full message and know what you're talking about before posting stupidities.

[ivanc]

Can you please define who the "we" is that you keep referring to please?

It's a company account, hence "we". How does this help?
Trolling?
Totally unrelated to the topic, again.

[Moebius327]

This guy 
From here: https://bitcointalk.org/index.php?topic=219284.msg2308485#msg2308485

OP:

Hi,
hxxp://mtgox.de and hxxp://mtgox.org are SCAM websites.
Do not download any EXE, they are virus.

OP:

Did Mtgox confirm it was a scam?
I don't think they did.

[ivanc]

How do you know mtgox database was compromised?

What do you think is more probable: mtgox db compromised or a trojan in your machine?

If you move such quantities of money through mtgox why do you not use 2 factor auth?

If it was a trojan on a machine, the attacker wouldn't even bother requesting for an email reset.
Please read the full message and know what you're talking about before posting stupidities.

You have ZERO room to call out posting stupidities. I certainly wouldn't announce that I was making $10K EYR transfers on this forum.

How is this related to the topic? How would you use such information? The forum doesn't even have a usable IP address.
Please respond with facts.

[rizzla]

How do you know mtgox database was compromised?

What do you think is more probable: mtgox db compromised or a trojan in your machine?

If you move such quantities of money through mtgox why do you not use 2 factor auth?

If it was a trojan on a machine, the attacker wouldn't even bother requesting for an email reset.
Please read the full message and know what you're talking about before posting stupidities.

Maybe it was your email account that was compromised then.

[bigdude]

Hello,

It seems that there is an attack going on right now on MtGox from attackers in Poland. The timing of the attack is well chosen: MtGox support service is off in the week-end, the account holders cannot contact MtGox, thus leaving the attackers free to withdraw any money they want.


THE SITUATION:

We are an MtGox customer. We use it to transfer relatively large amounts of money.
In the last few weeks, MtGox has surprisingly stopped processing withdrawals, some of our withdrawals have been pending for 3 weeks now. These are international wire transfers. For Euro SEPA transfer, MtGox warns that it could take months to have it processed.  MtGox is blaming a "large backlog". It might or might not be true, this is MtGox after all.

Today, we received an email about a password reset.
Of course, we never initiated this password reset. MtGox mentions the IP address of the attacker in the password reset email: 178.42.125.117 . This IP address comes from Poland. It seems that the attackers don't even bother using proxies. This request from a IP in Poland didn't worry MtGox, although we consistently access our MtGox account from the UK, and only the UK.

Now, this wouldn't be that worrying, but the thing is we never gave the user ID of our account to anyone or publicly. The only way for an attacker to initiate this password reset would be to have access to the MtGox database.
Furthermore, MtGox sends the password reset email in CLEAR over the internet.

TO SUM UP:

So we have this situation where:
- MtGox doesn't process withdrawals anymore, so all our money sits on the MtGox account.
- MtGox database has been compromised by attackers, presumably in Poland.
- MtGox sends password reset emails in clear.
- MtGox customer service is off in the weekend.


THE RESULT:

Now, if an attacker got access to the MtGox database (at the very least they've got the list of user IDs, since they've got ours), he can also put a server in the same colocation areas as MtGox servers, sniffing their traffic, thus the password reset emails and validation code.

This is presumably what the attacker did.

At the moment, we have no access to our account (but surely the attacker has), and we have no way to contact MtGox, even sending them an email to urgently freeze our account is impossible, as they don't work in the weekend. Meanwhile, the attacker is surely enjoying his new bitcoins, since the bitcoin withdrawal system works very well, even in the weekend.

If anyone has any idea how to handle this type of issue, I would be very thankful.

But you have 2-Factor Authentication enabled right???

Then they couldnt get into your account with just your email and password/

Right  

[ivanc]

But you have 2-Factor Authentication enabled right???

Then they couldnt get into your account with just your email and password/

Right  

Granted, that was pretty stupid of us.
We did order a Yubikey, but never arrived.

[Spaceman_Spiff]

Jezus people, how bout trying to help somebody instead of attacking the messenger or calling them stupid when you hear something you don't like   .

[tarrant_01]

Can you please define who the "we" is that you keep referring to please?

It's a company account, hence "we". How does this help?
Trolling?
Totally unrelated to the topic, again.

It was unclear if you were speaking for several account holders that had all received these password resets. It's more clear now that it is only 1 account that you control.  One account comprimised does not equal the Mt. Gox database being comprimised.  If what you were saying is true, then people would need to take some sort of action if possible.  That's how it helps.

[ivanc]

But you have 2-Factor Authentication enabled right???

Then they couldnt get into your account with just your email and password/

Right  

Granted, that was pretty stupid of us.
We did order a Yubikey, but never arrived.

So now it's looking like the reason for the compromise was

1) Announcing to the world you have large amounts of money on GOX

2) No Yubi Key

3) Multiple people with account access

4) Without 2-Factor Authentication


Anyone still think it was GOX?


~BCX~

Complete troll, shown below:

1) It's not possible to link the identity on this forum ("ivanc") to the MtGox account. Dare to show us how? Please provide our account user ID.
2) Yubikey: that's an additional security measure, in the meanwhile it's true we were doing without yubikey
3) unrelated, all the accesses come from one ip address, from our office in London.
4) same as 2)

[ivanc]

Jezus people, how bout trying to help somebody instead of attacking the messenger or calling them stupid when you hear something you don't like   .

Citation needed.
One guy said we could have a trojan. (we don't, but anyway)
This was unrelated to the discussion, since the attacker asked for an email reset, hence the definition of "stupid".

[ivanc]

But you have 2-Factor Authentication enabled right???

Then they couldnt get into your account with just your email and password/

Right  

Granted, that was pretty stupid of us.
We did order a Yubikey, but never arrived.

So now it's looking like the reason for the compromise was

1) Announcing to the world you have large amounts of money on GOX

2) No Yubi Key

3) Multiple people with account access

4) Without 2-Factor Authentication


Anyone still think it was GOX?


~BCX~

Complete troll, shown below:

1) It's not possible to link the identity on this forum ("ivanc") to the MtGox account. Dare to show us how? Please provide our account user ID.
2) Yubikey: that's an additional security measure, in the meanwhile it's true we were doing without yubikey
3) unrelated, all the accesses come from one ip address, from our office in London.
4) same as 2)

Wow, you really are that stupid aren't you.

1) what needs to be explained about a possible inside theft?

2) What needs to be explained about another account holder getting sloppy with the info somewhere else?

The biggest indicator that you are simply spreading FUD is that you want blame MTGOX as loud as you can without even remotely considering it was your stupidity.

BTW, did you notice this thread was moved from the main forum without a redirection?


~BCX~

Sure, we're completely stupid. Very, very dumb (because you said so).
Thanks for not participating in this topic if you have nothing else to say, you need to spare your precious intelligence for other topics.
Much appreciated.

[ivanc]

To be completely honest, it's highly unlikely that we have lost a single dollar here.
The fiat currency is all in "confirmed" status withdrawals, and all the BTC have been withdrawn before the event.

But still, it's possible that this account has been compromised. And i think there was an open balance of a few hundreds (nothing that we would care about, but better than nothing for a polish attacker).
If it has been compromised, it is quite an interesting attack, since it implies getting your hands on MtGox database (at least the user ID or emails list) and being able to sniff their servers traffic in their Florida colocation.


I'm reposting a message from another user who apparently had the same issue today: https://bitcointalk.org/index.php?topic=255644.0

[ivanc]

To be completely honest, it's highly unlikely that we have lost a single dollar here.
The fiat currency is all in "confirmed" status withdrawals, and all the BTC have been withdrawn before the event.

But still, it's possible that this account has been compromised. And i think there was an open balance of a few hundreds (nothing that we would care about, but better than nothing for a polish attacker).

I'm reposting a message from another user who apparently had the same issue today: https://bitcointalk.org/index.php?topic=255644.0

Wow,

Quite convenient that a newbie account created AFTER your initial post has the exact same unconfirmed, unsubstantiated issue as you. Even more convenient is that you find it within an hour of its creation and use it as validation. Even more extraordinary is that this user with only 1 post has the ability to find your moderator buried post.

Give it up, your MTGOX FUD attempt failed and if you aren't attempting to spread FUD, being as stupid as I have pointed out deserves to be ripped off.

The newbie PMed me since he couldn't post on the original topic.
The moderator didn't bury the initial post, as you claim, at all: https://bitcointalk.org/index.php?topic=255661.0
The newbie will surely be able to confirm by providing identification information, once MtGox confirms all these accounts are frozen for investigation.

You're going to feel very stupid, again. (After ignoring all my posts that asked you for facts)
You must be alone in front of your PC, and because you don't make any money, you try to insult via forums people that do. Get a life for the last time, you're not welcome on this topic.

[ivanc]

Do you feel completely stupid now?
You're claiming our posts are complete fake, but you're just a stupid dumb troll.