Bitcoin Forum
Author Topic: MtGox account compromised  (Read 110066 times)
cryptofo
January 31, 2011, 09:24:27 PM #1

I'm freaking out.  I just checked my mtgox account and all my bitcoins are gone.  It says they were withdrawn to paypal.  I think it got hacked.  Anybody else?
Garrett Burgwardt
January 31, 2011, 09:25:20 PM #2

I have all my bitcoins and USD, all .11 and .49 respectively. I hope that you weren't hacked - how much did you have?
Garrett Burgwardt
January 31, 2011, 09:29:02 PM #3

That sucks man, I hope you get your coins back. Looks like the price was lowered again - I checked the mega chart and the .9 range sales seem to be missing.
rebuilder
January 31, 2011, 09:30:47 PM #4

mike: I don't think that's really possible. Due to its very nature Bitcoin is likely to be used for a lot of transactions where people don't exactly want to advertise that they're buying something. Voluntary reporting systems would therefore be too inaccurate.

cryptofo: "withdrawn to Paypal"? Literally? That makes little sense for two reasons - Paypal doesn't support Bitcoins,  and AFAIK Mt. Gox doesn't support Paypal.

cryptofo
January 31, 2011, 09:33:17 PM #5

I know totally, I'm freaking out.  Can I print screen shots?  It looks like someone got into my account, sold all my bitcoins and then somehow withdrew them through paypal.  AAjhhhhhh
Garrett Burgwardt
January 31, 2011, 09:35:28 PM #6

Just take a screenshot and post it, I'm interested.

http://graphicssoft.about.com/cs/general/ht/winscreenshot.htm
cryptofo
January 31, 2011, 09:49:12 PM #7

I tried to post it, but it said it was too big so I uploaded it here.

http://www.urbanethanol.com/wp-content/uploads/2011/01/bitcoins.jpg
cryptofo
January 31, 2011, 09:53:22 PM #8

This is crazy, I would think if someone hacked my account they would just send themselves my bitcoins, but they actually sold them then withdrew money in a way that you can't withdraw through paypal.  Worse, they sold them when they were at .42.
cryptofo
January 31, 2011, 09:55:47 PM #9

This is the email I just got from someone at mtgox:

Looks like you sold them and sent them to Liberty reserve account: U0764959

On Mon, Jan 31, 2011 at 4:45 PM,  <xx> wrote:

xx

Quoting Jed McCaleb <admin@mtgox.com>:
What is your username?

On Mon, Jan 31, 2011 at 4:22 PM,  <xx> wrote:

I just logged into mtgox and all my bitcoins are gone.  I'm freaking out.
 What happened, please respond.
Anonymous (Guest)
January 31, 2011, 09:56:51 PM #10

> This is crazy, I would think if someone hacked my account they would just send themselves my bitcoins, but they actually sold them then withdrew money in a way that you can't withdraw through paypal.  Worse, they sold them when they were at .42.

Mt Gox doesn't do PayPal withdrawals.
Cryptoman
January 31, 2011, 09:58:32 PM #11

How strong was your password?  Does anyone else who has a clue about Bitcoin have access to your computer?

cryptofo
January 31, 2011, 10:12:39 PM #12

No one has access to my computer, but my password wasn't very strong.  It looks like it came from this IP address, 77.222.42.204, in St. Petersburg, Russia.
cryptofo
January 31, 2011, 10:15:32 PM #13

Mtgox just told me someone was running a dictionary attack. 
superbitcoin
January 31, 2011, 10:32:53 PM #14

Account Information

Account Number U0764959

Account Name Cyber

Account Type User

Created On 11/22/2010 02:41

Balance (USD) hidden

Balance (Euro) hidden

Balance (Gold Grams) hidden
cryptofo
January 31, 2011, 10:40:51 PM #15

I'm so depressed, imagine my surprise to log in and see that the price had almost doubled then to realize my bitcoins were gone.  Almost funny when you think about it.
Garrett Burgwardt
January 31, 2011, 10:48:02 PM #16

It's possible that the owners of the two sites might be able to fix it, I'm not sure. They're not irreversible like bitcoin transactions, so it might happen.
randomguy7
January 31, 2011, 10:58:38 PM #17

I'm still worried about the suddenly disappearing entries in the order book. There also was an entry with price 'NaN' (not a number), which could indicate a bug in data validation.
About the dictionary attack: protecting the login using a captcha might be a good idea, but in my opinion doesn't replace a good password (12+ chars, good entropy).

Btw, this is my first post. Hi everybody :)
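The 'NaN' order-book entry randomguy7 mentions is a classic validation gap. As an added example (not MtGox's code and not posted by anyone in this thread), the block below shows how a naive float-based check lets NaN through, because every ordering comparison with NaN is false, and how a strict Decimal-based check rejects it along with infinities, out-of-range values and off-grid precision. The tick size and price ceiling are assumed values.

```python
from decimal import Decimal, InvalidOperation

# Assumed exchange limits for this example: a 0.00001 price tick and a sanity ceiling.
TICK = Decimal("0.00001")
MAX_PRICE = Decimal("1000000")


def naive_accepts(text: str) -> bool:
    """The kind of check that lets NaN into an order book: float() parses 'nan' and
    'inf', and 'price < 0' is False for NaN, so the negative-price guard never fires."""
    try:
        price = float(text)
    except ValueError:
        return False
    return not (price < 0)


def parse_price(text: str) -> Decimal:
    """Strict parser for an order price: finite, positive, bounded, on the tick grid."""
    try:
        price = Decimal(text.strip())
    except InvalidOperation:
        raise ValueError(f"not a decimal number: {text!r}")
    if not price.is_finite():            # rejects NaN, sNaN and Infinity before any comparison
        raise ValueError("price must be finite")
    if price <= 0 or price > MAX_PRICE:
        raise ValueError("price out of range")
    if price != price.quantize(TICK):    # more digits than the tick size allows
        raise ValueError("price not on tick grid")
    return price


def is_valid_price(text: str) -> bool:
    try:
        parse_price(text)
        return True
    except ValueError:
        return False
```

Validating on the way in (at order submission) rather than on the way out (when rendering the depth table) is what keeps a single bad value from poisoning every consumer of the book.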
kiba
February 01, 2011, 12:35:06 AM #18

My account has nothing to attack. ;)

Garrett Burgwardt
February 01, 2011, 12:49:01 AM #19

Yeah, I specifically don't keep anything in my mtgox account because it seems insecure, same reason I don't trust mybitcoin. I keep my own computer secured, and past that, so if I keep my wallet on my computer and have an encrypted backup, I should be good.
Anonymous (Guest)
February 01, 2011, 01:00:21 AM #20

Unless every password looks something like this one, you'll be vulnerable. :)

k[vUOK1=p9y2'P4y(6,]dx1=\#\Qm1BPI@c{{D+fOvGr~tww4^Yfl/CiP%N|WWE%uuJ\(|$$9,p%,5eIm"nk'I%P79P=*>d&'Sb.ihiDyqfETkyG.%Jl3gmZ]/W2R;<<3~iZoe1)ND;S}$Ds2D`(ejDZ$!pk4M]13hWsMxZ#DCK5]~PXYpzJtVbkxyKr;x=;uc9P""8$S.JZXlXB%EOXN%5W"8D&9ZqYin'6wX`t.nzVGA1!


Vladimir is right. Keepass is easy to use.
Garrett Burgwardt
February 01, 2011, 01:08:49 AM #21

True, but I'm not worth attacking. Someone intent on stealing bitcoins would go after mtgox and mybitcoin accounts before trying to find me.
caveden
February 01, 2011, 08:05:31 AM #22

> 2. Google keepass, download install (on clean system), use.
> 3. If you can remember a password it is too weak. Generate all your passwords, do not reuse the passwords.

Okay, but then you need to store your passwords somewhere, and you'll want to encrypt them... then you need a password-protected key... in a moment you'll have to remember one good password at least...

But yeah, having generated password for sites seems a good idea...

caveden
February 01, 2011, 08:08:46 AM #23

mtgox should not have allowed dictionary attacks to take place. Ask them to sort this out for you.

Normally security-sensitive sites like banks block an account after a number of unsuccessful login attempts, and then require some sort of positive identification to unblock.
Another interesting thing is doing like facebook, which asks several questions each time you log in from an "unusual" IP... it would probably be useless for Tor users as they would not have a "usual" IP in the first place, but it's something.

These things are annoying but it's quite less annoying than having your account stolen like that...

tcatm
February 01, 2011, 08:11:37 AM #24

Offtopic: For easy to remember and secure passwords https://www.pwdhash.com/ works pretty good. There are browser extensions for most browsers.
Mike Hearn
February 01, 2011, 09:57:05 AM #25

MtGox could/should also implement Facebook/Google logins. These companies provide "industrial strength" authentication systems that are secure against things like dictionary attacks, password theft etc. Might as well reuse their investment.
ribuck
February 01, 2011, 10:24:56 AM #26

> MtGox could/should also implement Facebook/Google logins.

Good idea. OpenID, in other words.

Google even offers two-factor authentication to some of its users (password plus mobile phone confirmation).
bitdragon
February 01, 2011, 10:57:03 AM #27

please explain as many are more proficient than myself in this area:
using facebook login? that is the facebook connect thing? so that you could login to mtgox using fb credentials? doesn't sound very appealing... does that mean that :
a) fb can login to your mtgox as they authenticate your credentials?
b) prone to censorship if fb decides a site is no good and does not let you login?
c) same password for all sites, thus you compromise all accounts if one pwd is lost?

thank you for your help in understanding;

Nefario
February 01, 2011, 11:00:12 AM #28

>> MtGox could/should also implement Facebook/Google logins.
>
> Good idea. OpenID, in other words.
>
> Google even offers two-factor authentication to some of its users (password plus mobile phone confirmation).

Or he should not use passwords at all and use gpgauth.

http://www.curetheitch.com/projects/gpgauth/

Right now there is no working plugin for browser but there should be soon, from what I have read. It is also not just a technology, program but a process, protocol for authentication.

Password based authentication has many weaknesses, a move to keypair based authentication is the better thing to do. Then things like dictionary attacks, stealing passwords after breaking in, and rainbow attacks, and storing passwords will not be a problem.

Any news from mtgox and getting his bitcoins back?

mtgox
February 01, 2011, 11:32:44 AM #29

> Any news from mtgox and getting his bitcoins back?

Yeah it is unfortunate. I've contacted Liberty Reserve about it. I fixed it so they can't use this attack anymore. I think his and one other account (I've emailed you) were the only two compromised. Anyone with a decent password would be safe.

Mike Hearn
February 01, 2011, 12:18:45 PM #30

> please explain as many are more proficient than myself in this area:
> using facebook login? that is the facebook connect thing? so that you could login to mtgox using fb credentials? doesn't sound very appealing... does that mean that :
> a) fb can login to your mtgox as they authenticate your credentials?
> b) prone to censorship if fb decides a site is no good and does not let you login?
> c) same password for all sites, thus you compromise all accounts if one pwd is lost?
>
> thank you for your help in understanding;

a) Yes

b) Yes

c) Yes

However, a lot of account hijacking takes place because third party sites are compromised. Facebook is very, very unlikely to be hacked in the same way that MtGox or PlentyOfFish is hacked. If you have a robust password and use a major ID provider to log into sites with, you're at risk of malware and maybe if you don't pay attention phishing, but otherwise you won't be hit by third party site breakins. That's what you want.

Of course you can also create a new password for every single website, but most people don't do that, it's too inconvenient.
slush
February 01, 2011, 12:28:50 PM #31

> Facebook is very, very unlikely to be hacked in the same way that MtGox or PlentyOfFish is hacked.

I'm not paranoic, but don't trust anyone's security just because it's a big player. Facebook logins can be hacked, too. Personally I also use facebook login to some pages, but I'll think twice before using it for my bank account login (which mtgox is)...

ribuck
February 01, 2011, 12:37:58 PM #32

> c) same password for all sites, thus you compromise all accounts if one pwd is lost?
Yes, although in practice most people already compromise (almost) all accounts if they lose the password to their email account, due to the easy availability of password reminder/reset facilities.

A bank does need something more than most other sites. I would be happy to pay a fee to have two-factor authentication on my MtGox account.
sirius
February 01, 2011, 12:57:48 PM #33

> A bank does need something more than most other sites. I would be happy to pay a fee to have two-factor authentication on my MtGox account.

My bank snail mails lists of 300 one-use keys you need when logging in. A quicker but perhaps more expensive option is to send the keys in SMS.

barbarousrelic
February 01, 2011, 01:27:11 PM #34

So were the hacked accounts and the extremely high-value Bitcoin transactions related or not?

ribuck
February 01, 2011, 01:31:09 PM #35

> So were the hacked accounts and the extremely high-value Bitcoin transactions related or not?
It seems unlikely, because the hacker apparently sold bitcoins. This would have tended to lower the MtGox price, not raise it.
Nefario
February 01, 2011, 01:31:39 PM #36

>> A bank does need something more than most other sites. I would be happy to pay a fee to have two-factor authentication on my MtGox account.
>
> My bank snail mails lists of 300 one-use keys you need when logging in. A quicker but perhaps more expensive option is to send the keys in SMS.

An application for your mobile phone that generates a lot of one-time passwords, then encrypts them using the server's public key and sends the list to the server to be used. You can then use the passwords when you need, as long as you don't lose your phone.

But I think authentication using public/private keys is better, as long as you don't lose your key or let it get compromised.
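The one-time code list that sirius (mailed list of 300 codes) and Nefario (list generated on the phone and pushed to the server) describe, as an added example that is not code from either of them, from any bank, or from MtGox. It assumes the codes are generated on the client, that only position-bound salted hashes are enrolled with the server, and that enrollment happens over an already-authenticated TLS session, so the public-key encryption of the list Nefario mentions is left out. Code length, list size and the failure limit are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example.
CODE_COUNT = 300       # sirius's bank mails lists of 300 codes
CODE_DIGITS = 8
MAX_FAILURES = 3       # wrong codes in a row before the list is disabled


def _digest(salt: bytes, index: int, code: str) -> bytes:
    # Bind each code to its slot, so a code valid at slot i is never accepted at slot j.
    return hashlib.sha256(salt + index.to_bytes(4, "big") + code.encode()).digest()


class OtpClient:
    """The phone/app side: generates the list and keeps the plaintext codes."""

    def __init__(self, server_salt: bytes, count: int = CODE_COUNT):
        self.salt = server_salt
        self.codes = [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(count)]

    def enrollment_hashes(self) -> list:
        # Only hashes leave the device; the server never holds the plaintext list.
        return [_digest(self.salt, i, c) for i, c in enumerate(self.codes)]

    def code_for(self, index: int) -> str:
        return self.codes[index]


class OtpServer:
    """The exchange side: stores hashes only, consumes codes in order, locks after repeated failures."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.hashes = []
        self.next_index = 0
        self.failures = 0

    def enroll(self, hashes) -> None:
        self.hashes = list(hashes)
        self.next_index = 0
        self.failures = 0

    def challenge(self):
        """Which code the user must type next; None if the list is exhausted or locked."""
        if self.failures >= MAX_FAILURES or self.next_index >= len(self.hashes):
            return None
        return self.next_index

    def verify(self, code: str) -> bool:
        index = self.challenge()
        if index is None:
            return False
        if hmac.compare_digest(_digest(self.salt, index, code), self.hashes[index]):
            self.next_index += 1   # consumed: a captured or replayed code is now worthless
            self.failures = 0
            return True
        self.failures += 1
        return False

    def remaining(self) -> int:
        return len(self.hashes) - self.next_index


def demo_roundtrip() -> dict:
    """Enroll a short list and exercise normal use, replay and guessing; returns the outcomes."""
    server = OtpServer()
    client = OtpClient(server.salt, count=10)
    server.enroll(client.enrollment_hashes())
    first = client.code_for(server.challenge())
    outcomes = {
        "first_use": server.verify(first),
        "replay": server.verify(first),                              # same code again
        "second_use": server.verify(client.code_for(server.challenge())),
        "guesses": [server.verify("00000000") for _ in range(MAX_FAILURES)],
    }
    outcomes["locked"] = server.challenge() is None
    outcomes["remaining"] = server.remaining()
    return outcomes
```

Because the server keeps only slot-bound hashes, a database dump yields nothing reusable, and because each code is consumed on first acceptance, sniffing one login (the concern raised later in the thread) does not let the sniffer log in a second time.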

sandos
February 01, 2011, 02:19:21 PM #37

When was this bruteforcing done? I have a weird (I think) transaction on my mt gox account:

Code:
When            Type           Description Delta BTC Delta USD Total BTC Total USD
01/24/11 00:17 Payment Process   united         0 0         0          0

riX
February 01, 2011, 04:02:59 PM #38

> When was this bruteforcing done? I have a weird (I think) transaction on my mt gox account:
>
> Code:
> When            Type           Description Delta BTC Delta USD Total BTC Total USD
> 01/24/11 00:17 Payment Process   united         0 0         0          0

Me too: (Where it says "Withdraw Paypal" I actually withdrew some LRUSD to Liberty Reserve..)

Code:
When Type Description Delta BTC Delta USD Total BTC Total USD
01/30/11 18:54 Withdraw Paypal U------- 0 -x.x x.x x.x
01/30/11 --:-- Sold BTC xxx.xx for 0.xxxx -x.x x.x x.x x.x
01/30/11 --:-- Sold BTC xxx.xx for 0.xxxx -x.x x.x x.x x.x
01/24/11 15:00 Payment Process united 0 0 x.x x.x
01/24/11 00:17 Payment Process united 0 0 x.x x.x
01/23/11 --:-- Withdraw BTC --- -x.x 0 x.x x.x

Anonymous (Guest)
February 01, 2011, 04:05:23 PM #39

Alright, who do we go to for an accurate exchange rate now?
Astro
February 01, 2011, 05:00:44 PM #40

Any site that stores or trades bitcoins should implement the option of some kind of security token or OTP technology.  I've had good success with Yubikeys.

http://www.yubico.com/yubikey
fabianhjr
February 01, 2011, 05:48:15 PM #41

> Captcha is better than nothing. Do the ad ones and make a few pennies off the hackers.
>
> Store a column on the table for failed attempts. If the count > 5 then require a captcha with the password. On a successful login, reset the count.
>
> If the count say, gets over 50, lock the account for verification, or run a cron to reset it on a daily basis.
>
> Another flag inside the account when they first login could show these hack attempts, something along the lines of "57 attempts to login to your account were done prior to this login from IP: " etc... TOR IP's of course won't be very helpful.
>
> Last log in from IP can also be helpful if people pay attention to it and normally login from a similar address.
>
> None of that makes it bullet proof, but it certainly makes it easier to quickly spot an issue. Needless to say, your password shouldn't be password for something that stores money in it.

You _never_ lock based on an account. You _lock_ based on the IP address the request came from. (Look into the account lockout denial of service attack.)

ElectricGoat
February 01, 2011, 05:53:56 PM #42

> You _never_ lock based on an account. You _lock_ based on the IP address the request came from. (Look into the account lockout denial of service attack.)

Locking an IP doesn't protect against distributed attacks. A temporary lock of the account seems preferable to a loss of hundreds of bitcoins. Simply locking an account for one minute makes it horribly slow to try a brute force attack.

fabianhjr
February 01, 2011, 06:05:13 PM #43

What if my goal is just to stop you from participating in the market? If I just want to kick you, I just let some bruteforcers run forever and you would never be able to enter again. Even if it is just 1 minute, then in 0.000001 seconds you are blocked again and again and again. :/

ribuck
February 01, 2011, 06:13:31 PM #44

> Simply locking an account for one minute makes it horribly slow to try a brute force attack.
No, that doesn't work. Instead of trying 100,000 passwords on one account, the attacker simply tries one password on 100,000 accounts. Same chance of success.
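An added example (not MtGox's code, and not code posted by anyone in this thread) that implements the policy sketched in the post fabianhjr quoted in #41 (failure counter per account, captcha after a few failures, temporary lock after many, a "prior attempts / last login IP" notice on success) together with the three caveats raised since: ElectricGoat's short lock, fabianhjr's lockout denial of service (the lock is brief and the counter resets on a real login), and ribuck's point that one password tried across 100,000 accounts sidesteps a per-account lock, which is handled by throttling any source that fails across many distinct accounts. Thresholds, usernames, the password check and the addresses are constructed for illustration.

```python
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed thresholds for this example, not MtGox's real policy.
CAPTCHA_AFTER = 5                # failed attempts on one account before a captcha is demanded
LOCK_AFTER = 50                  # failed attempts on one account before a temporary lock
LOCK_SECONDS = 60                # short lock: a lockout-DoS costs the victim a minute at a time
SPRAY_ACCOUNTS_PER_SOURCE = 10   # distinct accounts failing from one IP => throttle the source


@dataclass
class AccountState:
    failures: int = 0              # consecutive failures, reset on a real login
    locked_until: float = 0.0
    attempts_since_login: int = 0  # shown to the user at next login
    last_login_ip: str = ""


@dataclass
class LoginGuard:
    # username -> password, constructed; a real service stores password hashes and verifies those
    users: dict
    accounts: dict = field(default_factory=lambda: defaultdict(AccountState))
    failed_accounts_by_ip: dict = field(default_factory=lambda: defaultdict(set))
    ip_throttled_until: dict = field(default_factory=lambda: defaultdict(float))

    def requirements(self, username: str, ip: str, now: float) -> dict:
        """What the login endpoint must enforce before it even evaluates a password."""
        acct = self.accounts[username]
        return {
            "captcha": acct.failures >= CAPTCHA_AFTER,
            "account_locked": now < acct.locked_until,
            "source_throttled": now < self.ip_throttled_until[ip],
        }

    def attempt(self, username: str, password: str, ip: str, now: float, captcha_ok: bool = False) -> dict:
        req = self.requirements(username, ip, now)
        if req["account_locked"] or req["source_throttled"]:
            return {"ok": False, "reason": "throttled"}
        if req["captcha"] and not captcha_ok:
            return {"ok": False, "reason": "captcha_required"}
        acct = self.accounts[username]
        stored = self.users.get(username, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            notice = {"prior_failed_attempts": acct.attempts_since_login, "last_login_ip": acct.last_login_ip}
            acct.failures = 0
            acct.attempts_since_login = 0
            acct.last_login_ip = ip
            return {"ok": True, "notice": notice}
        acct.failures += 1
        acct.attempts_since_login += 1
        if acct.failures >= LOCK_AFTER:
            acct.locked_until = now + LOCK_SECONDS
        # Spraying signal: one source failing across many distinct accounts.
        self.failed_accounts_by_ip[ip].add(username)
        if len(self.failed_accounts_by_ip[ip]) >= SPRAY_ACCOUNTS_PER_SOURCE:
            self.ip_throttled_until[ip] = now + LOCK_SECONDS
        return {"ok": False, "reason": "bad_password"}


def demo() -> dict:
    """Walk through a dictionary attack on one account, the owner's next login, and a spray."""
    guard = LoginGuard(users={"alice": "correct-horse-battery-staple"})
    out = {}
    for _ in range(CAPTCHA_AFTER):
        guard.attempt("alice", "wrong", "203.0.113.5", now=0.0)
    out["after_5"] = guard.attempt("alice", "wrong", "203.0.113.5", now=1.0)["reason"]
    reason = None
    for _ in range(LOCK_AFTER):   # attacker keeps going with captchas solved until the lock hits
        reason = guard.attempt("alice", "wrong", "203.0.113.5", now=2.0, captcha_ok=True)["reason"]
    out["after_lock"] = reason
    # The owner logs in after the lock expires and is told what happened.
    out["login"] = guard.attempt("alice", "correct-horse-battery-staple", "198.51.100.7", now=70.0, captcha_ok=True)
    # One password across many accounts from a single source.
    for i in range(SPRAY_ACCOUNTS_PER_SOURCE):
        guard.attempt(f"user{i}", "Password1", "203.0.113.9", now=100.0)
    out["spray_11th"] = guard.attempt("user10", "Password1", "203.0.113.9", now=101.0)["reason"]
    return out
```

The per-source throttle is a heuristic, not a complete answer to a distributed spray; a global failure-rate alarm and the second factor discussed earlier in the thread are what close that gap.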
DarkMatter
February 01, 2011, 06:21:25 PM #45

Hi everyone,
I'm sorry for not introducing myself before, but I guess we have much more important things to talk about right now.
Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?

Hal
February 01, 2011, 06:24:42 PM #46

Now I'm paranoid. I just tried to login to mtgox from my iPad and got an invalid certificate error. The issuer is certificates.godaddy.com. Has anyone else gotten this? I suspect it is a misconfiguration of the mtgox server a la http://blog.boxedice.com/2009/05/11/godaddy-ssl-certificates-and-cannot-verify-identity-on-macsafari/.

Hal Finney
LZ
February 01, 2011, 06:46:19 PM #47

I cannot find my orders in the Depth Table! Does anybody else? :-/

kiba
February 01, 2011, 06:50:11 PM #48

Code:
01/24/11 00:16 Payment Process united 0 0 0.003 0
It seems that I'll have to change my security practice too.

ElectricGoat
February 01, 2011, 06:51:35 PM #49

> No, that doesn't work. Instead of trying 100,000 passwords on one account, the attacker simply tries one password on 100,000 accounts. Same chance of success.
Of course, it shouldn't be the only security measure, but that's a very helpful one. Trying a password on 100k accounts is slightly more difficult, because you need 100k user names.

nelisky
February 01, 2011, 06:58:32 PM #50

> Code:
> 01/24/11 00:16 Payment Process united 0 0 0.003 0
> It seems that I'll have to change my security practice too.
Code:
01/24/11 00:16 Payment Process united 0 0 -0.002 0.005

Don't we all... funny how the times are sync'd though.
LZ
February 01, 2011, 07:01:47 PM #51

Yeah, what is that?
Code:
01/24/11 14:51 Payment Process united
01/24/11 00:16 Payment Process united

kiba
February 01, 2011, 07:02:25 PM #52

> Don't we all... funny how the times are sync'd though.

Well, I didn't have a dictionary password. I used numbers, and a symbol. Maybe it wasn't long enough? In any case, this is a terrible thing to happen.

kiba
February 01, 2011, 07:09:12 PM #53

Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.

DarkMatter
February 01, 2011, 07:11:17 PM #54

> Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.

That's the problem. As you have already stated, this was not a "weak password" hack.
Guess Vladimir is wrong. Could the whole MtGox platform be compromised? Looks so.

[edit]
A brute force/dictionary attack would lead to many "errors" in the platform log.
You are logging failed login attempts, right MtGox?
[/edit]
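DarkMatter's point that an online guessing attack leaves a trail of failed logins, as an added detection example (not MtGox's logging or code, and not posted by anyone in this thread). It parses constructed log lines in an assumed "timestamp event user=... ip=..." format and flags the two attack shapes discussed above, a dictionary attack on one account and one password sprayed across many accounts, plus the pattern that would have stood out on the compromised account: a successful login right after a long run of failures from the same source. The addresses are documentation ranges, the thresholds are assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log; the format is assumed, not MtGox's real one.
SAMPLE_LOG = "\n".join(
    ["2011-01-31T16:10:02 login_ok user=alice ip=198.51.100.7"]
    + [f"2011-01-31T16:20:{i:02d} login_failed user=victim ip=203.0.113.5" for i in range(30)]
    + ["2011-01-31T16:21:30 login_ok user=victim ip=203.0.113.5"]
    + [f"2011-01-31T16:25:{i:02d} login_failed user=user{i} ip=203.0.113.9" for i in range(12)]
    + ["2011-01-31T16:30:00 login_failed user=bob ip=198.51.100.8",
       "2011-01-31T16:30:05 login_ok user=bob ip=198.51.100.8"]
)

LINE_RE = re.compile(r"^(\S+) (login_ok|login_failed) user=(\S+) ip=(\S+)$")


def analyze(log_text: str, dictionary_threshold: int = 20, spray_threshold: int = 10) -> dict:
    """Flag dictionary attacks (many failures on one account from one source), password
    spraying (one source failing across many accounts) and successes that follow a run of
    failures, which is the strongest sign that a password was guessed rather than known."""
    failures = Counter()               # (ip, user) -> failed attempts so far
    accounts_by_ip = defaultdict(set)  # ip -> accounts it has failed against
    suspicious_logins = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                   # tolerate unparseable lines instead of crashing the job
        ts, event, user, ip = m.groups()
        if event == "login_failed":
            failures[(ip, user)] += 1
            accounts_by_ip[ip].add(user)
        elif failures[(ip, user)] >= dictionary_threshold:
            suspicious_logins.append(
                {"ts": ts, "user": user, "ip": ip, "failures_before": failures[(ip, user)]}
            )
    return {
        "dictionary": sorted((ip, user, n) for (ip, user), n in failures.items() if n >= dictionary_threshold),
        "spraying": sorted((ip, len(users)) for ip, users in accounts_by_ip.items() if len(users) >= spray_threshold),
        "suspicious_logins": suspicious_logins,
    }
```

A single failure followed by a success (bob above) is normal and must not page anyone; the thresholds are what separate typos from an attack, and the "success after many failures" finding is the one worth acting on immediately, since it names the account to freeze.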

nelisky
February 01, 2011, 07:12:49 PM #55

> Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.

I'm no security expert nor am I knowledgeable of mtgox's code, but as a coder when I see my account being stripped of 0.005 coins, which you can't see on the UI unless you look at history and do some math... well, it sounds like the actual server was compromised and DB's scraped.

Just saying.
kiba
February 01, 2011, 07:15:55 PM #56

MtGox said that the event on 1/24 was people merely accessing my account for name.

In other words, it wasn't compromised, maybe?

Even so, I do not feel safe.

DarkMatter
February 01, 2011, 07:17:27 PM #57

Have a look at https://mtgox.com/support/tradeAPI
User credentials are passed along in clear text with GET method, not POST method.
That's sad man, anyone able to sniff the server traffic would have all the credentials.


My bad, that's false.
Didn't read the "The following take your Mt Gox username and password as parameters. They must be sent as a POST. " part.

DarkMatter
February 01, 2011, 07:19:33 PM #58

>>> Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.
>>
>> That's the problem. As you have already stated, this was not a "weak password" hack.
>> Guess Vladimir is wrong. Could the whole MtGox platform be compromised? Looks so.
>
> I am not wrong, I might be not very well informed :D
>
> Yea, it might be worse. Speculating further, in presence of virtually no useful information, just knowing the general way how web developers do stuff these days, I would guess that this might be a SQL injection attack, where the attacker got to the user auth database and bruteforced password hashes (probably even using a bunch of 5970 :) ).
>
> Hopefully, mtgox will come up with a statement and stop all these speculations soon.


Sorry man, didn't mean to treat you bad :P
MtGox should put the whole stuff offline before more BTC are stolen.
And then investigate further.

kiba
February 01, 2011, 07:22:36 PM #59

> I am not wrong, I might be not very well informed :D
>
> Yea, it might be worse. Speculating further, in presence of virtually no useful information, just knowing the general way how web developers do stuff these days, I would guess that this might be a SQL injection attack, where the attacker got to the user auth database and bruteforced password hashes (probably even using a bunch of 5970 :) ).
>
> Hopefully, mtgox will come up with a statement and stop all these speculations soon.


Maybe you could start a bitcoin security company in which you certify sites for following security protocols?

theymos (Administrator)
February 01, 2011, 07:35:01 PM #60

> User credentials are passed along in clear text with GET method, not POST method.
> That's sad man, anyone able to sniff the server traffic would have all the credentials.

POST is also easily-readable plaintext... GET is just visible in the URL. GET parameters are encrypted when using HTTPS.

Cdecker
February 01, 2011, 07:43:08 PM #61

Just to add another statement: I too am seeing the Payment Process united transaction, with exactly the same time; it looks a lot more like a cron job to me. If the database were compromised as some people suggested there would not be any entry, they'd just send the money off without being so polite as to inform the users where the money went. Same for the platform compromised discussion.

My best guess is that it was in fact a dictionary attack. Could the affected people please share the strength of their password using http://www.passwordmeter.com/ to not publish real passwords on the Forum?

My account doesn't seem to be compromised since it still shows me my dollar balance like I left it a few weeks ago.

Still waiting for an official statement by MtGox :D

Drifter
February 01, 2011, 07:48:41 PM #62

My account is one that was compromised. My password is randomly generated and strength is 100% according to that site.

My password is above and beyond safer than necessary. A dictionary attack is very unlikely.

Cdecker
February 01, 2011, 07:51:28 PM #63

> My account is one that was compromised. My password is randomly generated and strength is 100% according to that site.
>
> My password is above and beyond safer than necessary. A dictionary attack is very unlikely.
Next best guess: sniffing traffic. Are you using the HTTP or the HTTPS URL to log in?

cryptofo
February 01, 2011, 07:54:09 PM #64

Thank you Vladimir for your support, and kind words from all.  These are the emails to mtgox.

Jed,
I've contacted Liberty Reserve abuse and received their standard spiel.  I'm really upset, I've been collecting these bitcoins for over a year.  I think this is unfortunate because MTGOX is one of the primary sources for liquidity and market price, but this type of insecurity is a vulnerability to the bitcoin community.  This was not caused by complete negligence on my part.  My computer was not compromised.  My username and password are specific to this site.  This is a specific attack that was directed at mtgox.  My password may have been weak (8 characters, numbers and letters), but it was a vulnerability on your end that allowed someone to use a dictionary attack.  It is important to know that mtgox is willing to make their best efforts to reconcile a compromise of this nature.  If there is any way you can replace some if not all of the 900+ bitcoins that were stolen from me, I think it would stand as a gesture of support from mtgox and instill some faith in mtgox from the bitcoin community.


Quoting Jed McCaleb <admin@mtgox.com>:

I'm not sure how they got your username. From the bitcoin forum maybe?
Are you going to make a statement on the bitcoin forum with some  information?
I'm not sure what I would say there. I made the attack impossible now and I don't think anyone else's account was compromised.
Are you going to contact Liberty Reserve?
I can but you should also. The more people complaining about that account the better.



On Mon, Jan 31, 2011 at 6:19 PM,  <XXXXXXXXXXXXX> wrote:
I understand this is somewhat out of your control and I should not have had
a password that started with a, but how did they know my username?  Are you
going to make a statement on the bitcoin forum with some information?  Are
you going to contact Liberty Reserve?

Quoting Jed McCaleb <admin@mtgox.com>:
I checked that IP and that was from the person running the attack. So
he must have guessed your password. I'm sorry...
How do you know someone was running a dictionary attack?
I saw the repeated login attempts. But I changed the login page so
they can't do it now.

Liberty Reserve has a contact form on their site.



On Mon, Jan 31, 2011 at 5:14 PM,  <XXXXXXXXXXXX> wrote:

How do you know someone was running a dictionary attack?  On your end?  Do you know how I can get in touch with Liberty Reserve?

Quoting Jed McCaleb <admin@mtgox.com>:
This will tell you:
http://www.ip2location.com/demo.aspx

Well someone was running a dictionary attack so if your password was
simple he may have gotten it.
You could try writing Liberty Reserve and see if they can help since
they have the money now.
Sorry,
Jed.

On Mon, Jan 31, 2011 at 5:06 PM,  <XXXXXXXXXXXX> wrote:

Anything's possible, this seems like a rather specific attack.  I can't
believe this.  Can you tell where these Ip addresses are?

Quoting Jed McCaleb <admin@mtgox.com>:
Could someone have got your password somehow?

XXX.XXX.64.10
77.222.42.204
XXX.XXX.64.10
XXX.XXX.56.44

These are the IPs that have logged into your account
Jed.

On Mon, Jan 31, 2011 at 4:54 PM,  <XXXXXXXXX> wrote:

Someone hacked my account and did this.

Quoting Jed McCaleb <admin@mtgox.com>:
Looks like you sold them and sent them to Liberty reserve account:
U0764959

On Mon, Jan 31, 2011 at 4:45 PM,  <###########> wrote:

XXXXXXX

Quoting Jed McCaleb <admin@mtgox.com>:
What is your username?

On Mon, Jan 31, 2011 at 4:22 PM,  <##########> wrote:

I just logged into mtgox and all my bitcoins are gone.  I'm
freaking
out.
 What happened, please respond.
DarkMatter
February 01, 2011, 07:55:06 PM
 #65

Quote from: Drifter
My account is one that was compromised. My password is randomly generated and strength is 100% according to that site.

My password is above and beyond safer than necessary. A dictionary attack is very unlikely.
Quote from: Cdecker
Next best guess: sniffing traffic. Are you using the HTTP or the HTTPS URL to log in?

You are automatically redirected to https, just checked.

Feed The Troll!! | 1JKdTyUjxo5VJoaQKjp4oUnXqdSSErC1mp
rebuilder
February 01, 2011, 07:56:16 PM
 #66

Whoa, whoa, whoa. Are we sure those odd "united" transactions on the 24th have anything to do with the unauthorized access? I have that too, as pretty much everyone seems to, but haven't lost any BTC or USD. Cryptofo, on the other hand, did have funds stolen, and that happened on the 28th, 4 days later. Everyone who's saying their accounts were compromised, did you lose something or are you referring to the odd transaction on the 24th. I'd like to hear what mtgox has to say on the events on the 24th before concluding those are related to any kind of foul play at all. For all we know it was some kind of cleanup operation related to the rounding errors reported before. I know I had a negative balance on mtgox at some point due to those.

Selling out to advertisers shows you respect neither yourself nor the rest of us.
---------------------------------------------------------------
Too many low-quality posts? Mods not keeping things clean enough? Self-moderated threads let you keep signature spammers and trolls out!
Drifter
February 01, 2011, 08:00:27 PM
 #67

I'm only referring to the Jan 24th incident personally. Sorry for the confusion. And yes, I always use HTTPS as you are redirected automatically.

kiba
February 01, 2011, 08:04:48 PM
 #68

Quote from: Drifter
I'm only referring to the Jan 24th incident personally. Sorry for the confusion. And yes, I always use HTTPS as you are redirected automatically.

They are merely fishing for names.

fabianhjr
February 01, 2011, 08:06:09 PM
 #69

I have 7 random (generated) + a salt of at least 5 chars and I still see an odd transaction. The good thing is that I didn't have any funds at that time. So, anything official about what happened yet?

Cdecker
February 01, 2011, 08:07:38 PM
 #70

So until now we have 1 confirmed compromised account (cryptofo) and several other reporting some strange transaction 4 days earlier.

IMHO that transaction has nothing to do with the attack at all. Could cryptofo please check the strength of the used password?

Just trying to keep panic down and get the matter resolved :D

fabianhjr
February 01, 2011, 08:13:37 PM
 #71

Dunno, maybe you can get a sell on short while you have the chance. :P

As for the 24th incident, it could show that there was indeed a compromise or MtGox checking something.

mtgox
February 01, 2011, 08:20:55 PM
 #72

Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.

There were only two accounts that had money stolen from them as far as I can tell.

It was a dictionary attack since I saw it happening.

I plugged the vulnerability that allowed them to run the attack so your weak passwords will be safe again.

I'm still working out with cryptofo if/how to reimburse him.

Ideally Liberty Reserve would help us since they can easily fix the issue. But they don't seem to be cooperating. Anyone have ideas there?

DarkMatter
February 01, 2011, 08:24:41 PM
 #73

Quote from: mtgox
Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.

There were only two accounts that had money stolen from them as far as I can tell.

It was a dictionary attack since I saw it happening.

I plugged the vulnerability that allowed them to run the attack so your weak passwords will be safe again.

I'm still working out with cryptofo if/how to reimburse him.

Ideally Liberty Reserve would help us since they can easily fix the issue. But they don't seem to be cooperating. Anyone have ideas there?


Finally, your answer is much appreciated.
Guess you both share the responsibility for the story, vulnerability + weak password = 50:50

Drifter
February 01, 2011, 08:46:40 PM
 #74

Sorry for the ones that lost coins.

But weak passwords on a site that has ANYTHING to do with finances?

http://lastpass.com/
http://keepass.info/
http://strongpasswordgenerator.com/
http://www.passwordchart.com/


They all work great, depending on what you need.

fabianhjr
February 01, 2011, 08:55:53 PM
 #75

So, has anyone identified the attacker? I had been checking the IP with no luck.

nanotube
February 01, 2011, 08:58:54 PM
 #76

Quote from: mtgox
Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.

There were only two accounts that had money stolen from them as far as I can tell.

It was a dictionary attack since I saw it happening.

I plugged the vulnerability that allowed them to run the attack so your weak passwords will be safe again.

I'm still working out with cryptofo if/how to reimburse him.

Ideally Liberty Reserve would help us since they can easily fix the issue. But they don't seem to be cooperating. Anyone have ideas there?


libertyreserve doesn't ever reverse transactions. they're trying to be a 'hard currency'. so you're pretty much SOL there.

Join #bitcoin-market on freenode for real-time market updates.
Join #bitcoin-otc - an over-the-counter trading market. http://bitcoin-otc.com
OTC web of trust: http://bitcoin-otc.com/trust.php
My trust rating: http://bitcoin-otc.com/viewratingdetail.php?nick=nanotube
kiba
February 01, 2011, 09:02:06 PM
 #77


Quote from: nanotube
libertyreserve doesn't ever reverse transactions. they're trying to be a 'hard currency'. so you're pretty much SOL there.

Don't forget what paypal did to mtgox and to the bitcoin economy. Hard currencies are a better alternative.

kiba
February 01, 2011, 09:04:00 PM
 #78

Quote from: fabianhjr
So, has anyone identified the attacker? I had been checking the IP with no luck.

What are we going to do? Call the police?

cryptofo
February 01, 2011, 09:10:23 PM
 #79

I don't know, but they're in St. Petersburg, Russia.  I'm boycotting vodka!!
DarkMatter
February 01, 2011, 09:13:00 PM
 #80

Quote from: cryptofo
I don't know, but they're in St. Petersburg, Russia.  I'm boycotting vodka!!

Yep, that IP address is shared by some Russian websites.
http://bgp.he.net/net/77.222.40.0/22
spaceweb.ru, a Russian web space provider.

ribuck
February 01, 2011, 09:27:14 PM
 #81

Quote from: mtgox
Almost everyone had transactions from "united" ... It does mean that the attacker has your username
A question for people here: Did everyone who has the "united" transaction have a MtGox account name that is also a Forum username? Because it's easy enough to get a list of Forum names.

I have the "united" transaction, and my MtGox account name also happens to be a Forum username (although it's not 'ribuck').

Quote from: mtgox
I plugged the vulnerability that allowed them to run the attack so your weak passwords will be safe again.
Weak passwords are never safe. Mine is 71% according to the Password Meter, and I'll be improving it.
randomguy7
February 01, 2011, 09:31:03 PM
 #82

Mine has absolutely no relation to my forum nick and I have that weird entry, too.
LZ
February 01, 2011, 09:47:44 PM
 #83

I do not know what you guys will do, but I just withdrew all my funds to my bitcoin wallet and to my LR account.

Mt.Gox does not seem reliable to me now.

Cusipzzz
February 01, 2011, 10:05:17 PM
 #84

sure that sounds nice and all....but what happens when:

1. create mtgox account
2. load up with BTCs
3. give Russian friend credentials and have them spam other failed attempts first to make it look legit
4. create forum pressure for mtgox to reimburse
5. profit !

While I agree there is some site responsibility, no way he should cover some guy with a password of 'password'
LZ
February 01, 2011, 10:13:28 PM
 #85

I think it should be safer: using login attempts limit, binding to a range of IP, requesting PIN, using OpenID, etc.

Quote from: ribuck
Did everyone who has the "united" transaction have a MtGox account name that is also a Forum username?
Yes, I have the same account name.

cryptofo
February 01, 2011, 10:14:35 PM
 #86

I'm with you Vladimir :) , that's what I was trying to get across in my email to him.  Still haven't heard back.

Cusipzzz - I hear what you are saying, but that was not the case here.  There was a clear vulnerability at mtgox and my password wasn't "password".  It was a combination of 8 letters and numbers.  Not a dolphin's butt, I know, but mtgox stated that there was a hole that he fixed.  And I have to pay the price.  The site also accepted it as a valid password.
Cusipzzz
February 01, 2011, 10:18:55 PM
 #87

crypto - because the site accepted it doesn't mean a lot.

There has to be some user responsibility in all of these cases. Not sure what the % is in this case, just saying.

My password could be 'pWf32fWSf@35%@#4f@#4', perfectly secure, but if I use that same password on a Russian PS3 hacking forum, is it mtgox's fault your account later gets taken from Russia? Sure, you may say it was unique to mtgox, but how does he know? Just playing a little devil's advocate, that's all.



nelisky
February 01, 2011, 10:27:54 PM
 #88

Quote from: Cusipzzz
crypto - because the site accepted it doesn't mean a lot.

There has to be some user responsibility in all of these cases. Not sure what the % is in this case, just saying.

My password could be 'pWf32fWSf@35%@#4f@#4', perfectly secure, but if I use that same password on a Russian PS3 hacking forum, is it mtgox's fault your account later gets taken from Russia? Sure, you may say it was unique to mtgox, but how does he know? Just playing a little devil's advocate, that's all.

I guess common sense comes to play here. I for one fully trust Jed, so if he told me someone used my account by trying out 3 different passwords I'd pretty much accept full responsibility. But that is not the case here, there was a dictionary attack so either the site doesn't allow weak passwords or it has to have measures to prevent these attacks. Or it is the site owner responsibility.
Of course we are all grown ups and I'm glad to see that the parties here are talking to each other trying to find a solution.
cryptofo
February 01, 2011, 10:33:54 PM
 #89

I hear ya.  I'm not pointing the finger at mtgox and demanding they accept all responsibility.  The reality is a bug was found in a system that we all want to trust.  Bugs get discovered and bugs get patched.  It could have been a lot worse.  Suppose they gained control of more than just my bitcoins and began to manipulate the market.  Bitcoin as a whole is very experimental at this point.  The anonymous nature of it leaves little accountability to anyone other than ourselves.  At this point and up to this point it doesn't look like MTGOX wants to take any responsibility.  That's cool, just a year and a half of generating down the tubes.
cryptofo
February 01, 2011, 10:38:54 PM
 #90

I trust Jed too, I don't think anyone in the bitcoin community is out to get anyone.  We all want what's best for bitcoin.  If this tightens up security at mtgox and makes bitcoin stronger and we all learned a lesson then I guess that's good for bitcoin.  Just sucks to be the one taking it on the chin for it.
nelisky
February 01, 2011, 10:40:23 PM
 #91

If the story is as it was told on the forum, I'm sure Jed will come around. It does sound like you were not to blame in any way for what happened, an 8 char numbers and symbols password might not be a 'strong password' but it is still much better than most other passwords there, I bet. It was certainly better than the one I had (and have now changed to something more realistic).
caveden
February 01, 2011, 10:55:43 PM
 #92

Quote from: nelisky
I guess common sense comes to play here. I for one fully trust Jed, so if he told me someone used my account by trying out 3 different passwords I'd pretty much accept full responsibility. But that is not the case here, there was a dictionary attack so either the site doesn't allow weak passwords or it has to have measures to prevent these attacks. Or it is the site owner responsibility.

It's not the site owner responsibility. I don't want to blame the victim either (only the criminals are to blame), but MtGox doesn't have any obligation whatsoever of refunding him. Unless they had explicitly sold such guarantees, they don't have any obligation in keeping our funds protected at all. It's our choice to trust or not in their capacity to do so.

They should have, of course, interest in protecting their site and maybe even refunding our friend here. But that opens dangerous precedents for them as somebody else has already noticed... this case seems true, but who knows about the next that might come...

The whole problem with this is that the bitcoin world is still too small to have professional insurances behind everything. Normally insurance companies would refund such losses, and these same insurances audit the platform for security flaws etc.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
The Madhatter
February 01, 2011, 11:02:04 PM
 #93

Quote from: kiba
What are we going to do? Call the police?

:D You can't be serious...
S3052
February 01, 2011, 11:07:40 PM
 #94

It would be good to get the exchanges to a level of other exchanges / bank accounts where you can trade.

On most of the accounts, you get transaction numbers as one time codes for each transaction, on top of your normal username and password verification.

Establishing those transaction numbers on bitcoin exchanges would make it much much more secure.
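
The per-transaction one-time code described in the post above, as an added example that is not code from MtGox or any exchange named in the thread. Besides the password, each withdrawal must carry an HMAC computed from a secret the user holds outside the website (a separate device, app or printed generator) over a counter and the exact transaction details, so a guessed password alone cannot move funds, and a code observed once can be neither replayed nor re-pointed at another destination. The account names, destination labels, 6-digit format and HOTP-style truncation are assumptions chosen for illustration.

```python
# Added example, not code from MtGox or any exchange in the thread.
import hashlib
import hmac
import os
import struct

CODE_DIGITS = 6          # assumed code length


def transaction_code(secret: bytes, counter: int, amount_satoshi: int, destination: str) -> str:
    """User side: HMAC over the counter and the transaction details,
    truncated to digits the way HOTP (RFC 4226) does it."""
    msg = struct.pack(">QQ", counter, amount_satoshi) + destination.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class WithdrawalAuthorizer:
    """Server side: one secret and one expected counter per account. The
    secret is never typed into the login form, so a dictionary attack on
    the password does not yield it."""

    def __init__(self):
        self.secrets = {}    # username -> shared secret
        self.counters = {}   # username -> next expected counter

    def enroll(self, username: str) -> bytes:
        secret = os.urandom(32)
        self.secrets[username] = secret
        self.counters[username] = 0
        return secret        # handed to the user once, out of band

    def authorize(self, username: str, amount_satoshi: int, destination: str, code: str) -> bool:
        secret = self.secrets.get(username)
        if secret is None:
            return False
        counter = self.counters[username]
        expected = transaction_code(secret, counter, amount_satoshi, destination)
        if not hmac.compare_digest(expected, code):
            return False
        self.counters[username] = counter + 1   # each counter value is usable once
        return True


# Constructed destinations; placeholders, not real addresses.
ALICE_DEST = "dest-alice-cold-wallet"
ATTACKER_DEST = "dest-attacker"


def demo():
    """Constructed walk-through: a genuine withdrawal, the same code replayed,
    and a fresh code copied onto a different destination. Returns
    (first_ok, replay_ok, redirected_ok)."""
    server = WithdrawalAuthorizer()
    secret = server.enroll("alice")
    amount = 900 * 100_000_000                    # 900 BTC in satoshi
    code = transaction_code(secret, 0, amount, ALICE_DEST)
    first = server.authorize("alice", amount, ALICE_DEST, code)
    replay = server.authorize("alice", amount, ALICE_DEST, code)
    code2 = transaction_code(secret, 1, amount, ALICE_DEST)
    redirected = server.authorize("alice", amount, ATTACKER_DEST, code2)
    return first, replay, redirected


if __name__ == "__main__":
    print(demo())
```

Binding the code to amount and destination is what distinguishes this from a plain TAN list: a printed list of static codes only proves the user has the list, whereas this construction also proves the user saw the exact transaction being approved. A production version would additionally tolerate a small counter look-ahead window for codes that were generated but never submitted.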

nelisky
February 01, 2011, 11:09:45 PM
 #95

Quote from: nelisky
I guess common sense comes to play here. I for one fully trust Jed, so if he told me someone used my account by trying out 3 different passwords I'd pretty much accept full responsibility. But that is not the case here, there was a dictionary attack so either the site doesn't allow weak passwords or it has to have measures to prevent these attacks. Or it is the site owner responsibility.

Quote from: caveden
It's not the site owner responsibility. I don't want to blame the victim either (only the criminals are to blame), but MtGox doesn't have any obligation whatsoever of refunding him. Unless they had explicitly sold such guarantees, they don't have any obligation in keeping our funds protected at all. It's our choice to trust or not in their capacity to do so.

It is still the site owner responsibility. I'm not saying there's an obligation of refunding any losses, that's where the contracts, insurances and premiums come in, but rather that only the site owner could have prevented this, and I'm sure in this case Jed has already closed this particular hole.

If there's any obligation, legal, moral or otherwise, I'm in no position to say. Having happened to me, I would ask for a refund but not require one, as you put it, and very well, I'm the one that trusted the site in the first place. I would go so far as to say Jed should have an opt-in system that would raise the fee per transaction for those who chose to allow it, and the extra fees would go to a fund to cover just these situations, but then it would become very hard to separate real cases from scams, and I don't think Jed wants to become a lawyer (assuming he's not one already) :)
Nefario
February 01, 2011, 11:32:09 PM
 #96

Quote from: kiba
What are we going to do? Call the police?

Quote from: The Madhatter
:D You can't be serious...


The result would probably be that if the police ever did investigate, they would report you to the IRS for tax fraud or something like that.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Ricochet
February 01, 2011, 11:34:46 PM
 #97

Somewhat off-topic, but regarding this from a few pages earlier:

Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?

The faucet is now empty. 
nelisky
February 01, 2011, 11:40:56 PM
 #98

Quote from: Ricochet
Somewhat off-topic, but regarding this from a few pages earlier:

Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?

The faucet is now empty.

I see 200BTC there, and when I read your previous message it was 208BTC (give or take). One of us is looking at the wrong place :)
Ricochet
February 01, 2011, 11:44:42 PM
 #99

Quote from: nelisky
I see 200BTC there, and when I read your previous message it was 208BTC (give or take). One of us is looking at the wrong place :)
Yeah I dunno what happened.  Upon refreshing the page I now see 200.78, though I do promise you that when I posted it indeed said "The faucet is now empty, try again tomorrow, maybe some kind person will donate some" or something to that effect.  Must have been a glitch in the site or something.  My apologies for the minor panic and off-topic chatter.
cryptofo
February 01, 2011, 11:46:20 PM
 #100

By choosing to be involved in the bitcoin experiment and trading $ for btc in the first place we expose ourselves to inherent risk.  This is something we all understand.  By trusting that a particular site is secure I take the risk, I get that.  I understand the "what happens in the future when..." argument, but this is the case right now. Mtgox had a security hole.  As an ancillary benefit to the attack, Jed has discovered a hole and fixed it.  Mtgox is now more secure.  The bitcoin community is more secure.  I am out 900 btc.  I in effect was used to expose a flaw in their security and never compensated for it.  I'm clearly biased in my opinion, but this should be considered a cost of doing business on Jed's part.  I'm not saying that mtgox should be responsible for any and all situations and possibilities, but honestly if I was running the site and this had happened I would make it a point to see that the user was made good.
bitdragon
February 02, 2011, 01:29:39 AM
 #101

It's a cost for the group as a whole and this time you took the hit;
so thank you and I'll happily share some of the cost and donate a few coins to the amount of 55BTC

Not much but I don't have that many yet - but I made a copy of my wallet ;)

mtgox
February 02, 2011, 01:53:16 AM
 #102

People keep asking me so...

The only accounts that were compromised were cryptofo and one other who I emailed. No other accounts were compromised. If you are still worried about it simply change your password.

I've paid out a lot to fraudsters since I started mtgox. But I admit I should have had something in place to prevent successive login attempts. But also a password such as abcd1234 is 4 letters and 4 numbers but would be found very quickly by any attack like this. 
Anyway it seems fair to restore half your coins.




cryptofo
February 02, 2011, 01:56:46 AM
 #103

Wow, bitdragon that really warms my heart.  I would really appreciate that.  I think this might be a good time to share a little more about myself and the project I have been working on and what led me to bitcoin in the first place.  It's a bit off topic and something I wasn't planning to share for a while as the project has been on the backburner while I've been busy with another project, but here goes.

I believe that what draws most of us to Bitcoin is an inherent desire for freedom and independence.  It is this same desire that drove me to invest many many hours and months into another project.  To some it may seem unrelated, but I have ideas and plans that could benefit both bitcoin as well my project.  At first there may seem to be no correlation, but as we dig deeper you will discover some very exciting possibilities.  They are lofty ambitions, but I'm building a framework for the future.  It's in its infancy, but there is some core information on a video on my page openalcohol.org.

To anyone who may want to donate some bitcoins to the project and/or to myself as I have just been robbed of 900+ there is a link to donate some bitcoins on this page.  http://openalcohol.org/node/25

At this point I won't dedicate too much about it here as this is a bitcoin forum, but if people are interested contact me at info@openalcohol.com and I will start doing my best to build up the site.

Thank you for your time and support
-Cryptofo
cryptofo
February 02, 2011, 02:00:04 AM
 #104

I think that would be incredibly fair also.  Thank you mtgox.
kiba
February 02, 2011, 02:04:09 AM
 #105

Quote from: cryptofo
To anyone who may want to donate some bitcoins to the project and/or to myself as I have just been robbed of 900+ there is a link to donate some bitcoins on this page.  http://openalcohol.org/node/25

-Cryptofo

What is openalcohol?

Nefario
February 02, 2011, 02:09:19 AM
 #106

mtgox, how much have fraudsters cost you so far? And are you still making profit?

cryptofo
February 02, 2011, 02:09:48 AM
 #107

Openalcohol.org is to be the homepage for a project I am starting.  There is a video on it that I think you will find very interesting and the basis for my project.
kiba
February 02, 2011, 02:23:59 AM
 #108

come on guys, let finish with this topic and let it fall into annals of history and off the front page.

Falling off? I am waiting for MtGox to implement several major security reforms or something like that.

Anonymous (Guest)
February 02, 2011, 02:44:32 AM
 #109

20btc sent. It looks like an interesting project.



bitcoinex
February 02, 2011, 02:58:23 AM
 #110

come on guys, let finish with this topic and let it fall into annals of history and off the front page.

We can change annoying topic

New bitcoin lottery: probiwon.com
- Maybe you even believe in the Invisible Hand of the Market? - Why believe in something that can be observed directly?
DELTA9
February 02, 2011, 04:48:33 AM
 #111

Quote from: LZ
I do not know what you guys will do, but I just withdrew all my funds to my bitcoin wallet and to my LR account.

Mt.Gox does not seem reliable to me now.
QFT.

I do not understand why anyone would keep their bitcoins w/ mtgox. An encrypted wallet.dat is the only way I will ever store mine.
Nefario
February 02, 2011, 06:43:31 AM
 #112

Quote from: LZ
I do not know what you guys will do, but I just withdrew all my funds to my bitcoin wallet and to my LR account.

Mt.Gox does not seem reliable to me now.
Quote from: DELTA9
QFT.

I do not understand why anyone would keep their bitcoins w/ mtgox. An encrypted wallet.dat is the only way I will ever store mine.

That means you will never be able to use any services that anyone provides.

Keefe
February 02, 2011, 07:58:57 AM
 #113

cryptofo:
Would you be willing to tell us the password you used, that the thief managed to guess? I assume you no longer use it anywhere. :-)

mtgox:
Could you tell us approximately how many login attempts were made by the thief before successfully guessing cryptofo's password? If it was less than say 10000, then we'd know it was just a really weak/guessable password.

I notice that there's now a delay when logging into mtgox.com, which I think is a great way to prevent major brute-force/dictionary attacks. But I'm wondering if you've implemented any additional login protections, such as longer delays after a certain number of failed attempts from a single IP?
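
The login-side control discussed in this post and in mtgox's #102 ("something in place to prevent successive login attempts"), as an added example that is not MtGox's code. Failed logins are counted per account and per source IP; the first failure at or past a threshold locks that key for a minute, and every further failure doubles the lockout. A request refused by the throttle is answered with the same generic message as a wrong password, so the form cannot be used to confirm which usernames exist. The thresholds, the sample user table, the IP addresses and the word list are assumptions constructed for the demonstration.

```python
# Added example; not code from MtGox or anyone in the thread.
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILS_PER_ACCOUNT = 5          # assumed thresholds; tune for the site
MAX_FAILS_PER_IP = 20
BASE_LOCKOUT_SECONDS = 60.0
GENERIC_FAILURE = "invalid username or password"   # one message for every failure


class LoginThrottle:
    """Counts failures per account and per IP. The first failure at or past a
    threshold locks that key for 60 s; every further failure doubles it."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.fails = defaultdict(int)   # ("acct", name) or ("ip", addr) -> count
        self.locked_until = {}          # same keys -> unlock time

    def _locked(self, key):
        return self.clock() < self.locked_until.get(key, 0.0)

    def check(self, username, ip):
        """True if this request may be verified at all."""
        return not (self._locked(("acct", username)) or self._locked(("ip", ip)))

    def record_failure(self, username, ip):
        now = self.clock()
        for key, limit in ((("acct", username), MAX_FAILS_PER_ACCOUNT),
                           (("ip", ip), MAX_FAILS_PER_IP)):
            self.fails[key] += 1
            excess = self.fails[key] - limit
            if excess >= 0:
                self.locked_until[key] = now + BASE_LOCKOUT_SECONDS * 2 ** excess

    def record_success(self, username):
        self.fails.pop(("acct", username), None)
        self.locked_until.pop(("acct", username), None)


def _pw_hash(password):
    # Stand-in for the site's real password hashing; not the point of this example.
    return hashlib.sha256(password.encode()).digest()


# Constructed user table. "abcd1234" is the example mtgox gives of a password
# that any attack like this finds quickly.
USERS = {"victim": _pw_hash("abcd1234")}


def login(username, password, ip, throttle=None):
    """Returns (ok, message). Unknown users, wrong passwords and throttled
    requests all get GENERIC_FAILURE. throttle=None models the unprotected
    login page the attacker found."""
    if throttle is not None and not throttle.check(username, ip):
        return False, GENERIC_FAILURE
    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(stored, _pw_hash(password)):
        if throttle is not None:
            throttle.record_success(username)
        return True, "ok"
    if throttle is not None:
        throttle.record_failure(username, ip)
    return False, GENERIC_FAILURE


# Constructed word list: 10,000 filler words, then the real password last.
WORDLIST = [f"word{i:04d}" for i in range(10_000)] + ["abcd1234"]


def simulate_dictionary_attack(wordlist, throttled=True, budget_seconds=86_400):
    """One attacker IP, one target account, one guess per second for at most a
    day. Returns (found, guesses_verified, requests_rejected)."""
    now = [0.0]                                   # fake clock, advanced by the loop
    throttle = LoginThrottle(clock=lambda: now[0]) if throttled else None
    verified = rejected = idx = 0
    while idx < len(wordlist) and now[0] < budget_seconds:
        if throttle is not None and not throttle.check("victim", "198.51.100.7"):
            rejected += 1                         # refused before any password check
        else:
            verified += 1
            ok, _ = login("victim", wordlist[idx], "198.51.100.7", throttle)
            if ok:
                return True, verified, rejected
            idx += 1
        now[0] += 1.0
    return False, verified, rejected


if __name__ == "__main__":
    print("no throttle:", simulate_dictionary_attack(WORDLIST, throttled=False))
    print("throttled:  ", simulate_dictionary_attack(WORDLIST, throttled=True))
```

Unthrottled, the simulated attacker verifies all 10,001 guesses in under three hours; with the doubling lockout it gets about fifteen verified guesses in a whole day and never reaches the password. The two counters cover each other's blind spot: the per-account lock holds when the attacker rotates IPs, and the per-IP lock catches spraying a few passwords across many usernames. The cost is that anyone who knows a username can lock its owner out for a while, which is why the per-account lockout is usually paired with a notification or a CAPTCHA rather than left to grow without bound.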

Keefe
February 02, 2011, 08:05:11 AM
 #114

I ask because although "8 characters, numbers and letters" isn't very strong, it would take a huge number of attempts to purely brute-force if it were random. Or is the point here that it was a single word and a couple digits, easily broken by a dictionary attack? How weak was it really?

I use unique random 16-character passwords (upper, lower, and digits) most places. I assume I'm totally safe from the kind of attack that compromised cryptofo's account.

caveden
February 02, 2011, 08:30:34 AM
 #115

Quote from: nelisky
It is still the site owner responsibility. I'm not saying there's an obligation of refunding any losses, that's where the contracts, insurances and premiums come in, but rather that only the site owner could have prevented this, and I'm sure in this case Jed has already closed this particular hole.

Ok, it's just a semantics misunderstanding then... I find the word "responsibility" a strong one. If you say somebody was responsible for a criminal act like this one, I understand that s/he is guilty of it. And if you're guilty of a crime, you must pay for it.
MtGox is obviously not guilty of what happened, that's why I say they have no responsibility.

I would go so far as to say Jed should have an opt-in system that would raise the fee per transaction for those who chose to allow it, and the extra fees would go to a fund to cover just these situations, but then it would become very hard to separate real cases from scams, and I don't think Jed wants to become a lawyer (assuming  he's not one already) Smiley

This would be cool, but as you noticed, it's quite difficult... they would need to contract an external service probably, and I don't think there's enough volume for that.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
davout
February 02, 2011, 08:38:55 AM
 #116

Falling off? I am waiting for MtGox to implement several major security reforms or something like that.

Better, tell him to switch to an open source backend, so everyone will be able to inspect his source Smiley

mrb
February 02, 2011, 09:50:32 AM
 #117

Better, tell him to switch to an open source backend, so everyone will be able to inspect his source Smiley

Speaking of inspecting source, I inspected yours and am still waiting for you to use a safer password hashing function :-)

(For those not in the know: davout's Bitcoin Central platform hashes passwords with SHA256($pass.$salt). Although safer than the way most people hash passwords, this method is not safe enough because it does not implement iterated hashing to slow down bruteforce attacks. In a scenario where an attacker gains access to BC's hashes via SQL injection for example, the attacker would be able to bruteforce passwords at a rate of 1+ billion per second with one HD 5970. Iterated hashing like Linux's standard MD5-crypt slows this attack by multiple orders of magnitude.)
mrb
February 02, 2011, 09:56:09 AM
 #118

My bank snail mails lists of 300 one-use keys you need when logging in. A quicker but perhaps more expensive option is to send the keys in SMS.

Cool. What bank does this? If you don't mind sharing...
davout
February 02, 2011, 10:02:41 AM
 #119

Speaking of inspecting source, I inspected yours and am still waiting for you to use a safer password hashing function :-)
You can submit a patch if you'd like Smiley

(For those not in the know: davout's Bitcoin Central platform hashes passwords with SHA256($pass.$salt). Although safer than the way most people hash passwords, this method is not safe enough because it does not implement iterated hashing to slow down bruteforce attacks. In a scenario where an attacker gains access to BC's hashes via SQL injection for example, the attacker would be able to bruteforce passwords at a rate of 1+ billion per second with one HD 5970. Iterated hashing like Linux's standard MD5-crypt slows this attack by multiple orders of magnitude.)
If it was as simple as that I would've done it already, the hard part is not to replace the hash function, the hard part is to update the passwords that are recorded in the database if you see what I mean Smiley

mrb
February 02, 2011, 10:14:38 AM
 #120

(For those not in the know: davout's Bitcoin Central platform hashes passwords with SHA256($pass.$salt). Although safer than the way most people hash passwords, this method is not safe enough because it does not implement iterated hashing to slow down bruteforce attacks. In a scenario where an attacker gains access to BC's hashes via SQL injection for example, the attacker would be able to bruteforce passwords at a rate of 1+ billion per second with one HD 5970. Iterated hashing like Linux's standard MD5-crypt slows this attack by multiple orders of magnitude.)
If it was as simple as that I would've done it already, the hard part is not to replace the hash function, the hard part is to update the passwords that are recorded in the database if you see what I mean Smiley

The traditional way to handle a change of hashing algo is to have a transitional phase where 2 algos are supported in parallel in the DB. Whenever a user logs in and you detect an old hash format in the DB, just update it (you can because you have the pass during authentication). I would be glad to submit a patch but I am unlikely to find the time to do it.
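
The transition mrb describes (#117 and #120), as an added example that is not Bitcoin Central's code: records written with the old SHA256($pass.$salt) scheme keep verifying, and the first successful login rewrites them as salted PBKDF2-HMAC-SHA256 with a high iteration count, which is what makes offline guessing slow. The record format, the 200,000-iteration work factor and the sample passwords are assumptions:

```python
"""Verify-and-upgrade password hashing: legacy SHA256(pass+salt) records are
rewritten as PBKDF2-HMAC-SHA256 on the next successful login.

Added example for this thread; record layout and work factor are assumptions.
"""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune so one check costs ~100 ms


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def legacy_hash(password, salt):
    """The SHA256($pass.$salt) scheme from the thread: salted, but a single fast hash."""
    return hashlib.sha256(password.encode() + salt.encode()).hexdigest()


def make_legacy_record(password, salt):
    """What the old database rows look like (salt must not contain '$')."""
    return "sha256$" + salt + "$" + legacy_hash(password, salt)


def make_pbkdf2_record(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """New-style row: scheme, iteration count, random salt and derived key, all self-describing."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_and_upgrade(record, password):
    """Return (ok, replacement_record_or_None).

    The caller stores the replacement when it is not None. The plaintext is only
    available during authentication, which is why the upgrade happens here.
    """
    scheme, rest = record.split("$", 1)
    if scheme == "sha256":
        salt, digest = rest.split("$")
        ok = hmac.compare_digest(legacy_hash(password, salt), digest)
        return ok, (make_pbkdf2_record(password) if ok else None)
    if scheme == "pbkdf2_sha256":
        iters, salt_b64, dk_b64 = rest.split("$")
        iters = int(iters)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), iters)
        ok = hmac.compare_digest(dk, base64.b64decode(dk_b64))
        # Same mechanism re-stretches rows whenever the work factor is raised later.
        if ok and iters < PBKDF2_ITERATIONS:
            return True, make_pbkdf2_record(password)
        return ok, None
    raise ValueError("unknown hash scheme: " + scheme)


if __name__ == "__main__":
    row = make_legacy_record("hunter2", "s4lt")
    ok, new_row = verify_and_upgrade(row, "hunter2")
    print(ok, new_row.split("$")[0])
```

Because every row carries its own scheme and iteration count, the two formats coexist in one column during the transition and no user has to reset a password; rows that never log in again can be expired after a cut-off date rather than left in the weak format forever.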
DarkMatter
February 02, 2011, 10:39:14 AM
 #121

Somewhat off-topic, but regarding this from a few pages earlier:

Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?

The faucet is now empty. 

No one even answered me, what the hell Smiley
Anyway, the faucet is closed for maintenance.
"Faucet closed for repairs

Sorry, the Bitcoin Faucet is temporarily closed for repairs. It should reopen in a day or two. Thanks for your patience."

Feed The Troll!! | 1JKdTyUjxo5VJoaQKjp4oUnXqdSSErC1mp
Cdecker
February 02, 2011, 11:03:17 AM
 #122

You are safe, even a very advanced rainbow table attack would not break a strong 16 char pass. Basically anything randomish above 12 chars and even with a good mix of chars above 8 could be considered fairly secure.

Just mix into the pass some spaces, brackets, other weird symbols, numbers, uppercase and lowercase letters and anything above 8 chars will be good.
Not a really good comparison since you'd have to have the hash of the password, and we could compile a rainbow table for almost anything. One way to defeat Rainbow tables is salting the password hashes (you are salting your passwords MtGox aren't you?) Cheesy

Want to see what developers are chatting about? http://bitcoinstats.com/irc/bitcoin-dev/logs/
Bitcoin-OTC Rating
Anonymous
Guest
February 02, 2011, 11:24:32 AM
 #123

You haven't seen the double rainbow attack yet.  Tongue
sirius
February 02, 2011, 12:01:55 PM
 #124

Cool. What bank does this? If you don't mind sharing...

Every bank in Finland. Also, all banks here support instant, irrevocable online payments from their customers with a simple interface. There are 3rd party services that have accounts in every bank, let the customer choose which to use, and forward the payment to the merchant. It would be very useful if there was an international service like that.

Identifi - Decentralized address book with trust ratings
I'm not a forum admin - please contact theymos instead.
ribuck
February 02, 2011, 02:42:31 PM
 #125

Something else I think that people forget is changing your password often.
But then you have to write the passwords down, which kind of defeats the purpose. Sure, you can store them encrypted on your computer, but what about when you are travelling?

I use a fairly strong basic password, plus a rule to modify it for each site. This just gives me two things to remember: the password and the rule. The rule is not straightforward to apply, but I can do it in my head if I have to.

The only thing that messes this up is the occasional site that has some stupid password rule (e.g. no punctuation allowed).
kiba
February 02, 2011, 02:45:43 PM
 #126

What about public key infrastructure?

Drifter
February 02, 2011, 03:00:20 PM
 #127

Something else I think that people forget is changing your password often.
But then you have to write the passwords down, which kind of defeats the purpose. Sure, you can store them encrypted on your computer, but what about when you are travelling?

I use the portable version of Keepass for the passwords I need if traveling. Very useful and I always have my USB on me. You could also have lastpass save your passwords and they would be available anywhere with an internet connection.


I'd just rather have one master password than passwords with any sort of pattern. Some of my passwords are 50 characters long for paranoia's sake. It would be good if I had a password I could memorize, but I usually think if a password is easy enough to remember, it's just not good enough.

 

ShadowOfHarbringer
February 02, 2011, 04:27:57 PM
 #128

Yeah, I specifically don't keep anything in my mtgox account because it seems insecure, same reason I don't trust mybitcoin. I keep my own computer secured, and past that, so if I keep my wallet on my computer and have an encrypted backup, I should be good.

Yeah, today's encryption capabilities can make your home a digital Fort Knox, so why use banks?
This is exactly the reason why bitcoin is so awesome.

davout
February 02, 2011, 04:35:39 PM
 #129

Because I don't want to sign a transaction with five PGP keys, a fingerprint and a sample of my DNA each time I want to buy some coffee.

cryptofo
February 02, 2011, 06:28:08 PM
 #130

Hi Friends,
I just wanted to let everyone know that Jed replaced half my bitcoins.  He is a scholar and a gentleman.  He didn't have to, but he did.  50/50 split responsibility.  Much respect and gratitude to Jed and all the work he has done to support the bitcoin community.  I have learned a valuable lesson when it comes to not using bonehead passwords.  Thank you to everyone who has chimed in on this topic and extra extra thanks to bitdragon and freemarketagenda and anyone else who donated a few bitcoins to my openalcohol.org project.  Thank you all.  Me loves Bitcoin.
markm
February 02, 2011, 07:36:57 PM
 #131

Some of the "traffic exchanges" would reject the very password I had still in my paste buffer and upon looking more closely at the plaintext email I saw it wasn't working because they had lowercased it. Ouch.

It was actually a while before passwords longer than 8 characters were even allowed in many programs. Even some Minix or Unix or Linux, can't remember which types of things (maybe that Atari Unix), used to only actually use the first so many characters, though they were at least consistent in that they chopped them when you tried to use them too instead of making you guess how many characters they actually had chosen to use.

I have seen the latter though at least once, I just can't remember where.

Three failures and you're out a minute or more only allows about 1440 * 3 tries on any given account per day of brute force. Luckily for the brutes there are so many sites out there that three tries on each account at each site that has login can keep them busy a minute probably easy. (?)

Your bank doesn't tell you to use the last 4 digits of your social insurance number as your PIN so you'll remember it easily???

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
theymos
February 02, 2011, 07:58:20 PM
 #132

I have seen the latter though at least once, I just can't remember where.

The Linux/Unix "default" behavior is to use crypt() to DES-encrypt a truncated password as you described. Probably almost all Linux distros modify this behavior to something more secure, though.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
markm
February 02, 2011, 10:18:26 PM
 #133

How did they guess she'd tell the truth? Isn't she some kind of political figure? Hahaha.

No but seriously, keeping track of which pet I had and what school I was at according to which place other than MI5 who likely can find out the true info gets to be a lot to keep track of.

-MarkM- (That's a "five" not a "bee", by the way. Smiley Cheesy)

(And since I can put the burden of knowing the right answer on them, why tell them either? Hahaha cool. Wink)



Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
Hal
February 03, 2011, 01:15:03 AM
 #134

Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.
Does this mean the merchant API has/had a way of discovering account names? And this involved sending a dummy transaction of 0 to each account? Has this been fixed?

Hal Finney
Mahkul
February 03, 2011, 01:18:26 AM
 #135

Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.
Does this mean the merchant API has/had a way of discovering account names? And this involved sending a dummy transaction of 0 to each account? Has this been fixed?

I was just going to ask the same question.
hacim
February 05, 2011, 03:57:03 PM
 #136

the attacker would be able to bruteforce passwords at a rate of 1+ billion per second with one HD 5970. Iterated hashing like Linux's standard MD5-crypt slows this attack by multiple orders of magnitude.)

Do you know of any software that can utilize a GPU to do brute-force password cracking (such as john the ripper, but GPU-capable)?

15yns1RVpBHZ8uj8mGVUJVCyPh5ieW3FQx
LZ
February 05, 2011, 06:44:36 PM
 #137

You should ask this in another forum. Otherwise we will have a bad reputation.

hacim
February 06, 2011, 03:55:42 PM
 #138

Ah, sorry I didn't quite realize how that would come out. I'm not wanting something like that to actually compromise accounts, more for enforcing password strength policies. But yeah, I can see how my message could be seen as sketchy!

15yns1RVpBHZ8uj8mGVUJVCyPh5ieW3FQx
LZ
February 07, 2011, 09:20:11 PM
 #139

Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!

Keefe
February 07, 2011, 09:32:34 PM
 #140

Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!

Is it really a problem, having the password in the url when https is used? I thought that the browser checks the certificate and starts encrypting before the url is transmitted.

davout
February 07, 2011, 09:34:01 PM
 #141

Yes it is.

However, this kind of URL is easily used in CSRF exploits.

ShadowOfHarbringer
February 08, 2011, 12:08:19 AM
 #142

Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!

OMG, this is serious.
These are security basics...

bitcool
February 08, 2011, 05:21:55 AM
 #143

Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!
but this GET does not work....
the javascript behind the login page is clearly using POST:
Code:
var name=$("#username").val();
var pass=$('#password').val();
$.post("/code/login.php", { "name": name , "pass": pass  }, onServer , "json" );
where/how did you get your URL?
LZ
February 08, 2011, 08:28:05 AM
 #144

I hope so. I got it in my address bar while I pressed the Login button.

davout
February 08, 2011, 10:52:22 AM
 #145

Maybe you should contact mtgox before spreading FUD like this.
It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted.

These are security basics...
And you seem not to have a clue about them Smiley

carp
February 08, 2011, 12:56:49 PM
 #146

Maybe you should contact mtgox before spreading FUD like this.
It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted.

These are security basics...
And you seem not to have a clue about them Smiley

Heh nice. However... it does at least LOOK bad, and that will always be enough to make someone sound the alarms once in a while. I would highly encourage cleaning that up, if only to look a little more... "professional", but also to avoid freaking people out.

LZ
February 08, 2011, 08:28:12 PM
 #147

Maybe you should contact mtgox before spreading FUD like this.
Yeah, you are right. Sorry for that. It just looks quite scary.

casascius
Mike Caldwell
February 09, 2011, 01:13:43 AM
 #148

Maybe you should contact mtgox before spreading FUD like this.
Yeah, you are right. Sorry for that. It just looks quite scary.

I did notice this several days ago - mentioned the same thing in an e-mail to Jed - because I observed this in my address bar.  Jed replied that the site indeed uses POST, but I indeed still see this in my address bar.

Is it secure?  Well... depends.  Sure, it goes over HTTPS.  But what about any toolbar that looks at your URLs and silently sends them somewhere (common).  Even IE in its most basic configuration sends URLs you visit to Microsoft for the purpose of "smart screen" filtering.  Also it sits in your browser history, and can be seen by later users of the machine if they type the beginning of the URL.  So that is why indeed it's a concern.  I have only observed this within IE; if I use for example Safari, I don't see this.

If you're seeing this, and I'm seeing it too, then it's a problem, and not FUD.

Also a concern is the password retrieval feature.  Anyone who can read your e-mail can access your account and there is no apparent way to control this.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
LZ
February 09, 2011, 06:18:44 PM
 #149

I saw it using Firefox, but did not see it within Chrome. Seems that WebKit does not show it.

casascius
Mike Caldwell
February 09, 2011, 06:34:26 PM
 #150

Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!
but this GET does not work....
the javascript behind the login page is clearly using POST:
Code:
var name=$("#username").val();
var pass=$('#password').val();
$.post("/code/login.php", { "name": name , "pass": pass  }, onServer , "json" );
where/how did you get your URL?

Worth noting is that the variables on the query string are "username" and "password", which differ from the variable names passed in the call to $.post ("name" and "pass").  The $.post call is then apparently unrelated to the problem.  (I confirmed that I see "username" and "password" in my address bar as well).

This problem is EASILY reproduced just by going into MSIE 8 and submitting an incorrect username and password.

As a workaround, would adding method="POST" to the form help?  (currently it is not specified, it relies on onsubmit returning false, but if this is misunderstood by some browsers, at least an accidental POST would be far cleaner than an accidental GET which I understand is the default?)

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
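
A server-side guard and a log check for the problem casascius describes (credentials showing up in a GET query string), added here as an example and not MtGox's code. It rejects login requests whose credentials arrive in the URL or that are not POSTed, and scans constructed access-log lines so leaked values can be found and redacted before the logs go anywhere; the parameter names, paths and log lines are assumptions:

```python
"""Detect and reject credentials carried in a URL query string.

Added example for this thread; parameter names, paths and log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets (assumed list; extend for the application).
SENSITIVE_PARAMS = {"password", "pass", "passwd", "pwd", "token", "secret"}


def credential_params(url):
    """Sorted names of sensitive parameters present in the URL's query string."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def check_login_request(method, url):
    """Server-side guard for a login endpoint: credentials only in a POST body."""
    leaked = credential_params(url)
    if leaked:
        # Refuse before authenticating, so a URL copied from history or a
        # toolbar upload can never be replayed as a working login.
        return "reject: credentials in query string (%s)" % ", ".join(leaked)
    if method.upper() != "POST":
        return "reject: login requires POST, got %s" % method.upper()
    return "ok"


def redact_url(url):
    """Replace sensitive query values so the URL can be written to a log safely."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# Constructed access-log lines in combined-log style (RFC 5737 documentation addresses).
ACCESS_LOG = [
    '203.0.113.7 - - [09/Feb/2011:01:13:43 +0000] "POST /code/login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Feb/2011:01:13:50 +0000] "GET /users/login?username=my_login&password=my_password HTTP/1.1" 302 0',
    '198.51.100.2 - - [09/Feb/2011:01:14:02 +0000] "GET /users/login HTTP/1.1" 200 2048',
    '198.51.100.2 - - [09/Feb/2011:01:14:10 +0000] "GET /api/balance?token=abc123 HTTP/1.1" 200 80',
]

REQUEST_RE = re.compile(r'"(GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines):
    """(line_no, method, redacted_request) for every entry whose URL carried a credential."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and credential_params(m.group(2)):
            hits.append((n, m.group(1), redact_url(m.group(2))))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG):
        print(hit)
```

The client-side fix is the one casascius suggests, an explicit method="POST" on the form, because a form with no method attribute submits as GET whenever the onsubmit handler does not run. The server-side rejection and the log scan are the backstop: HTTPS protects the URL in transit, but not in browser history, referrers, toolbars or the server's own access log.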
bitcool
February 09, 2011, 10:09:55 PM
 #151

This problem is EASILY reproduced just by going into MSIE 8 and submitting an incorrect username and password.
Thanks. Every once in a while, I need to be reminded there's a browser called "IE" that people still use, sorry.
ShadowOfHarbringer
February 11, 2011, 06:44:50 PM
 #152

Maybe you should contact mtgox before spreading FUD like this.
It is all documented in the API page, requires a POST (not very clean but well...) to be sent and the path is encrypted.

These are security basics...
And you seem not to have a clue about them Smiley

Because you seem to have said so of course...

FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell.
FYI-2, I know "something" about security, but I have no need to explain myself to you.

davout
February 11, 2011, 06:56:42 PM
 #153

FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell.
FYI-2, I know "something" about security, but I have no need to explain myself to you.
So, why are you coming back and editing your posts if you don't care? Smiley

Nefario
February 11, 2011, 07:06:10 PM
 #154

FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell.
FYI-2, I know "something" about security, but I have no need to explain myself to you.
So, why are you coming back and editing your posts if you don't care? Smiley

point 1, explanation
point 2, fuck you thats why!  Cheesy

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
ShadowOfHarbringer
February 11, 2011, 09:15:31 PM
 #155

FYI, I would NEVER EVER put something like this in a URL, because just from the looks of it it's scary as hell.
FYI-2, I know "something" about security, but I have no need to explain myself to you.
So, why are you coming back and editing your posts if you don't care? Smiley

You are putting things on my keyboard that I didn't write.
I never said that I don't care HERE. Perhaps I didn't care in some other thread.

PS.
SERIOUSLY dude. What is your problem? Just to remind you - it was you who started insulting me.
We could have a polite conversation but no - you like shitfight better.

LZ
February 11, 2011, 09:38:42 PM
 #156

Is there any reason for this dispute? Shake hands with each other, okay?

bitcool
February 11, 2011, 10:20:55 PM
 #157

hey, I wish I could afford one like this too: (everybody with bitcoin seems to have one)



just kidding.
foof
March 06, 2011, 02:52:57 AM
 #158

Is this thread still alive?
I've seen this just now.
I would like to ask what is a dictionary attack. If that is what I know, it is really unlikely that it could have happened.

Firstly a dictionary attack means that somebody has used a dictionary word for his password. Or maybe 2 dictionary words stuck together. Already with 3 stuck together it's really unlikely that it could be completed in any reasonable time. Consider an English dictionary of 3000 words (that's low, let's assume just common/simple words and the English language), you use 3 of them stuck together, suppose you even use all non-capital characters, no digits and no spaces, it still means the attacker has to bruteforce 3000^3 = 27000000000 combinations. The attacker needs to try half of those combinations on average, to crack the password.

Over the network, with SSL authentication (that's overhead) I don't think the attacker could really try more than 1000 passwords per second; after that it becomes a bandwidth and CPU attack against mtgox resulting in DoS. Even at this speed it would take an average of 10 years of continuous attempts to crack one single password, and nobody noticing anything in the meantime. I don't see this likely *at all*.

A different thing is if the attacker was able to download the file of hashed passwords by first hacking the mtgox website database with MySQL injection. After that he could perform the dictionary attack locally on his PC (as opposed to over the network). At this point 3 words stuck together becomes feasible and 4 words is so-so. Also, I read people speaking about rainbow attacks: again, these are feasible only if the attacker could download the hashed passwords file.

But at this point one wonders, if the hacker is able to hack the DB and download the hashed passwords file from the website, why isn't he able to just login to the victim's account or change the victim's password to something known to him?

So I don't really see this clearly. How did this attack really happen?

The people who got their account hacked (who hopefully changed their password by now) would they be willing to disclose their old password so we have an idea of how weak that was, and how could this hack actually happen?
Dude65535
March 06, 2011, 03:29:09 AM
 #159

Generally a dictionary attack would be done with a pregenerated list of common passwords sorted by frequency of use.

1DCj8ZwGZXQqQhgv6eUEnWgsxo8BTMj3mT
carp
March 06, 2011, 07:32:21 AM
 #160

Firstly a dictionary attack means that somebody has used a dictionary word for his password. Or maybe 2 dictionary words stuck together. Already with 3 stuck together it's really unlikely that it could be completed in any reasonable time. Consider an English dictionary of 3000 words (that's low, let's assume just common/simple words and the English language), you use 3 of them stuck together, suppose you even use all non-capital characters, no digits and no spaces, it still means the attacker has to bruteforce 3000^3 = 27000000000 combinations. The attacker needs to try half of those combinations on average, to crack the password.

Well kinda. Firstly, stringing words together isn't the most common of things people do. Shit, even I use one word dictionary passwords in some places. Common is a dictionary word, word with numbers at the end, more likely than not all lower case.... some words are more common than others... in any case, there are optimizations that reduce effective keyspace.

Also, hashes can have collisions. Technically, you don't need to guess THE password, just something that hashes to the same value (unlikely but, no way to rule out collisions). Then there is the number of accounts. Maybe instead of scanning one account for all possible good passwords, you just try lots of different accounts in the set of bad ones?

Remember, even in the HBGary hack, a security company, BOTH founder and CEO had 6 char, all lower case passwords with numbers at the end (or so the claim goes).

All that said, I am skeptical of dictionary attacks. More likely attacks, to my mind? Well, again back to the HBGary hack... same password on multiple accounts anyone? I almost guarantee that you go to ANY forum on the net, including this one, post a link to a site you own, with some reason to register, and you will get a list of usernames and passwords that are probably valid on other sites.

Do it here, and the chances they work on mtgox.... well.... you get the picture.
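
A password-acceptance check of the kind hacim asks about earlier in the thread, added here as an example that is not from anyone in this thread. It combines Dude65535's point (#159: a frequency-sorted common-password list) with carp's (#160: a dictionary word with digits on the end, all one character class), and shows why the naive keyspace overstates the work an attacker faces; the word lists, the suffix alphabet and the sample passwords are constructed:

```python
"""Password policy check: denylist, dictionary-plus-suffix pattern, character classes.

Added example for this thread; word lists and sample inputs are constructed.
"""
import math
import re

# Constructed stand-ins for a frequency-sorted common-password list and a word list.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "bitcoin", "password1"]
DICTIONARY = {"bitcoin", "wallet", "summer", "dragon", "monkey", "exchange"}

SUFFIX_ALPHABET = "0123456789!@#$%"   # assumed: what people append to a word


def charset_size(pw):
    """Size of the smallest conventional character set that covers pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33   # printable ASCII punctuation
    return size


def dictionary_pattern(pw, dictionary=DICTIONARY):
    """(word, suffix) if pw is one dictionary word plus up to 4 suffix characters, else None."""
    m = re.fullmatch(r"([A-Za-z]+)([%s]{0,4})" % re.escape(SUFFIX_ALPHABET), pw)
    if m and m.group(1).lower() in dictionary:
        return m.group(1), m.group(2)
    return None


def estimated_guesses(pw, dictionary=DICTIONARY):
    """Return (naive_keyspace, pattern_keyspace).

    naive_keyspace is what a blind brute force over the character set must cover;
    pattern_keyspace is what a word-list-plus-suffix attack must cover when the
    password has that shape (equal to naive when it does not).
    """
    naive = charset_size(pw) ** len(pw)
    hit = dictionary_pattern(pw, dictionary)
    if hit is None:
        return naive, naive
    return naive, len(dictionary) * len(SUFFIX_ALPHABET) ** len(hit[1])


def naive_entropy_bits(pw):
    """log2 of the naive keyspace; 0 for an empty password."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def check_password(pw, min_len=12, denylist=COMMON_PASSWORDS, dictionary=DICTIONARY):
    """Return the list of policy findings; an empty list means the password is acceptable."""
    findings = []
    if len(pw) < min_len:
        findings.append("shorter than %d characters" % min_len)
    if pw.lower() in denylist:
        findings.append("in the common-password list")
    hit = dictionary_pattern(pw, dictionary)
    if hit:
        findings.append("dictionary word %r plus suffix %r" % hit)
    if charset_size(pw) <= 26:
        findings.append("single character class")
    return findings


if __name__ == "__main__":
    for candidate in ("bitcoin1", "password", "Xk9#mQ2vLp7!sR4w"):
        print(candidate, check_password(candidate), estimated_guesses(candidate))
```

The numbers are the point: "bitcoin1" looks like 36^8 possibilities to a blind brute force, but a word list times a one-character suffix is a few dozen guesses, which is the keyspace reduction carp describes. A real deployment would back the two constructed lists with a large leaked-password corpus and a full dictionary, and keep the denylist check even for long passwords.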
error
March 06, 2011, 09:39:25 PM
 #161

I generate passwords with:

Code:
dd bs=32 count=1 if=/dev/random | sha256sum

Cheesy

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
randomguy7
March 06, 2011, 10:23:53 PM
 #162

I prefer pwgen -s 60 (less to type) Smiley
we6jbo
March 07, 2011, 12:28:34 AM
 #163

This thread was quite an interesting read. One thing that seems to have become unnoticed is Liberty Reserve's part in the stolen Bitcoins. I think that in the case of large transactions like the ones that happened in this thread there really needs to be an obligation to check whether the Bitcoins are stolen or not. MtGox took the right approach to trace how the funds were stolen and where they went. In fact I think that if Liberty Reserve was not so quick to trade the Bitcoins into cash then there would have been a larger chance to catch the thief with the Bitcoins.

I think in the end all avenues need to be checked and not simply the ones that deal with password security or server security. Simply sweeping this problem under the rug isn't going to solve anything and when problems like these do happen they need to be documented in their fullest. This is the second time I've read a thread where a lot of money was stolen and I can only imagine this problem escalating as Bitcoin becomes more known to the general people and especially to those that do not take security seriously.
carp
March 07, 2011, 02:48:06 PM
#164

Quote from: error
I generate passwords with:

Code:
dd bs=32 count=1 if=/dev/random | sha256sum

:D

I started using mnemonics for passwords years ago. Take some phrase from a song, movie, or anything you like.... then make a string out of it. Something like "I started using mnemonics years ago"

Can become a string like:
I<um4PYA

Reduces the time it takes before I can type them from memory, and makes it much easier to recall them later, sometimes even years later.
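The three schemes in #161, #162 and #164 (dd piped into sha256sum, pwgen -s 60, and a phrase mnemonic) differ mainly in how much randomness actually ends up in the password. The following is an added example, not code posted by anyone in the thread: it reproduces the first two in Python with the `secrets` module and puts an upper bound on the entropy of each. The mnemonic figure assumes an 8-character password drawn uniformly from the 95 printable ASCII characters, which overstates a phrase-derived password considerably. The function names and the 20-character truncation case are this example's own assumptions.

```python
import hashlib
import math
import secrets
import string

HEX = "0123456789abcdef"
PWGEN_ALPHABET = string.ascii_letters + string.digits  # pwgen -s default set: [A-Za-z0-9]


def dd_sha256_style() -> str:
    """Same idea as `dd bs=32 count=1 if=/dev/random | sha256sum`: hash 32 random
    bytes and use the hex digest as the password. Hashing adds no entropy, so the
    64-character result carries at most the 256 bits that went in."""
    return hashlib.sha256(secrets.token_bytes(32)).hexdigest()


def pwgen_style(length: int = 60, alphabet: str = PWGEN_ALPHABET) -> str:
    """Equivalent of `pwgen -s N`: every position drawn uniformly from the alphabet
    with a CSPRNG (secrets.choice), no pronounceability tweaks."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int, input_bits: float = math.inf) -> float:
    """Upper bound on the entropy of a password of `length` symbols drawn uniformly
    from `alphabet_size` symbols, capped by the entropy of the random input that
    produced it. The cap is what matters for hash-the-randomness schemes: a hash
    can only redistribute the bits it was given."""
    return min(length * math.log2(alphabet_size), input_bits)


def compare_schemes() -> dict:
    """Entropy bounds for the schemes discussed in the thread (assumed labels)."""
    return {
        # 32 random bytes -> sha256sum -> 64 hex chars: 256 bits, and no more.
        "dd_sha256": entropy_bits(16, 64, 256),
        # Reading more from /dev/random does not help: sha256sum still emits 256 bits.
        "dd_sha256_count4": entropy_bits(16, 64, 256),
        # A site that silently truncates to 20 characters keeps 20 hex chars = 80 bits.
        "dd_sha256_truncated_20": entropy_bits(16, 20, 256),
        # pwgen -s 60 over 62 symbols: about 357 bits, all of it usable.
        "pwgen_60": entropy_bits(62, 60),
        # 8 printable chars if they were uniformly random: about 52 bits; a
        # phrase-derived string like I<um4PYA is well below that.
        "mnemonic_8_uniform_bound": entropy_bits(95, 8),
    }


if __name__ == "__main__":
    print(dd_sha256_style())
    print(pwgen_style())
    for name, bits in compare_schemes().items():
        print(f"{name:28s} {bits:7.1f} bits")
```

The cap in `entropy_bits` is the practical caveat for the dd pipeline: sha256sum emits 256 bits no matter how large `count` is, and the hex alphabet spends four bits per character, so a site that truncates to 20 characters keeps only 80 of them, while 20 characters from `pwgen -s 20` keep about 119.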
error
March 07, 2011, 05:19:23 PM
#165

Ah, but all of the passwords I generate are stored on my encrypted drive, and the drive password is, well, longer than my screen. That one I remember completely. :D

bitcoincop
March 22, 2011, 04:06:19 AM
#166

So this all makes me wonder if there is a way to create a central database about fraudulent transactions, and associated addresses. Someone would make an entry into such a database and provide contact information or other community-based details, perhaps signing them with a key that they use as a part of transactions on bitcoin-otc/IRC. Then, when someone else who cares receives a payment with these bitcoins, they can contact the original person to get details and perhaps deny the sender the goods/services they're trying to purchase with the stolen bitcoins.

Yes, it would take an outside database, and yes it would take a strong community with reputation and social trust, but it could be helpful.

One example of such a database for Laptops/computers is: http://www.stolencomputers.org/home.html

Access to a database for bitcoins would come as a plugin or add on for a user to install on their bitcoin server.

mndrix (Michael Hendricks)
March 22, 2011, 06:25:53 PM
#167

Quote from: bitcoincop
So this all makes me wonder if there is a way to create a central database about fraudulent transactions, and associated addresses.

It's nearly impossible to mark certain Bitcoins as stolen or dirty because they can be so easily laundered.  For example, send the stolen coins to an account at MyBitcoin.com, withdraw the coins to a new Bitcoin address.  The withdrawn coins are completely clean and other MyBitcoin.com users end up with the "dirty" coins.
carp
March 22, 2011, 08:22:49 PM
#168

Quote from: bitcoincop
So this all makes me wonder if there is a way to create a central database about fraudulent transactions, and associated addresses.

Quote from: mndrix
It's nearly impossible to mark certain Bitcoins as stolen or dirty because they can be so easily laundered.  For example, send the stolen coins to an account at MyBitcoin.com, withdraw the coins to a new Bitcoin address.  The withdrawn coins are completely clean and other MyBitcoin.com users end up with the "dirty" coins.

Though, realize if "bitcoincop" is a real "cop" then he may be thinking that is easy. Once you find one of those users, you question him, and when he tells you that he uses mybitcoin, then you go to mybitcoin and try to get them to release their records; after all, they should be able to make the connection with the account that they were deposited into.

That said, if mybitcoin can be convinced (or compelled) to help, then this should be a trivial step. Of course, since you can access them as a location hidden service, and they require no real information to sign up, it could easily be a dead end too.... and that is before we even consider other possibilities.... like coin tumbler (or similar). Unless the thief was the only person using it at the time, and not particularly clever about it, simply going from one service like mybitcoin or mtgox to another, through coin tumbler with multiple addresses, well... I hope you get the picture.

Hell, I recall even seeing someone on Silk Road who was offering pre-laundered bitcoins for sale. They claim to do some sort of escrow, so it's not even like that person could cheat and send back the same coins (not that it would be hard to determine, but as a scam, I bet it would work most of the time) and wouldn't even know the buyer's real name.... though, I guess if you were sure that he did it, again, it's no better or worse than mybitcoin in terms of, you could at least ask him to help you pick the trail back up (assuming that he keeps records).

Though, how you convince anonymous people, running services intended to guard your anonymity, to voluntarily cooperate in compromising someone's anonymity, even in an indeterminate way like this, is an open question. I guess it's possible that accusations of thievery may sway them to help, but they may want you to prove it before they are willing to help.

After all, it's not like you can pull them into an interrogation room and get out the rubber hoses. That is, unless you can compromise their identities first.

eMansipater
March 22, 2011, 09:28:37 PM
#169

Tracing bitcoins is basically the same as tracing cash:  if you catch the original person spending the cash directly you have them, otherwise the bills will just show up at banks after having been passed through multiple organisations with no way to track them.  A smart enough criminal can keep from getting caught after a cash heist, and similarly a smart enough criminal can keep from getting caught after a bitcoin heist.  Fortunately, many criminals are stupid and get caught anyway through some small slip-up.  Gaining expertise in the entire system and how to catch those tiny slip-ups will give law enforcement the same edge with regards to bitcoin that they have with cash.  Some criminals will get away, and some will get caught; expertise on the part of law enforcement will increase the proportion caught.

Xiong Zhuang
June 10, 2011, 11:08:15 AM
#170

The same thing happened to me too. I logged in to my account today and found I had lost 42.9$ from my account, and I have no idea about the latest two trades in my trade history. I mean, even if my account is weak, the hacker shouldn't know my username. Someone in the office must be leaking users' information.
mrb
June 20, 2011, 02:26:44 AM
#171

Not a really good comparison since you'd have to have the hash of the password, and we could compile a rainbow table for almost anything. One way to defeat Rainbow tables is salting the password hashes (you are salting your passwords MtGox aren't you?) Cheesy

Now, we know that 1765 of the MtGox password hashes leaked today were not salted. :-(
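mrb's point is that salting is what makes a precomputed table useless. As an added example, not code from the thread, from MtGox or from any project mentioned here, the following Python contrasts a dump of unsalted hashes (reversed by one dictionary lookup per entry, and leaking which users share a password) with a per-user random salt plus PBKDF2-HMAC-SHA256. The wordlist is constructed, and plain SHA-256 stands in for whatever unsalted function the leaked entries actually used; the page does not say which. Function names and the record format are this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for an attacker's dictionary (a rainbow table is the same
# idea with the storage compressed). Real lists hold millions of candidates.
WORDLIST = ["password", "123456", "letmein", "bitcoin", "mtgox2011"]


def unsalted_hash(password: str) -> str:
    """Plain hash of the password, no salt: the weakness mrb describes.
    SHA-256 is an assumption; the actual function behind the leak is not stated."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> plaintext once. Every unsalted hash in a dump can then
    be reversed by a dictionary lookup, however many users the dump contains."""
    return {unsalted_hash(w): w for w in words}


def crack(hash_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Attacker side: O(1) lookup; returns the plaintext or None if not tabulated."""
    return table.get(hash_hex)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt. The salt forces a fresh table per
    user, so precomputation buys nothing; the iteration count slows each guess.
    Stored as 'iterations$salt_hex$dk_hex' so parameters travel with the record."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def new_user_record(password: str) -> str:
    """Registration: 16 random salt bytes per user, never reused."""
    return salted_hash(password, os.urandom(16))


def verify(password: str, record: str) -> bool:
    """Login: recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, _ = record.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, record)


def demo() -> dict:
    """Two users who chose the same weak password, stored both ways."""
    table = build_lookup_table(WORDLIST)
    alice_plain, bob_plain = unsalted_hash("bitcoin"), unsalted_hash("bitcoin")
    alice_rec, bob_rec = new_user_record("bitcoin"), new_user_record("bitcoin")
    return {
        "unsalted_cracked": crack(alice_plain, table),        # "bitcoin"
        "unsalted_equal": alice_plain == bob_plain,           # same password is visible
        "salted_equal": alice_rec == bob_rec,                 # different salts, different records
        "salted_in_table": crack(alice_rec.split("$")[2], table),  # None
        "verify_ok": verify("bitcoin", alice_rec),
        "verify_wrong": verify("bitcoinX", alice_rec),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

Note what the salt does and does not buy: it stops the one-table-for-everyone attack and hides which accounts share a password, but a single weak password is still guessable one account at a time, which is why the iteration count (or a memory-hard function) matters alongside it.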
Vladimir
June 20, 2011, 03:24:09 AM
#172

well... my mtgox password was ªç!¼:Üý\†€BZ*Š”TbŠòê  unique for this site, moreover I never sent them a single penny, bit or fiat.

Learn from the pros, kids.

I am still pissed off by finding my email in that damn list.

This mtgox biz and many other things which we are witnessing with bitcoin will be in history books.

Coinbuck @ BTCLot
June 20, 2011, 03:27:04 AM
#173

Quote from: Vladimir
well... my mtgox password was ªç!¼:Üý\†€BZ*Š”TbŠòê  unique for this site, moreover I never sent them a single penny, bit or fiat.

Learn from the pros, kids.

I am still pissed off by finding my email in that damn list.

This mtgox biz and many other things which we are witnessing with bitcoin will be in history books.

Same here, getting some really fucked up spam now.

jatajuta
June 20, 2011, 03:28:25 AM
#174

Quote from: Vladimir
This mtgox biz and many other things which we are witnessing with bitcoin will be in history books.

So true.

iCEBREAKER
June 20, 2011, 03:40:50 AM
#175

Quote from: Vladimir
This mtgox biz and many other things which we are witnessing with bitcoin will be in history books.

History books?  Hell, I feel like I've been living inside a Bruce Sterling sci-fi novel for the last month.

Today topped them all, as an especially Islands-In-The-Net kind of day.  Damn those data pirates!

/wants razorgirl bodyguard

S3052
June 21, 2011, 04:52:45 PM
#176

Quote from: Xiong Zhuang
The same thing happened to me too. I logged in to my account today and found I had lost 42.9$ from my account, and I have no idea about the latest two trades in my trade history. I mean, even if my account is weak, the hacker shouldn't know my username. Someone in the office must be leaking users' information.

How can you log into your MtGox account? I thought it was still closed?

imperi
June 21, 2011, 04:54:37 PM
#177

Quote from: Xiong Zhuang
The same thing happened to me too. I logged in to my account today and found I had lost 42.9$ from my account, and I have no idea about the latest two trades in my trade history. I mean, even if my account is weak, the hacker shouldn't know my username. Someone in the office must be leaking users' information.

Quote from: S3052
How can you log into your MtGox account? I thought it was still closed?

HIS POST IS FROM JUNE 10.

you fail.
S3052
June 21, 2011, 04:58:25 PM
#178

mea culpa.
