Friday, August 5th, 2011SECURITY BREACH DISCLOSURE
From the desk of Tom Williams, operator of MyBitcoin.com
For immediate release.
After careful analysis of the intrusion we have concluded that the software that waited for Bitcoin confirmations was far too lenient. An unknown attacker was able to forge Bitcoin deposits via the Shopping Cart Interface (SCI) and withdraw confirmed/older Bitcoins. This led to a slow trickle of theft that went unnoticed for a few days. Luckily, we do keep a percentage of the holdings in cold storage so the attackers didn’t completely clean us out. Just to clarify, we weren’t “fully” hacked aka “rooted”. You can still trust our PGP, SSL, and Tor public keys.
It appears to be human error combined with a misunderstanding of how Bitcoin secures transactions into the next block. Our programmer was under the assumption that one block was good enough to secure a transaction. Two years ago when the software was written, this single confirm myth was a popular belief.
In hindsight we should have credited deposits after one confirmation so they would show up in the transaction history, and held the deposit until it reached at least 3 confirmations. Keeping track of two balances and displaying them in the login area would have been trivial.CLAIM PROCESS DISCLOSURE
We are in the process of building a claim procedure for the remainder of the holdings now. We expect that we will have it online soon.
The claim process will consist of a online form where the claimant will be required to enter their MyBitcoin username and password. Their balance will be displayed along with the percentage of remaining Bitcoins that we still have in our holdings. That percentage will be paid to a Bitcoin address of their choosing. This percentage will be based on our current total liabilities vs. our existing assets. We will disclose these figures as soon as they have been totaled.
Each online claim will be written to a ledger and will be manually approved within 48 hours of being filed online. We have decided to have a manual claim approval process for better security. The last thing we all need right now is for someone to breach the claim form. We are confident clients will find this satisfactory.RECEIVERSHIP
After some research and careful consideration regarding the appointment of a receiver we have concluded that it would be very costly and slow.
Also, finding a receiver that even understands what a Bitcoin is or how to handle the claim process online would be troublesome, and would only end up in increasing our costs. Receivers are typically paid from the remaining assets and we’d like to maximize the amount that we can disperse to our clients.
We have been trying to figure out a way to appoint a 3rd party to certify the asset/liability figures, but there are many risks involved. It would involve having us trust some unknown agent that could possibly just steal the rest of the holdings out from under us. Or, we could be accused of bribing the 3rd party to agree with our figures, and on and on. Trust is a real problem with an anonymous and irrevocable currency.
It is true that we could disclose all of the Bitcoin payment addresses we manage and let everyone look them up and track the lineage of the coins. This is also troublesome due to the way that we defragment small payments to keep the processing engine speedy. Also there are the moral implications of disclosing our client’s finances. We are sure that, unknowingly to us, that our processing system has been used for nefarious purposes.A GIFT TO THE COMMUNITY
After the claims have all been filed and dealt with we will be releasing the entire MyBitcoin processing engine into the public domain. Our only hope is that the community can improve and adapt the software to all sorts of new and interesting Bitcoin-related things.