We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occured because the password for LastPass was in fact a duplicate password which had been compromised during the hack.
Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.
LastPass contains all your passwords. The username was email@example.com
. After the initial compromise, the sourcecode would have been tainted. But the password for LastPass was not changed.
The operators of Bitcoinica probably did not think to change it because they may have assumed that the LastPass password was not the same password as the MtGox API key. Such a flaw is a huge security breach. The original hacker could have compromised the funds on May 11th or any day thereafter.
Such security practices resulted in the initial theft. By the time we took over the claims process it was under information that the LastPass password was secure. This was infact supposed to be the secure way the new passwords were communicated.
This has resulted in the loss of one third of all the Bitcoinica money which has been stolen from MtGox. (40k BTC and 40K USD - the mtgox daily limits)
While the initial hacker had the ability to cause this breach it is likely that it was not taken advantage of until many users had access to the sourcecode in a recent leak:
genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb
MtGox.configure do |config|
config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
Sourcecode download link: http://depositfiles.com/files/2p6zvadzs
The LastPass password was set to the semi-public api key, this is very similar to using the username for one site as the password on another.
Whoever is responsible for the latest theft used the MtGox API key as a password in LastPass hoping that simple security measures were not followed in the setting up of the LastPass. They gained access to MtGox. They transferred a third of the refund money, presumably to themselves. Bitcoinica has had at least 5 major security breaches since it's start. We had recommended that their codebase be entirely rewritten but were not aware of their security practices.
I'm starting to regret becoming embroiled with such a shoddy and badly secured site as Bitcoinica.Edit
: The API key was changed, but someone had a LastPass account with the same password as that, and was actively updating it with new passwords.
40k USD and 40k BTC were stolen (~350k USD).
For those who doubt we were not the GP, you can run 'git log' in the sourcecode. We had no responsibility to take on payments, but we did (and finalised the formation of Bitcoinica Consultancy to do so). The payments process was looking good, but now Patrick has walked away and I'm unsure what happens next. The sourcecode illustrates the magnitude of the problems involved with Bitcoinica (passwords all over the source, bad design, flawed code).
We were not privy to all the problems when taking on Bitcoinica. Zhou was being paid $8000 a month for operating Bitcoinica in his part time while Tihan was scrambling to get the site working. During the last month, Zhou was not taking pay, to refund the money stolen by the Linode compromise. Tihan was rushing to get the paperwork finished because Zhou is attending school. We kept sending the paperwork back saying it's incomplete and there's problems, so when the initial compromise happened, the company was not yet fully formed. The initial confusion was over who is responsible as the GP - the part time owner devoting maybe 5 hours a week? The new owners who had no experience operating the site? The middleman who acts on behalf of the owner and has no technical knowledge? That's why payments were initially complicated and delayed.
I will post another update once I know more. I'm guessing that payments will have to take a forced 30% cut. This has cost everyone a lot of money, time and stress dealing with this mess. We are actively losing money from dealing with the payouts.Update:
here's the facts from my point of view:
- Patrick quit.
- Zhou quit.
- Tihan was fired, and no longer acting on behalf of Bitcoinica LP.
- Bitcoinica Consultancy were the new operators coming onboard, and the company was formed after the compromise to facilitate payments out.
- Bitcoinica LP is the owner.
The payments process is at a deadlock. Technically when a company is in debt, and cannot pay off its debtors in full, it hands the process to the government (called receivership
). Bitcoinica LP would have to make a police report, and hand over the payments process as the owners.
That's it basically. Just a standstill.
has anyone been paid out after the latest mtgox theft?
No.Update 19th July:
payments are still stuck at 38%. Considering that those are 50% payouts, that means a good 76% of the claims. That's not 76% of claimants, but 76% of the total funds.
However given that nobody is doing anything, I've been talking with some of the people with large claims. They've proposed helping take over the process with me. I suppose we need to get written consent that Bitcoinica Consultancy doesn't exist or that if it does that the members resign. This allows Bitcoinica LP to take over and hand the payouts process to us. Technically Bitcoinica LP owns the assets.