Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 155938 times)
sadpandatech
Hero Member
Activity: 504
Merit: 500
July 13, 2012, 12:28:23 PM
 #101

Maybe I am dumb - so they had the LastPass password set to be the same as the Mt.Gox API key? If true, uh oh - this is just so unbelievable....

aye, that's what they are saying.

My few questions:
Why was this access not included in the original action to change all passwords?
When did this LastPass account have its Gox password updated to the new one?
Who was in control of this LastPass account?


It seems highly unreasonable to me to think that the original 'hacker' would just now think to randomly check LastPass using those credentials that he would have had the entire time. If someone just got them from the source code (it was just recently leaked?) then why would they even think to check LastPass using that combo of credentials? Not to mention how terribly short-sighted it is to use the API key as a password for anything.. :/

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
Phinnaeus Gage
Legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
July 13, 2012, 12:28:56 PM
 #102

This has been one of the most stressful situations with maximum suffering I have ever experienced. I am furious and I hope everyone involved putting us through this gets what's due to them. Karma is a bitch, you fucking wankers.

Right. Because this has not been the most stressful time of my life.

I have physical health problems and need to see a doctor, but haven't had the time. On the forums I'm called a scammer and repeatedly insulted. Someone is trying to sue us. My bank gave me crap and held my money. I was borrowing cash from friends and spent 3 days eating bad muesli and cheap milk. I lost a lot of code by accident. I put a lot of work into the bitcoin.org clients page to make everything fairer, and now it will be removed, helping to recentralise bitcoin again. Electrum maybe has a security flaw and Macs have random problems. The conference needs the CFP announced soon, but I have to deal with Bitcoinica first. My health is suffering and I'm getting headaches. Right now is the first time I'm feeling depression, and I'm a little worried because I've never had it before but my father did. I emailed a health professional and they advised me to seek help. I've started sleeping very long, being very lethargic and apathetic. When the Bitcoinica thing first happened, I was considering suicide until Tihan said he had the funds.


Cool story bro.

http://www.youtube.com/watch?v=DksSPZTZES0

Give us our money back.

I'm only halfway through, and posts are already starting to disappear. What the mother fucking hell is going on here?

~One pissed off mother fucker!!!~
ninjarobot
Hero Member
Activity: 761
Merit: 500
Mine Silent, Mine Deep
July 13, 2012, 12:29:03 PM
 #103

@Genjix - Can you please update https://bitcoinica.com/ with the info from the OP? You can not assume all customers are reading bitcointalk.org.
flower1024
Legendary
Activity: 1428
Merit: 1000
July 13, 2012, 12:31:29 PM
 #104

@Genjix - Can you please update https://bitcoinica.com/ with the info from the OP? You can not assume all customers are reading bitcointalk.org.

Why is this a problem?
It should change nothing for their customers.

But they should do so as soon as they have a plan for how to handle payouts.
hatshepsut
Member
Activity: 63
Merit: 10
July 13, 2012, 12:33:50 PM
 #105

This has been one of the most stressful situations with maximum suffering I have ever experienced. I am furious and I hope everyone involved putting us through this gets what's due to them. Karma is a bitch, you fucking wankers.

Right. Because this has not been the most stressful time of my life.

I have physical health problems and need to see a doctor, but haven't had the time. On the forums I'm called a scammer and repeatedly insulted. Someone is trying to sue us. My bank gave me crap and held my money. I was borrowing cash from friends and spent 3 days eating bad muesli and cheap milk. I lost a lot of code by accident. I put a lot of work into the bitcoin.org clients page to make everything fairer, and now it will be removed, helping to recentralise bitcoin again. Electrum maybe has a security flaw and Macs have random problems. The conference needs the CFP announced soon, but I have to deal with Bitcoinica first. My health is suffering and I'm getting headaches. Right now is the first time I'm feeling depression, and I'm a little worried because I've never had it before but my father did. I emailed a health professional and they advised me to seek help. I've started sleeping very long, being very lethargic and apathetic. When the Bitcoinica thing first happened, I was considering suicide until Tihan said he had the funds.


Cool story bro.

http://www.youtube.com/watch?v=DksSPZTZES0

Give us our money back.

I'm only halfway through, and posts are already starting to disappear. What the mother fucking hell is going on here?

~One pissed off mother fucker!!!~


I noticed that too.

Is it time to break out the pitchforks?
naima53
Hero Member
Activity: 616
Merit: 502
July 13, 2012, 12:34:47 PM
 #106

genjix, buy coins, freeze coin a term of 2 years, 2 years later, we continue this thread ... Seriously. You can make a vote. I think people will support it. It's better than get 1\2 - 30%. Because of the growth prices it will be a different figure (2 years later)  Roll Eyes

Donate me) 16f6iWHHkVEnDReeBQPT9GwCNwUfPTXrp2
bitclown
Full Member
Activity: 185
Merit: 100
July 13, 2012, 12:37:01 PM
 #107

While the initial hacker had the ability to cause this breach, it is likely that it was not taken advantage of until many users had access to the source code in a recent leak:

Code:
genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb 
if Rails.env.production?
  MtGox.configure do |config|
    config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
    config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
  end
end
Source code download link: http://depositfiles.com/files/2p6zvadzs

Why haven't we heard about this leak until now? Where did you learn about it from? Was the linked file published by you, or did the attacker plant evidence in the file props?
Code:
$ tar -jtvf bitcoinica.tar.bz2 | head -n1
drwxr-xr-x genjix/genjix     0 2012-07-07 21:18 bitcoinica_legacy/
RandomQ
Hero Member
Activity: 826
Merit: 500
July 13, 2012, 12:37:39 PM
 #108

Security is a state of mind.

Some people have it, some do not.  Huh

Every time you get hacked, you change all your passwords.
Phinnaeus Gage
Legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
July 13, 2012, 12:43:44 PM
 #109

This has been one of the most stressful situations with maximum suffering I have ever experienced. I am furious and I hope everyone involved putting us through this gets what's due to them. Karma is a bitch, you fucking wankers.

Right. Because this has not been the most stressful time of my life.

[...] spent 3 days eating bad muesli and cheap milk. [...] I'm feeling depression, and I'm a little worried [...] I've started sleeping very long, being very lethargic and apathetic.


Seems like my own life. Grin
Except I was never involved in such an epic fraud.

I still can't believe genjix's post is no longer up. This thread is nuts. I read one page, and two more are added.

Quick recap:

We have a mysterious investor named Wendon who's proven to be more elusive than Satoshi Nakamoto.
Patrick is no longer involved in this fiasco.
Genjix is about to commit suicide.
Tihan Seale, only an investor, has passwords.
Zhou Tong, an almost 18-year-old kid, has moved on to the next-big-thing--selling domain names.
And I'm losing real money (fiat, or whatever), although I didn't have any shake (420 Satoshis) in Bitcoinica.

Perhaps, I need to go to Chicago and get some of my wood buying clients to start accepting Bitcoin. I'm sure as hell that would help my bottom line.

I is not happy, now!

~Bruno~
kiba
Legendary
Activity: 980
Merit: 1014
July 13, 2012, 12:45:47 PM
 #110


So basically Bitcoinica was losing money paying back claims; can you explain how you lose money that's not even yours paying back claims?

Bitcoinica have to pay staff to deal with this. Anytime they're not operating, they're not making money.

In short, they are losing money to eat, pay rent, keep server up because they didn't do due diligence at the beginning of time.

Raoul Duke
aka psy
Legendary
Activity: 1358
Merit: 1002
July 13, 2012, 12:47:39 PM
 #111

/bitcoinica_legacy/.git/logs/HEAD
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

hmmm... so, it was genjix who leaked the Bitcoinica source code?
That Unix timestamp is Thu, 31 May 2012 23:03:58 GMT

That source code came from github, not from the deleted servers. On that date the servers were already gone.
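As an added example (not code from anyone in this thread), a parser for the `.git/logs/HEAD` record format quoted above: it splits the fixed fields, decodes the epoch and zone offset, and reproduces the GMT time stated in the post. The reflog line is copied from the thread; the record's old-sha field being all zeros is what marks a fresh clone. A reflog timestamp comes from the clock of the machine that ran git and can be rewritten, so on its own it dates the clone, not the leak.

```python
import re
from datetime import datetime, timedelta, timezone

# Reflog record as quoted in the thread. Format of one .git/logs/HEAD line:
# <old-sha> <new-sha> <name> <<email>> <epoch> <tz>\t<message>
REFLOG_LINE = (
    "0000000000000000000000000000000000000000 "
    "939e877106a5bd479f350adc6d9e4170c62df8f3 "
    "genjix <genjix@nite.(none)> 1338505438 +0200\t"
    "clone: from git@github.com:bitcoinica/bitcoinica_legacy.git"
)

REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) "
    r"(?P<name>.*?) <(?P<email>[^>]*)> "
    r"(?P<epoch>\d+) (?P<tz>[+-]\d{4})\t(?P<msg>.*)$"
)


def parse_reflog_line(line):
    """Parse one git reflog record into its fields plus UTC and local times."""
    m = REFLOG_RE.match(line)
    if not m:
        raise ValueError("not a git reflog record")
    d = m.groupdict()
    epoch = int(d["epoch"])
    # tz is the committer's offset from UTC at the time, e.g. +0200
    sign = 1 if d["tz"][0] == "+" else -1
    offset = sign * timedelta(hours=int(d["tz"][1:3]), minutes=int(d["tz"][3:5]))
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return {
        "old": d["old"],
        "new": d["new"],
        "name": d["name"],
        "email": d["email"],
        "utc": utc,
        "local": utc.astimezone(timezone(offset)),
        "action": d["msg"].split(":", 1)[0],   # e.g. "clone", "commit", "pull"
        "message": d["msg"],
        # An all-zero old sha means HEAD did not exist before this record,
        # i.e. this is the first entry written by a clone or init.
        "is_initial": set(d["old"]) == {"0"},
    }


if __name__ == "__main__":
    rec = parse_reflog_line(REFLOG_LINE)
    print("action :", rec["action"], "by", rec["name"], f"<{rec['email']}>")
    print("UTC    :", rec["utc"].strftime("%a, %d %b %Y %H:%M:%S GMT"))
    print("local  :", rec["local"].strftime("%Y-%m-%d %H:%M:%S %z"))
    print("initial:", rec["is_initial"])
```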
sadpandatech
Hero Member
Activity: 504
Merit: 500
July 13, 2012, 12:50:07 PM
 #112

/bitcoinica_legacy/.git/logs/HEAD
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

hmmm... so, it was genjix who leaked the Bitcoinica source code?
That Unix timestamp is Thu, 31 May 2012 23:03:58 GMT

and if it was that long ago, it leads me into thinking it unlikely a hacker used the info to guess there was a LastPass involved...

Who was it that originally stated that LastPass was the source for the current MtGox login? That person stole your fucking money.....  I'd bet my Scottrade account on it....

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
hatshepsut
Member
Activity: 63
Merit: 10
July 13, 2012, 12:52:36 PM
 #113

This has been one of the most stressful situations with maximum suffering I have ever experienced. I am furious and I hope everyone involved putting us through this gets what's due to them. Karma is a bitch, you fucking wankers.

Right. Because this has not been the most stressful time of my life.

I have physical health problems and need to see a doctor, but haven't had the time. On the forums I'm called a scammer and repeatedly insulted. Someone is trying to sue us. My bank gave me crap and held my money. I was borrowing cash from friends and spent 3 days eating bad muesli and cheap milk. I lost a lot of code by accident. I put a lot of work into the bitcoin.org clients page to make everything fairer, and now it will be removed, helping to recentralise bitcoin again. Electrum maybe has a security flaw and Macs have random problems. The conference needs the CFP announced soon, but I have to deal with Bitcoinica first. My health is suffering and I'm getting headaches. Right now is the first time I'm feeling depression, and I'm a little worried because I've never had it before but my father did. I emailed a health professional and they advised me to seek help. I've started sleeping very long, being very lethargic and apathetic. When the Bitcoinica thing first happened, I was considering suicide until Tihan said he had the funds.


Cool story bro.

http://www.youtube.com/watch?v=DksSPZTZES0

Give us our money back.

I'm only halfway through, and posts are already starting to disappear. What the mother fucking hell is going on here?

~One pissed off mother fucker!!!~


Re-quoted. Screenshot now.
Mt.Gox Support
VIP
Sr. Member
Activity: 308
Merit: 250
July 13, 2012, 12:55:25 PM
Last edit: July 13, 2012, 01:15:57 PM by Mt.Gox Support
 #114

Hi everyone

We are once again very sorry to hear what's happening to many of you and that once again Bitcoinica has been the victim of a theft.

As far as Mt.Gox is concerned and as Genjix explained, we did not suffer any breach or any hack; all other accounts are safe and the thief only targeted Bitcoinica's account. Mark (MagicalTux) has been in contact with many Bitcoin players since this announcement and offered any help we can give, but unfortunately all funds (USD & BTC) are no longer within our reach.

Once again, someone with a US IP succeeded in getting Bitcoinica's account credentials, which did not trigger any alarms since they were fully identified. Since Bitcoinica's account was a verified account, the owner of this account asked (this happened when Zhou was still controlling Bitcoinica) to have his limits lifted to the maximum possible, giving the thief the possibility to move Bitcoinica's assets to another external account (external to MtGox).

Despite our efforts on securing Mt.Gox and protecting everyone's assets, I would like to remind everyone that it is also your responsibility to secure your account with a very strong password and use either a Yubikey or Google Auth (you can even use both at the same time).

Of course, and within our capacity, we at Mt.Gox are ready to give a hand in any way we can to help Bitcoinica's team.

Mt.Gox

-- EDIT --

We would like to stress that Mt.Gox verified Bitcoinica as a Company and NOT as an Individual.

Mt.Gox : The Leading International Bitcoin Exchange.
Mt.Gox Merchant Solutions : https://mtgox.com/merchant
elux
Legendary
Activity: 1458
Merit: 1006
July 13, 2012, 12:55:51 PM
 #115

LastPass contains all your passwords. The username was info@bitcoinica.com.

Can someone please explain the intended meaning of the underlined sentence?

Has there been another leak of sensitive user data, in addition to theft?

sadpandatech
Hero Member
Activity: 504
Merit: 500
July 13, 2012, 12:58:48 PM
 #116

LastPass contains all your passwords. The username was info@bitcoinica.com.

Can someone please explain the intended meaning of the underlined sentence?

Has there been another leak of sensitive user data, in addition to theft?



By 'your', he is referring to a user of the program, not as in 'all of yours'.

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
Phinnaeus Gage
Legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
July 13, 2012, 12:59:16 PM
 #117

This has been one of the most stressful situations with maximum suffering I have ever experienced. I am furious and I hope everyone involved putting us through this gets what's due to them. Karma is a bitch, you fucking wankers.

Right. Because this has not been the most stressful time of my life.

I have physical health problems and need to see a doctor, but haven't had the time. On the forums I'm called a scammer and repeatedly insulted. Someone is trying to sue us. My bank gave me crap and held my money. I was borrowing cash from friends and spent 3 days eating bad muesli and cheap milk. I lost a lot of code by accident. I put a lot of work into the bitcoin.org clients page to make everything fairer, and now it will be removed, helping to recentralise bitcoin again. Electrum maybe has a security flaw and Macs have random problems. The conference needs the CFP announced soon, but I have to deal with Bitcoinica first. My health is suffering and I'm getting headaches. Right now is the first time I'm feeling depression, and I'm a little worried because I've never had it before but my father did. I emailed a health professional and they advised me to seek help. I've started sleeping very long, being very lethargic and apathetic. When the Bitcoinica thing first happened, I was considering suicide until Tihan said he had the funds.

Don't do too many things at the same time. Deal with Bitcoinica first. Keep in mind that whatever you pay out, at least 2/3 of the recipients will be complaining. But once you have paid out all of it, there is at least nothing left to fight about. Then you can go back to coding and be happy again.

Someone is trying to sue us.
Did you expect everyone to wait forever?


I'm currently on page 4. More pages have been added to this thread since I've started reading, albeit with posts disappearing.

I need to go on vacation. Fishing in Wisconsin with theymos sounds like fun. No internet. Just muskies.

~Bruno~
HorseRider
Donator
Legendary
Activity: 1120
Merit: 1001
July 13, 2012, 01:02:54 PM
 #118


Since Bitcoinica's account was a verified account, the owner of this account asked (this happened when Zhou was still controlling Bitcoinica) to have his limits lifted to the maximum possible, giving the thief the possibility to move Bitcoinica's assets to another external account (external to MtGox).


Can you help trace the account?

16SvwJtQET7mkHZFFbJpgPaDA1Pxtmbm5P
tbcoin
Legendary
Activity: 1022
Merit: 1000
July 13, 2012, 01:03:57 PM
 #119

/bitcoinica_legacy/.git/logs/HEAD
Code:
0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

hmmm... so, it was genjix who leaked the Bitcoinica source code?
That Unix timestamp is Thu, 31 May 2012 23:03:58 GMT

That source code came from github, not from the deleted servers. On that date the servers were already gone.

Genjix, please explain this.

Sorry for my bad English Wink
Bitcoin card for deposit and payment + Little POS
Donations:1N65efiNUhH6sEQg7Z6oUC76kJS9Yhevyf
OneEyed
aka aurele
Full Member
Activity: 154
Merit: 100
July 13, 2012, 01:05:49 PM
 #120

Since Bitcoinica's account was a verified account, the owner of this account asked (this happened when Zhou was still controlling Bitcoinica) to have his limits lifted to the maximum possible, giving the thief the possibility to move Bitcoinica's assets to another external account (external to MtGox).

I trust they have now put the default limits in place, haven't they?

What about refusing to raise those limits at MtGox if two steps authentication isn't used?
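As an added example, not part of the Mt.Gox post or of OneEyed's reply, a constructed policy check in the spirit of the suggestion above: a limit raise above the default tier is refused unless two-step authentication is enrolled, and a large withdrawal from a country the account has never used, or made with an API key alone, raises an alert even though the credentials are valid. The account, tier boundary, limit values and country codes are invented for illustration and are not Mt.Gox's actual rules or data.

```python
from dataclasses import dataclass

# Constructed tier boundary for illustration only; not an actual exchange limit.
DEFAULT_DAILY_LIMIT_USD = 1000.0


@dataclass
class Account:
    name: str
    verified: bool              # identity verified by the exchange
    two_factor: bool            # Yubikey / Google Auth enrolled
    daily_limit_usd: float
    known_countries: frozenset  # countries this account has been used from before


def decide_limit_raise(acct, requested_usd):
    """Allow a raise above the default tier only with verification AND 2FA."""
    if requested_usd <= DEFAULT_DAILY_LIMIT_USD:
        return True, "within default tier"
    if not acct.verified:
        return False, "identity not verified"
    if not acct.two_factor:
        return False, "two-factor authentication required above the default tier"
    return True, "approved"


def review_withdrawal(acct, amount_usd, source_country, credential):
    """Return alert reasons for a withdrawal request; an empty list means no alert.

    credential is 'password' or 'api_key'. Correct credentials are not taken
    as proof that the account owner is the one acting."""
    alerts = []
    if source_country not in acct.known_countries:
        alerts.append(f"first withdrawal from country {source_country}")
    if amount_usd > acct.daily_limit_usd:
        alerts.append("amount exceeds the account's daily limit")
    if amount_usd > DEFAULT_DAILY_LIMIT_USD:
        if credential == "api_key":
            alerts.append("large withdrawal via API key; require interactive 2FA step-up")
        if not acct.two_factor:
            alerts.append("large withdrawal on an account without 2FA")
    return alerts


def demo():
    # Constructed account modelled on the scenario in the post: verified as a
    # company, limits lifted, no second factor, previously used only from SG.
    acct = Account("example-company", verified=True, two_factor=False,
                   daily_limit_usd=10_000_000.0, known_countries=frozenset({"SG"}))
    raise_ok, reason = decide_limit_raise(acct, 10_000_000.0)
    alerts = review_withdrawal(acct, 250_000.0, "US", "api_key")
    return raise_ok, reason, alerts


if __name__ == "__main__":
    ok, why, alerts = demo()
    print("limit raise approved:", ok, "-", why)
    for a in alerts:
        print("ALERT:", a)
```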
