Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 155938 times)
kiba (Legendary; Activity: 980, Merit: 1014)
July 23, 2012, 11:23:29 PM  #661

Quote
You are right. It's too complicated. And that's why it has to be more in the direction of the second sentence above. I really can't believe all the hacker stories, sorry. Just doesn't get into my head.

A successful hack attempt is the simplest story and has the strongest evidence thus far. All the other hypotheses don't have much evidence and are more complicated to attempt.

LoupGaroux (Sr. Member; Activity: 574, Merit: 250)
July 23, 2012, 11:24:35 PM  #662

How about a public demand that any settled assets be pooled for a proportional payment to all claimants (except Maria!)? That's what a Court would order if this does actually go into any kind of receivership, especially since certain privileged friends were paid in full while others were being lied to.

Sorry boys, but quitting does not absolve you of your liability for this criminal act: each and every one of you, Zhou, Patrick, Tihan et al. remain jointly and severally liable for the debt which you took on, especially since you chose to take it on under an apparently fraudulent basis considering your filings with the New Zealand government. Saying you got voted off the island does not remove the stain of criminal actions, and I hope each one of you is apprehended, charged and tried for the massive fraud that you have committed. Bitcoin has suffered immensely at the hands of your premeditated acts of criminal diversion of funds, and the on-going lies and misdirection that you have subjected this community to. I hope the victims are filing charges against you right now, and I look forward to hearing how your little investment group gets its nuts torn off by the police in whatever jurisdiction you are hiding in.

Scumbags all.
kiba (Legendary; Activity: 980, Merit: 1014)
July 23, 2012, 11:29:09 PM  #663

Quote
Sorry boys, but quitting does not absolve you of your liability for this criminal act- each and every one of you, Zhou, Patrick, Tihan et al. remain jointly and severally liable for the debt which you took on, especially since you chose to take it on under an apparently fraudulent basis considering your filings with the New Zealand government. Saying you got voted off the island does not remove the stain of criminal actions, and I hope each one of you is apprehended, charged and tried for the massive fraud that you have committed.

That is your opinion. Care to back it up with facts?

Quote
Bitcoin has suffered immensely at the hands of your premeditated acts of criminal diversion of funds, and the on-going lies and misdirection that you have subjected this community to. I hope the victims are filing charges against you right now, and I look forward to hearing how your little investment group gets it's nuts torn off by the police in whatever jurisdiction you are hiding in.

Scumbags all.

Unless you have evidence that this is a premeditated theft and knowledge that there are on-going lies and misdirection by Bitcoinica team members, it has no basis.

Bitcoin Oz (Hero Member; Activity: 686, Merit: 500)
July 23, 2012, 11:33:46 PM  #664

This still hasn't been reported to the cops? Huh?

kiba (Legendary; Activity: 980, Merit: 1014)
July 23, 2012, 11:34:46 PM  #665

Quote
This still hasn't been reported to the cops? Huh?

MtGox filed a police report, but would not detail what they know until the investigation is over. Bitcoinica are probably talking to their lawyers about what they should do.

zhoutong (VIP, Hero Member; Activity: 490, Merit: 502)
July 23, 2012, 11:35:32 PM  #666

Quote
Sorry boys, but quitting does not absolve you of your liability for this criminal act- each and every one of you, Zhou, Patrick, Tihan et al. remain jointly and severally liable for the debt which you took on, especially since you chose to take it on under an apparently fraudulent basis considering your filings with the New Zealand government.

Please, I haven't signed anything about Bitcoinica since the end of 2011.

I have never signed on any New Zealand document.

And I have never signed any document with the name "Patrick" in it.

I quit because the prerequisite I set has been met: Bitcoinica pays back 50% of all available funds, which is true after the Mt. Gox account hack. I'm a claimant too. Bitcoinica owes me $350 in USD account balance, and about $780 in the bills. I even have to cancel two of my credit cards because I don't have access to the accounts that keep charging me every month.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
repentance (Hero Member; Activity: 868, Merit: 1000)
July 23, 2012, 11:43:27 PM  #667

Quote
How about a public demand for any settled assets be pooled for a proportional payment to all claimants (except Maria!)? That's what a Court would order if this does actually go into any kind of receivership, especially since certain privileged friends were paid in full while others were being lied to.

A court would order the Official Assignee to take control of the assets of the business and liquidate them, period.  The manner in which the liquidated assets must be distributed is laid down by law and unsecured creditors are actually at the bottom of that list.

Until otherwise established by a court ruling, Bitcoinica LP is the only entity responsible for returning user funds.  Any legal action to make people liable at an individual level hasn't yet taken place, may be quite pointless to pursue and would not necessarily succeed.

All I can say is that this is Bitcoin. I don't believe it until I see six confirmations.
kiba (Legendary; Activity: 980, Merit: 1014)
July 23, 2012, 11:44:01 PM  #668

Quote
Please, I haven't signed anything about Bitcoinica since the end of 2011.

The hacker is anonymous, so they're going to blame identifiable individuals, even if the evidence is sorely lacking.

Any time a hacking fiasco happens, it basically turns into a witchhunt, because people feel extremely powerless.

MrTeal (Legendary; Activity: 1274, Merit: 1004)
July 23, 2012, 11:47:02 PM  #669

Quote
Hi, you misunderstood me. I was talking about mtgox, not LastPass.

There would be no need to log in multiple times to MtGox. From what Genjix claimed, the thief hacked into their LastPass account, which had the new MtGox password stored within. It's the hacking into LastPass that would require guessing the password correctly within 5 attempts.

Quote
We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occurred because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

Quote
Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.

LastPass contains all your passwords. The username was info@bitcoinica.com. After the initial compromise, the sourcecode would have been tainted. But the password for LastPass was not changed.

Even if it was the original hacker, according to genjix the LastPass PW was not compromised. The password was the MtGox API key and that key was stored in the source that the Rackspace hacker would have had access to, but how likely is it that if you had 5 guesses you would choose an API key buried in the source vs attempting one of the other passwords that you did compromise to see if it was a duplicate of those?
repentance (Hero Member; Activity: 868, Merit: 1000)
July 24, 2012, 12:00:40 AM  #670

Quote
Even if it was the original hacker, according to genjix the LastPass PW was not compromised. The password was the MtGox API key and that key was stored in the source that the Rackspace hacker would have had access to, but how likely is it that if you had 5 guesses you would choose an API key buried in the source vs attempting one of the other passwords that you did compromised to see if it was a duplicate of those?

Which is what most people assume they did.  You get 5 attempts before it locks you out for 5 minutes and sends an email.  If the list of compromised passwords the hacker had wasn't especially long, then they didn't have a lot to lose by trying the duplicates - if one of them was right, there was every chance they'd be into the LastPass account before anyone read the email.

Quote
Any time a hacking fiasco happens, it basically turns into a witchhunt, because people feel extremely powerless.

This is equally true when conventional companies go out of business.

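
The failure MrTeal and repentance are reasoning about in the two posts above is mechanical: a secret that sat in the leaked source tree (the MtGox API key) was also the vault's master password, and a 5-attempt lockout only bounds how many guesses fit in a window, so a short list of already-compromised credentials is worth trying. The check below is an added example, not code from the thread, from Bitcoinica or from LastPass. Everything in it is constructed: the source snippet, the vault rows, the entry names and addresses, and the secret values. The lockout parameters (5 attempts, then a 5-minute lock and a notification mail) are the ones repentance describes.

```python
"""Secret-reuse check: does any secret that leaked with the source tree also
serve as a password somewhere in the vault?  Added example; the source
snippet, vault rows, names and values are all constructed."""
import hashlib
import hmac
import os
import re

# Anything shaped like "<name containing key/secret/token/password> = <value>".
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*[\"']?([A-Za-z0-9+/=_-]{16,})"
)

# Constructed stand-in for the hosted source tree the first intruder could read.
LEAKED_SOURCE = """
EXCHANGE_API_KEY = "c0ffee17-2d9a-4f5e-a1b2-deadbeef0001"
HOSTING_TOKEN = "hs_9fa2c1e7b3d4e5f6a7b8c9d0e1f2a3b4"
DB_PASSWORD = "hunter2hunter2hunter2"
"""

# Constructed vault export: (entry, username, password).
VAULT = [
    ("vault master password", "info@example.invalid", "c0ffee17-2d9a-4f5e-a1b2-deadbeef0001"),
    ("exchange-a.example", "info@example.invalid", "rotated-after-breach-Tr0ub4dor"),
    ("mail admin (hosted domain)", "admin@example.invalid", "hs_9fa2c1e7b3d4e5f6a7b8c9d0e1f2a3b4"),
    ("hosting.example", "ops@example.invalid", "shared-between-two-sites-42"),
    ("exchange-b.example", "ops@example.invalid", "shared-between-two-sites-42"),
]


def harvest_secrets(text):
    """Return the secret values found in source/config text, in order of appearance."""
    return SECRET_ASSIGNMENT.findall(text)


def find_reuse(leaked, vault):
    """Vault rows (entry, user, password) whose password equals a leaked secret."""
    leaked_set = set(leaked)
    return [(entry, user, pw) for entry, user, pw in vault if pw in leaked_set]


def find_duplicates(vault):
    """Passwords used by more than one vault entry, mapped to those entries."""
    by_pw = {}
    for entry, _user, pw in vault:
        by_pw.setdefault(pw, []).append(entry)
    return {pw: entries for pw, entries in by_pw.items() if len(entries) > 1}


def attempts_before_hit(candidates, target, max_attempts=5, lockout_seconds=300):
    """Model the lockout repentance describes: max_attempts guesses, then a lock of
    lockout_seconds plus a notification mail.  Returns (attempts, lockouts, seconds)
    an attacker trying `candidates` in order needs to reach `target`, or None."""
    for n, candidate in enumerate(candidates, start=1):
        if candidate == target:
            lockouts = (n - 1) // max_attempts
            return n, lockouts, lockouts * lockout_seconds
    return None


def fingerprint(secret, key):
    """Short keyed digest so a report can name a secret without printing it."""
    return hmac.new(key, secret.encode(), hashlib.sha256).hexdigest()[:12]


def report(leaked_text=LEAKED_SOURCE, vault=VAULT):
    """Human-readable findings; secrets appear only as per-run fingerprints."""
    key = os.urandom(32)
    leaked = harvest_secrets(leaked_text)
    lines = []
    for entry, user, pw in find_reuse(leaked, vault):
        hit = attempts_before_hit(leaked, pw)
        lines.append(
            f"REUSED: leaked secret {fingerprint(pw, key)} is the password for {entry} ({user}); "
            f"trying the {len(leaked)} leaked secrets in order reaches it in {hit[0]} attempt(s), "
            f"{hit[1]} lockout(s), {hit[2]}s"
        )
    for pw, entries in find_duplicates(vault).items():
        lines.append(f"DUPLICATE: {fingerprint(pw, key)} shared by {', '.join(entries)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The report never prints a secret, only an HMAC fingerprint keyed with a fresh random key, so it can be pasted into a ticket. The lockout model makes repentance's point concrete: with three leaked secrets the reused one is reached without ever triggering the lock, and even a list of seven candidates costs the attacker a single five-minute wait.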
Bitcoin Oz (Hero Member; Activity: 686, Merit: 500)
July 24, 2012, 12:05:00 AM  #671

Quote
This still hasn't been reported to the cops? Huh?

Quote
MtGox filed a police report, but would not details what they know until investigation is over. Bitcoinica are probably talking to their lawyers about what they should do.

You need to speak to lawyers first when you get stolen from?

greyhawk (Hero Member; Activity: 938, Merit: 1009)
July 24, 2012, 12:09:01 AM  #672

Quote
This still hasn't been reported to the cops? Huh?

Quote
MtGox filed a police report, but would not details what they know until investigation is over. Bitcoinica are probably talking to their lawyers about what they should do.

Quote
You need to speak to lawyers first when you get stolen from?

If you're a criminal organization, then yes, it would be advisable.
zhoutong (VIP, Hero Member; Activity: 490, Merit: 502)
July 24, 2012, 12:16:44 AM  #673

I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.


Quote
07/12/2012 22:17:04  LastPass.com  67.188.9.35  Master Password Changed
07/17/2012 08:30:52  LastPass.com  0.0.0.0      Master Password Reverted

repentance (Hero Member; Activity: 868, Merit: 1000)
July 24, 2012, 12:21:18 AM  #674

Quote
You need to speak to lawyers first when you get stolen from?

When a non-trivial amount of your users have likely been using your service to commit financial offences, then you sure as shit want to be consulting your lawyers when deciding how to proceed after a theft.


Quote
07/12/2012 22:17:04  LastPass.com  67.188.9.35  Master Password Changed
07/17/2012 08:30:52  LastPass.com  0.0.0.0      Master Password Reverted

Was the 12 July master password change after the hack (hack was announced on 13 July)?

It's concerning that anyone would revert the password.

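
The two-line history zhoutong pasted and the questions repentance asks about it (was the 12 July change before the 13 July announcement, and why does the revert carry no source address?) are exactly what a triage of the account history should answer without anyone eyeballing it. The script below is an added example, not LastPass code and not from the thread. It parses the same four-field layout as the quoted entries (timestamp, site, IP, action, with the blank field dropped); the two quoted events are kept as shown and two Login records are constructed around them; the 13 July cutoff is the announcement date repentance cites; timestamps are treated as naive local time because the page gives no zone.

```python
"""Triage of a LastPass-style account history.  Added example, not LastPass
code: the two quoted events are kept as shown, the two Login records are
constructed, and the cutoff is the 13 July announcement date from the thread."""
import ipaddress
from datetime import datetime

SENSITIVE_ACTIONS = {"Master Password Changed", "Master Password Reverted"}
INCIDENT_ANNOUNCED = datetime(2012, 7, 13)  # assumed: announcement date given in the thread

# Same layout as the quoted history: timestamp, site, (blank), IP, action.
SAMPLE_HISTORY = """\
07/10/2012 09:12:01
LastPass.com
 
203.0.113.7
Login
07/12/2012 22:17:04
LastPass.com
 
67.188.9.35
Master Password Changed
07/17/2012 08:30:52
LastPass.com
 
0.0.0.0
Master Password Reverted
07/18/2012 03:02:10
LastPass.com
 
198.51.100.23
Login
"""


def parse_history(text):
    """Group the non-blank lines into (time, site, ip, action) records."""
    fields = [line.strip() for line in text.splitlines() if line.strip()]
    if len(fields) % 4:
        raise ValueError(f"truncated history: {len(fields)} fields is not a multiple of 4")
    records = []
    for i in range(0, len(fields), 4):
        ts, site, ip, action = fields[i:i + 4]
        records.append({
            "time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"),
            "site": site,
            "ip": ip,
            "action": action,
        })
    return records


def source_is_unusable(ip):
    """True when the logged address cannot identify a client at all: 0.0.0.0 or ::,
    loopback, or not an address.  Private ranges are deliberately allowed, since a
    service behind NAT or a proxy legitimately logs them."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return addr.is_unspecified or addr.is_loopback


def baseline_ips(records, cutoff):
    """Addresses seen on ordinary logins before the cutoff."""
    return {r["ip"] for r in records if r["action"] == "Login" and r["time"] < cutoff}


def triage(records, cutoff=INCIDENT_ANNOUNCED):
    """Return (time, action, ip, reasons) for every record that needs a human look."""
    known = baseline_ips(records, cutoff)
    findings = []
    for r in records:
        reasons = []
        sensitive = r["action"] in SENSITIVE_ACTIONS
        if sensitive:
            when = "before" if r["time"] < cutoff else "after"
            reasons.append(f"sensitive action {when} incident announcement")
        if source_is_unusable(r["ip"]):
            reasons.append("no usable source address")
        if r["ip"] not in known and (sensitive or r["time"] >= cutoff):
            reasons.append("source not in pre-incident login baseline")
        if reasons:
            findings.append((r["time"].isoformat(), r["action"], r["ip"], reasons))
    return findings


if __name__ == "__main__":
    for when, action, ip, reasons in triage(parse_history(SAMPLE_HISTORY)):
        print(f"{when}  {action:<24} {ip:<15} {'; '.join(reasons)}")
```

On the constructed input the 12 July change is reported as a sensitive action before the announcement from an address never seen on a normal login, the 17 July revert is reported as after the announcement with no usable source address, and the ordinary pre-incident login produces nothing. The baseline is built only from logins before the cutoff, so an attacker who logs in after the incident cannot launder their own address into it.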
elux (Legendary; Activity: 1458, Merit: 1006)
July 24, 2012, 12:24:29 AM  #675

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.


What. The. Hell.
BitBuster (Member; Activity: 101, Merit: 10)
July 24, 2012, 12:27:02 AM  #676

I may have my facts wrong on some of this, so (those who actually know) please feel free to correct me?

1. Why did the hacker make a cash withdrawal? This supposedly gives Mt. Gox the account details of where the money was sent? If he/she were smart, they'd surely try to buy up as much bitcoin as possible then transfer the lot out of Mt. Gox and into an outside bitcoin address? Surely it's worth maintaining anonymity and reducing the risk of being caught for the sake of not being able to take the whole $40k?

2. Keyrings like LastPass are great for fools who refuse to take responsibility for their own data/account security. But for a programmer or system administrator to provide one attack vector (externally sourced, no less!) that gives access to all parts of the system isn't just negligent, it's deliberate and wilful.

3. Understanding that the API key was used as a password temporarily by someone who isn't normally involved in such matters may be forgivable. However, this being brought to the attention of those in charge of technical operations and it not being resolved immediately is laughable.

In relation to 2 and 3: either the person/people responsible are clearly without the faculties to run such an operation, or they do have the technical sense to know that these flaws were critical and were either complicit or wilfully negligent.

It's clear from reading the email transcripts that competition with other exchanges and profitability were driving factors in whatever arrangements were being made regarding ownership. Regardless of this strong incentive not to suspend Bitcoinica's operation, those in charge should have done so as soon as they discovered these open barn doors and worked on shutting them before resuming.

What I find most troubling is that despite (according to the email transcripts) the Intersango / Bitcoin Consultancy trio knowing about these issues before they were exploited and therefore being absolutely culpable, people still seem to trust them enough to be trading on Intersango still?! If they were willing to leave holes unfilled for the sake of profit continuity at Bitcoinica, how can it be concluded that the same isn't true for Intersango?

My honest feeling is that the bitcoin community is blessed with technical talent. Unfortunately many appear to be straying far from their own skill sets and wasting other people's money while they learn new ones.


BB.
zhoutong (VIP, Hero Member; Activity: 490, Merit: 502)
July 24, 2012, 12:31:38 AM  #677

Quote
Was the 12 July master password change after the hack (hack was announced on 13 July)?

It's concerning that anyone would revert the password.

It should be. I can't answer with definite answers because I didn't change it.

It's concerning because an email account with admin rights of the entire Google Apps domain and also the domain name itself is stored in LastPass. The hacker can easily remove any critical email notifications by changing the settings of the mailing list info@bitcoinica.com.

kiba (Legendary; Activity: 980, Merit: 1014)
July 24, 2012, 12:38:19 AM  #678

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.

From my understanding, it doesn't matter if the hacker didn't log into a LastPass account. That's because the API key is the same password for a MtGox account.

kiba (Legendary; Activity: 980, Merit: 1014)
July 24, 2012, 12:39:18 AM  #679

Quote
If you're a criminal organization, then yes, it would be advisable.

Nay, if you got any common sense, you talk to your lawyers, period.

ChrisKoss (Full Member; Activity: 169, Merit: 100)
July 24, 2012, 12:41:19 AM  #680

Quote
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

Shocked

I am a consultant providing services to CoinLab, Inc.