Bitcoin Price Crashes
Beardydog writes "Bitcoin trading site MtGox.com has suspended operations for the rest of the day after illicit access to at least one account resulted in a steep drop in the price of Bitcoins on the site. Commenters to the support page for the event are reporting that a list of usernames and associated email addresses and password hashes has been posted online. MtGox are currently planning to roll back all of the day's trading, email notices to all affected users, and require replacement passwords for affected accounts."
Found this on the Internet: http://pastebin.com/hN7PxRhc
These trades are done on a firm's website, with US$ and BTC balances stored on it. It's totally out of the hands of the bitcoin system except for deposits to (and withdrawals from) accounts on the site.
The only thing I can think of is that they are rolling back transactions which haven't settled yet (settlement=delivery). Because once the bitcoins held in a MtGox account have been transferred out to your bitcoin wallet, they can't get it back. But while they are still held in MtGox account, the actual owner of the coins is MtGox (much like your brokerage is the actual owner of your money while you have money deposited with the brokerage).
Any guest worker system is indistinguishable from indentured servitude.
"Mt. Gox", the main Bitcoin exchange, was originally "Magic the Gathering Online Exchange". Nobody really knows who runs "Mt. Gox"; it appears to be one person in Tokyo who's only reachable via email and IRC. (He must be having a terrible night; this all happened around 3AM in Japan.) It's not like there's some real financial institution, or even a funded start-up, behind this. Most, if not all, of the Bitcoin "exchanges" and "exchangers" are somewhat flaky entities. Bitcoin's ecosystem is financially very weak.
Understand that Mt. Gox is not just an exchange. It's a depository institution, like a bank. Customers have balances, in Bitcoins and other currencies, with Mt. Gox. But Mt. Gox is not regulated or audited as a bank or a brokerage, even though it holds other people's money. Accounts are uninsured.
This matters when something goes wrong and somebody gets stuck with losses. Mt. Gox claims they're going to "roll back" transactions to before the theft. But some of the money is already gone, transferred out before Mt. Gox shut down. Mt. Gox is going to have to eat some of those losses if they do a rollback. Do they have the cash? Nobody knows. They're not audited by anybody.
As for the security breach, not only is the entire file of usernames, email addresses, and encrypted passwords now widely available, so are the unencrypted passwords cracked so far. (One wonders why whoever stole the password file published it, but it may have to do with their needing help from others to crack the passwords.) As a result, TradeHill, another Bitcoin exchange based in Chile, has shut down, to avoid attacks using passwords obtained from Mt. Gox. Right now, there's no way to turn Bitcoins into dollars. (Euros, yes; right now the going rate is EUR11.51/BTC. But that market is very thin.)
Whether or not Bitcoins are a good idea, the market ecosystem behind them is far too flaky.
Rolling the transactions back is a huger blow to that interesting experiment, and basically undermines the attempt to get bitcoins accepted as a form of currency.
Trades on the exchange do not impact the Bitcoin blockchain (transaction history) directly, in the exact same way as money is not directly transferred to/from your bank when you trade. Any market event is buffered into the virtual accounts that traders hold with Mt.gox, while the actual bitcoins are in Mt.gox's wallet and the actual dollars are in Mt.gox's bank account. You need to specifically request a transfer to get either money or bitcoins out of the system.
So the event is in no way relevant for Bitcoin. It's just a bad case of unsanitized inputs.
I have an Mt.Gox account but have never actually used it for anything. I received the following e-mail earlier today.
Gmail also flagged suspicious failed login attempts on my e-mail account, so I had to go through a password reset process on it. Although I used a unique password at Mt.Gox, the attacker apparently is running automated login attempts using the stolen e-mail addresses and Mt.Gox passwords, so anyone using non-unique passwords is likely in trouble.
So much as it is a MTGox story.
About a week ago the first rumors of MtGox being compromised by a SQL injection exploit began to circulate.
Here's one of the original claims from someone calling themselves Buttsec from June 14th. Others which I'm too lazy to dig up were more specific and named MtGox explicitly:
http://pastebin.com/4NPemHfz
On that very same day, MTGox implemented a $1000 dollar withdrawal limit. Suspicious, right? For the past 3 days, there have been offers to sell MTGox's database of usernames and password hashes. Here's an example:
http://pastebin.com/ui0nusuZ
Today, there is this:
http://pastebin.com/hN7PxRhc
http://pastebin.com/w06pa2mB (there are many of these, the first link gives you the urls if you want to see them all)
This confirms MTGox was indeed hacked. One of the hackers offering to sell this database that came out today had even specifically mentioned that the hole he had used was CLOSED by MTGox a couple of days ago. Today, FINALLY, MTGox admits they were hacked and has sent out emails to all their users. Here is a copy:
http://pastebin.com/9Cx94wzs
In light of all of the evidence (more of which I'm sure you can find on your own), I find it very hard to believe that MtGox was not aware they had been hacked, and yet they've been denying it and operating normally (aside from the newly added withdrawal limit, which they even boast about in the linked press release). In fact, I found one reddit page of many where MtGox users were complaining their accounts had been compromised (There have been many over the past week) and the employee flat out denies that they have ANY reason to suspect they've been compromised:
Here's one such complaint among many: http://www.reddit.com/r/Bitcoin/comments/i17jd/i_just_got_ripped_off_on_mtgox/
And here's one with an employee denial: http://www.reddit.com/r/Bitcoin/comments/i2dkn/mt_gox_has_some_serious_issues/
Here's all that (purported) employee's posts: http://www.reddit.com/user/MtGox_Adam
Long story short: For the last week (5 days at least), I've been wondering if MtGox had been truly hacked or if someone was just trying to depress the price of bitcoins by spreading rumors. Today I don't have to wonder anymore. What I do have to wonder about is why has MtGox kept silent for the past week when ALL indications were that they KNEW. They fixed the hole, added the withdrawal limit, and yet kept on denying they had an issue when dozens of users complained of account compromises. Rather than admit the issue and try to have it fixed, they apparently tried to keep it a secret. How can we trust any company that handles security issues in this manner?
Other USD exchanges are still running fine.
From Bitcoin.org's market table:
Look at those tiny volumes. Total volume for all the little guys is under 0.1% of Mt. Gox, which was trading over 200,000 bitcoins per day. With Mt. Gox and TradeHill off-line, the market is dead. None of those little guys have any significant buyers available.
It wasn't until bitcoin that I understood the point of constant inflation: it makes credit feasible. You can only borrow safely if you can be almost certain money won't increase in relative value in the future, and to make a borrower feel truly safe currency value should have a near certainty of decreasing somewhat. With significant deflation a possibility you can't even take out a car loan without simultaneously risking indentured servitude; it would be insane to take home or business loans, and I don't mean figuratively insane, either.
Good points, I'd like to add that this isn't just a theoretical worry. In the 1800s, the dollar was hit with very high year to year deflation or inflation (despite basically no long term inflation). Farmers at the time would often take out loans to buy seeds and then pay them back once they sold their produce the following year. Many went bankrupt when deflation made their crops sell for 30+% less than expected but left the terms of the loan unchanged.
Say what you will about the Federal Reserve, they have kept the dollar remarkably stable in terms of inflation and deflation compared to what came before.