Bitcoin Price Crashes
Beardydog writes "Bitcoin trading site MtGox.com has suspended operations for the rest of the day after illicit access to at least one account resulted in a steep drop in the price of Bitcoins on the site. Commenters to the support page for the event are reporting that a list of usernames and associated email addresses and password hashes has been posted online. MtGox are currently planning to roll back all of the day's trading, email notices to all affected users, and require replacement passwords for affected accounts."
These trades are done on a firm's website, with US$ and BTC balances stored on it. It's totally out of the hands of the bitcoin system except for deposits to (and withdrawals from) accounts on the site.
I have a Mt.Gox account but have never actually used it for anything. I received the following e-mail earlier today.
Gmail also flagged suspicious failed login attempts on my e-mail account, so I had to go through a password reset process on it. Although I used a unique password at Mt.Gox, the attacker apparently is running automated login attempts using the stolen e-mail addresses and Mt.Gox passwords, so anyone using non-unique passwords is likely in trouble.
So much as it is a MTGox story.
About a week ago the first rumors of MtGox being compromised by a SQL injection exploit began to circulate.
Here's one of the original claims from someone calling themselves Buttsec from June 14th. Others which I'm too lazy to dig up were more specific and named MtGox explicitly:
http://pastebin.com/4NPemHfz
On that very same day, MTGox implemented a $1000 withdrawal limit. Suspicious, right? For the past 3 days, there have been offers to sell MTGox's database of usernames and password hashes. Here's an example:
http://pastebin.com/ui0nusuZ
Today, there is this:
http://pastebin.com/hN7PxRhc
http://pastebin.com/w06pa2mB (there are many of these, the first link gives you the urls if you want to see them all)
This confirms MTGox was indeed hacked. One of the hackers offering to sell this database that came out today had even specifically mentioned that the hole he had used was CLOSED by MTGox a couple of days ago. Today, FINALLY, MTGox admits they were hacked and has sent out emails to all their users. Here is a copy:
http://pastebin.com/9Cx94wzs
In light of all of the evidence (more of which I'm sure you can find on your own), I find it very hard to believe that MtGox was not aware they had been hacked, and yet they've been denying it and operating normally (aside from the newly added withdrawal limit, which they even boast about in the linked press release). In fact, I found one reddit page of many where MtGox users were complaining their accounts had been compromised (there have been many over the past week) and the employee flat out denies that they have ANY reason to suspect they've been compromised:
Here's one such complaint among many: http://www.reddit.com/r/Bitcoin/comments/i17jd/i_just_got_ripped_off_on_mtgox/
And here's one with an employee denial: http://www.reddit.com/r/Bitcoin/comments/i2dkn/mt_gox_has_some_serious_issues/
Here are all of that (purported) employee's posts: http://www.reddit.com/user/MtGox_Adam
Long story short: For the last week (5 days at least), I've been wondering if MtGox had been truly hacked or if someone was just trying to depress the price of bitcoins by spreading rumors. Today I don't have to wonder anymore. What I do have to wonder about is why MtGox has kept silent for the past week when ALL indications were that they KNEW. They fixed the hole, added the withdrawal limit, and yet kept on denying they had an issue when dozens of users complained of account compromises. Rather than admit the issue and try to have it fixed, they apparently tried to keep it a secret. How can we trust any company that handles security issues in this manner?