
500k Bitcoins traded in 1h, Mt.Gox market hacked + crash - eis
http://bitcoincharts.com/charts/chart.png?width=976&m=mtgoxUSD&k=&r=1&i=&c=0&s=&e=&Prev=&Next=&v=1&cv=0&ps=0&l=0&p=0&t=S&b=&a1=&m1=10&a2=&m2=25&x=0&i1=&i2=&i3=&i4=&SubmitButton=Draw&
======
buro9
From the mt.gox site:

    
    
      Huge Bitcoin sell off due to a compromised account - rollback
      
      The bitcoin will be back to around 17.5$/BTC after we rollback all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).
      
      Service should be back by June 20th 10:00am (JST, 01:00am GMT) with all the trades reversed and accounts available.
      
      One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdrawal limit was active for this account and the hacker could only get out with $1000 worth of coins.
      
      Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.
    

I'm interested in the fact that they can do a rollback... is that just a
rollback of their transaction log? Are they buffering transactions for a
significant period before submitting them back to the network?

~~~
iki23
[Update - 2:06 GMT] What we know and what is being done.

* It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

* Two months ago we migrated from MD5 hashing to FreeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.

* We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.

* Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.

* When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.

* Once Mt.Gox is back online, trades 218869~222470 will be reverted.

<https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback>

~~~
norswap
"We have been working with Google to ensure any gmail accounts associated with
Mt.Gox user accounts have been locked and need to be reverified."

Ah, that's why I had to change my password then.

~~~
bermanoid
Yes, I was also worried when I saw the suspicious activity flag had been
tripped on my acct., but apparently that doesn't actually mean that anyone
actually tried anything, just that our e-mails appeared in the list.

Luckily I never reuse passwords for important stuff like e-mail or anything
that touches money...

------
tlrobinson
There's an alleged database dump of Mt Gox floating around...
<https://twitter.com/#!/954/status/82531189705019392>

UPDATE: looks legit.

<http://forum.bitcoin.org/index.php?topic=19543.0>

<https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback>

~~~
soult
I can confirm that the alleged dump is the real deal.

Some passwords are md5 hashes, some are salted md5 hashes (utilizing the
crypt[0] function). I did not log in for a long time and my password was still
unsalted, so I assume that converting to salted passwords was done either
automatically on login or on password changes.

0: <http://www.kernel.org/doc/man-pages/online/pages/man3/crypt.3.html>

~~~
bradleyland
I hate to look down my nose at other programmers, because I understand that we
all start somewhere, but if you are building a _financial exchange_ and you
encrypted passwords using unsalted MD5 at any point in the history of your
product, you have proven to me that you are learning as you go, and there is
no way in hell I'd trust you with any significant sum of money.

~~~
Hawramani
Where do programmers learn about this stuff? Is it taught at schools? Can
anyone recommend good books on proper security procedures?

~~~
michaelf
A great place to start is "Applied Cryptography" by Bruce Schneier.

<http://www.schneier.com/book-applied.html>

Edit: Note, this really barely scratches the surface for building secure
software. AC says how to apply cryptographic primitives correctly. It won't
teach you how to avoid vulnerabilities specific to particular application
domains (like CSS, SQL injection, etc...).

~~~
marshray
That book is old, and though still basically correct, there's much better ways
to learn about the practice of developing secure systems. I recommend
"Cryptography Engineering" by Ferguson, Schneier, Kohno which is a more modern
descendant of Schneier's AC.

~~~
michaelf
Looks like I need to update my bookshelf. Thanks for the recommendation.

------
eis
A little bit explanation:

Mt.Gox is the biggest bitcoin market place by far. During the last 1h the
whole volume of about 500k BTC was traded making the price drop from somewhere
around $17 to virtually nothing.

Details are not available yet. It could have been a bug or an intruder.

Rumors have it that someone with a huge wallet got hacked.

<+MagicalTux> someone with lots of coins did get hacked

MagicalTux is working on Mt.Gox

Also some other markets like btcex or tradehill are seeing problems and/or
price drops.

Update: Mt.Gox have published an announcement:

<https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback>

~~~
weavejester
I'm surprised that people with large amounts of bitcoin don't have better
security measures. For that amount of money, I'd consider securing the private
key in a safety deposit box. Probably several safety deposit boxes, actually.

~~~
tlrobinson
They apparently had 500k BTC in their MtGox account, which is insane. Unless
they were actively trading all of that they should have withdrawn from MtGox
to the BitCoin network.

~~~
joeyh
If they were Satoshi, they could be sitting on enough early-adopter bitcoins
that 500k is relatively not insane.

------
trotsky
This was apparently on HN 14 hours ago:

 _Mtgox hacked database listed for sale (pastebin.com)_

<http://news.ycombinator.com/item?id=2670302>

pointed to: <http://pastebin.com/ui0nusuZ>

which says:

    
    
      I have hacked into mtgox database. Got a huge number of logins password combos.
      Mtgox has fixed the problem now. Too late, cause I've already got the data.
    
      Will sell the database for the right price.
      Send your offers to：
      gfc06@hotmail.com

~~~
Tichy
Was he accepting BitCoins?

------
skrebbel
i must admit i'm somewhat impressed how _fast_ the hackers and cheaters
managed to take over bitcoin trading.

i think it's kind of cute. people hoped for an economy no government could
control, and got exactly that: anarchy and a burning world.

~~~
gst
Where is anarchy? What's burning?

Someone sold a huge amount of Bitcoins. The market acted accordingly. Expect a
bounce back to the old exchange rate as soon as Mt. Gox is available again.

Of course it might be possible that the computer of the person who sold the
Bitcoin was cracked. But that's not the fault of Bitcoin - if someone is not
capable of taking care of the security of his local computer, it's better not
to use a distributed currency where your money is basically stored inside a
single file.

~~~
bxc
> Someone sold a huge amount of Bitcoins. The market acted accordingly.

It doesn't seem very free market to rollback the market and cancel all the
free market trades that happened.

~~~
sqrt17
No, but that's also what would happen when the stock market behaves weirdly
enough. It's a good thing, though, that stock markets and foreign exchanges
have more trading volume; I'm starting to wonder what happens if a random
bloke with a million actual USD wants to game the bitcoin like George Soros
did it with the Swedish kroner.

~~~
stef25
Sorry for being off topic but do you have a link that explains how Soros games
the kroner? Just out of genuine interest.

~~~
sqrt17
Actually the bigger event around it was the Black Friday in 1992: The Bank of
England was hoping/pretending that the pound would stay strong against the FRG
Mark, whereas Soros lent a massive amount of pounds to other people. When the
pound finally devalued, he could fulfill the lendings (at the cheaper pound
price). The Swedish currency took similar damage.

Basically, governments trying to stabilize their currency are in danger of
losses whenever they meet someone with even deeper pockets. In contrast, the
Japanese government could out-trade Soros in the crash in 1987 and Soros had
to pocket substantial losses.

<http://en.wikipedia.org/wiki/Black_Wednesday>
<http://en.wikipedia.org/wiki/Monetary_policy_of_Sweden#1992>

------
phamilton
I'm a little annoyed that MtGox effectively is bitcoin. I've been spending my
mined coins on goods from various merchants and it has been working great.
That's what bitcoin is designed to be, a currency. Recently there's so much
speculation and people buying, holding and selling that so much focus has
shifted away from the real use.

~~~
caf
Mining was never supposed to be the primary means to obtain bitcoins. As long
as people are still being paid salaries in other currencies, they'll need to
use an exchange to buy bitcoins if you want them to participate. On the other
side of the (bit)coin, do you suppose those merchants you're buying from can
pay all of their suppliers in bitcoins? So they need the service of an
exchange, too.

------
nazgulnarsil
This is an "I told you so" post, but not about bitcoin, about the current
exchanges.

I haven't cashed out any bitcoins because the current exchanges are a fucking
joke and I've said as much many times in the IRC channel and forums. Bitcoins
will remain a novelty for people with lots of disposable income until it has a
real money changing service linking it to other exchanges. I can not conceive
of the level of folly it would take for me to put anything more than pocket
money on one of the current exchanges.

------
eis
Newest update:

Apparently someone got the whole user account database of Mt.Gox

I won't publish the link to it though for obvious reasons.

Quick analysis: the database is legit, it contains user id, username, email if
set, and a bcrypt hash. The hashes seem salted with a global salt.

~~~
kabushikigaisha
I don't think the db is public, it's being sold for a price.

~~~
personalcompute
It's public. I have the db loaded in mysql right now, and have confirmed its
validity (my account is in there).

------
nkohari
The entire account database was also leaked:

<http://forum.bitcoin.org/index.php?topic=19543.0>

~~~
sudonim
So it was... I confirmed my username is in there but at least passwords are
hashed. Luckily, I never added an email address and used a different Username
and pw than I do everywhere else. Gotta take precautions with bitcoin!

~~~
Tichy
Doesn't look as if passwords were salted, though :-( (Edit: just read in
another comment that there seems to have been a global salt)

~~~
olex
They were hashed using the standard php crypt() method, it generates a salt
for every password encrypted. I'm in that database and was able to generate
the exact hash. Luckily I use one-time passwords with such things...
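The dump format described in this thread (a mix of bare 32-hex MD5 digests and `$1$`-prefixed crypt() hashes, with `$6$` SHA-512 crypt and bcrypt as the stronger formats people mention) is easy to triage automatically. The block below is an added illustration, not code from Mt.Gox or from anyone in this thread: it classifies each hash by its prefix, runs a small dictionary attack against the unsalted entries to show why one MD5 computation cracks every user who chose the same password, and uses PBKDF2-HMAC-SHA512 as a stand-in for an iterated, per-user-salted scheme (an assumption; the real SHA-512 crypt format differs in encoding). The dump lines, usernames and wordlist are constructed.

```python
"""Triage a leaked credential dump: classify hashes by scheme and show the
cost difference between unsalted MD5 and a salted, iterated hash.
Added illustration with constructed data, not the real Mt.Gox dump."""
import hashlib
import re
from collections import Counter

# Constructed sample, columns: id,username,email,hash.  The two bare MD5
# rows for alice and bob are md5("password"); frank's is md5("123456").
# The $1$, $6$ and $2a$ rows are format examples with made-up digests.
SAMPLE_DUMP = """\
1,alice,alice@example.com,5f4dcc3b5aa765d61d8327deb882cf99
2,bob,,5f4dcc3b5aa765d61d8327deb882cf99
3,carol,carol@example.com,$1$saltsalt$qjXMvbEw8oaL.CzflDtaK/
4,dave,,$6$rounds=5000$somesalt$notarealsha512cryptdigestjustaplaceholder
5,erin,erin@example.com,$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
6,frank,,e10adc3949ba59abbe56e057f20f883e
"""

WORDLIST = ["letmein", "password", "123456", "qwerty"]  # constructed


def classify(h: str) -> str:
    """Name the hashing scheme from the crypt(3)-style prefix.
    A bare 32-hex string is taken as unsalted MD5, as the thread reports."""
    if h.startswith("$1$"):
        return "md5-crypt"          # FreeBSD salted MD5, the $1$ format
    if h.startswith("$5$"):
        return "sha256-crypt"
    if h.startswith("$6$"):
        return "sha512-crypt"       # salted, multi-iteration SHA-512
    if re.match(r"^\$2[abxy]\$", h):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-fA-F]{32}", h):
        return "md5-unsalted"
    return "unknown"


def parse_dump(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        uid, user, email, h = line.split(",", 3)
        rows.append({"id": int(uid), "user": user, "email": email,
                     "hash": h, "scheme": classify(h)})
    return rows


def scheme_counts(rows: list[dict]) -> Counter:
    return Counter(r["scheme"] for r in rows)


def crack_unsalted_md5(rows: list[dict], wordlist: list[str]) -> dict:
    """One MD5 per candidate word, then a lookup: every account that chose
    that word falls at once because there is no per-user salt."""
    by_hash: dict[str, list[str]] = {}
    for r in rows:
        if r["scheme"] == "md5-unsalted":
            by_hash.setdefault(r["hash"].lower(), []).append(r["user"])
    cracked = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        for user in by_hash.get(digest, []):
            cracked[user] = word
    return cracked


def salted_sha512(password: bytes, salt: bytes, rounds: int = 100_000) -> str:
    """Stand-in for a salted, iterated SHA-512 scheme (PBKDF2-HMAC-SHA512,
    an assumption; not the $6$ crypt encoding).  Same password with two
    salts gives two unrelated digests, so each user costs `rounds` work."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, rounds).hex()


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    print(scheme_counts(rows))
    print(crack_unsalted_md5(rows, WORDLIST))
    print(salted_sha512(b"password", b"salt1")[:16],
          salted_sha512(b"password", b"salt2")[:16])
```

Run against a real dump you would first check the `scheme_counts` output: the share of `md5-unsalted` rows is the share of users whose password an attacker recovers at wordlist speed, independent of how many users there are.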

~~~
SeanLuke
Wait. The effective exchange for bitcoins worldwide is using PHP internally?
People are actually trusting this with thousands of dollars in cash?

~~~
fredoliveira
I'm not even much of a PHP fan, but it seems like you're unaware of what
_most_ people use. Including financial institutions.

------
lubos
If this was legitimate "dump" (by someone who obviously didn't care about the
money), it was certainly the fastest crash of any known market ever.

------
crayz
That's about 7% of the total number of bitcoins in circulation. Anyone have
details on how this happened?

<http://blockexplorer.com/q/totalbc>

~~~
enki
according to the guy running the exchange: user with 500k bitcoins was hacked
(probably password bruteforce or csrf).

they'll probably reverse all transactions since then

~~~
andypants
Who is 'they'?

As far as I understood bitcoin, there is no authority. Nobody can do anything
about a user having 500k of his coins hacked, and nobody can do anything about
the market crash either.

~~~
jaekwon
as far as i know you're right. there is no infrastructure for rollbacks of any
kind.

~~~
olex
MtGox != Bitcoin. Transactions on bitcoin network cannot be undone, that is
true; however, MtGox will undo the transactions inside their system (buys and
sells within MtGox). The only thing that cannot be undone is the withdrawal of
80 stolen BTC from a MtGox account into Bitcoin network.
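The distinction olex draws (and the question buro9 raised at the top of the thread about what a "rollback" can mean) comes down to where each event lives: a trade is a row in the exchange's own database and can be reverted by id range, as the announcement's "trades 218869~222470 will be reverted" implies, while a withdrawal is a transaction broadcast to the Bitcoin network. The toy model below is an added illustration, not Mt.Gox's code; the account names, balances, prices and the way the $1000/day limit values coins are assumptions. It replays the incident as described (dump, buy-back, withdrawal capped at $1000, then rollback) and shows that after the rollback every balance is restored except the coins that actually left.

```python
"""Toy custodial exchange: trades are internal ledger rows (reversible),
withdrawals are on-chain transactions (not).  Added illustration with
assumed names and numbers; not Mt.Gox's implementation."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Trade:
    trade_id: int
    seller: str
    buyer: str
    btc: Decimal
    price_usd: Decimal  # USD per BTC


class Exchange:
    def __init__(self, daily_withdraw_limit_usd: Decimal, first_trade_id: int = 1):
        self.usd: dict[str, Decimal] = {}
        self.btc: dict[str, Decimal] = {}
        self.trades: list[Trade] = []                      # only in our DB
        self.withdrawals: list[tuple[str, Decimal]] = []   # broadcast, final
        self.limit_usd = daily_withdraw_limit_usd
        self.withdrawn_today_usd: dict[str, Decimal] = {}
        self._next_id = first_trade_id

    def open_account(self, user: str, usd=Decimal(0), btc=Decimal(0)) -> None:
        self.usd[user] = Decimal(usd)
        self.btc[user] = Decimal(btc)
        self.withdrawn_today_usd[user] = Decimal(0)

    def trade(self, seller: str, buyer: str, btc: Decimal, price_usd: Decimal) -> int:
        """Move BTC seller->buyer and USD buyer->seller inside the ledger."""
        cost = btc * price_usd
        if self.btc[seller] < btc or self.usd[buyer] < cost:
            raise ValueError("insufficient balance")
        self.btc[seller] -= btc
        self.btc[buyer] += btc
        self.usd[buyer] -= cost
        self.usd[seller] += cost
        t = Trade(self._next_id, seller, buyer, btc, price_usd)
        self._next_id += 1
        self.trades.append(t)
        return t.trade_id

    def withdraw_btc(self, user: str, btc: Decimal, valuation_usd_per_btc: Decimal) -> bool:
        """Daily cap by USD value (valuation rule is an assumption).  Once
        accepted, the coins are gone from the exchange's control."""
        value = btc * valuation_usd_per_btc
        if self.btc[user] < btc or self.withdrawn_today_usd[user] + value > self.limit_usd:
            return False
        self.btc[user] -= btc
        self.withdrawn_today_usd[user] += value
        self.withdrawals.append((user, btc))
        return True

    def rollback(self, first_id: int, last_id: int) -> int:
        """Undo trades with first_id <= id <= last_id, newest first.
        Withdrawals are deliberately not touched: there is nothing to undo."""
        selected = [t for t in self.trades if first_id <= t.trade_id <= last_id]
        for t in reversed(selected):
            cost = t.btc * t.price_usd
            self.btc[t.buyer] -= t.btc
            self.btc[t.seller] += t.btc
            self.usd[t.seller] -= cost
            self.usd[t.buyer] += cost
            self.trades.remove(t)
        return len(selected)


def run_incident() -> Exchange:
    """Replay the sequence described in the thread with assumed figures."""
    ex = Exchange(daily_withdraw_limit_usd=Decimal(1000), first_trade_id=218869)
    ex.open_account("victim", btc=Decimal(500_000))
    ex.open_account("pool", usd=Decimal(1_000_000))       # the rest of the book
    first = ex.trade("victim", "pool", Decimal(500_000), Decimal("0.01"))  # the dump
    last = ex.trade("pool", "victim", Decimal(400_000), Decimal("0.01"))   # buy-back
    ex.withdraw_btc("victim", Decimal(100), Decimal(10))   # $1000 worth: accepted
    ex.withdraw_btc("victim", Decimal(100), Decimal(10))   # over the cap: refused
    ex.rollback(first, last)
    return ex


if __name__ == "__main__":
    ex = run_incident()
    print("victim", ex.btc["victim"], "BTC", ex.usd["victim"], "USD")
    print("pool  ", ex.btc["pool"], "BTC", ex.usd["pool"], "USD")
    print("withdrawals (irreversible):", ex.withdrawals)
```

After the rollback the victim is short exactly the withdrawn 100 BTC and the pool is back to its starting state; the exchange, not the network, has to decide who absorbs that shortfall.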

------
Tichy
Does anybody have a link to instructions for reading that kind of chart (or
the name of the chart type)? I used to know, but it has been many years.

I suppose green bars means the price went up and red down, and the bar extends
between the high and low price. But what does the chunk in the middle mean?
And where can I see that 500k were traded?

~~~
Macha
EDIT: The below is wrong, see here:
<http://en.wikipedia.org/wiki/Candlestick_chart>

The chunk in the middle is the price for the majority of trades, and the
lighter bar is all trades, if I remember right.

~~~
yesimahuman
The small bar indicates the range of prices during the time frame (for
example, each bar could represent 15 minutes of trading on a 15 minute chart).
The big bar shows the closing and opening prices for that time range. If the
closing price is below the opening price the bar is red, and vice versa.

The red bar that shoots up from the bottom is the trading volume, and usually
isn't covering up the bars so it looks strange. It just says a ton of BTC was
sold in that time frame.
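The reading of the chart given above (each bar covers a fixed interval, the thin line is the interval's full price range, the thick body is open-to-close and is red when the close is below the open, and a separate bar shows volume) is exactly what a candle builder computes from raw trades. The block below is an added illustration with constructed trades, not code from bitcoincharts or anyone in this thread: it buckets trades into 15-minute candles and picks out the bucket where the volume bar "shoots up".

```python
"""Aggregate raw trades into OHLC candles with volume, as drawn on a
candlestick chart.  Added illustration; trades are constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Candle:
    start: int            # bucket start, seconds since epoch
    open: Decimal
    high: Decimal
    low: Decimal
    close: Decimal
    volume_btc: Decimal

    @property
    def colour(self) -> str:
        # Red body when the interval closed below where it opened.
        return "red" if self.close < self.open else "green"


def build_candles(trades, bucket_seconds: int) -> list[Candle]:
    """trades: iterable of (timestamp, price_usd, btc); any order."""
    candles: dict[int, Candle] = {}
    for ts, price, btc in sorted(trades):
        start = ts - ts % bucket_seconds
        c = candles.get(start)
        if c is None:
            candles[start] = Candle(start, price, price, price, price, btc)
        else:
            c.high = max(c.high, price)   # thin line: full range
            c.low = min(c.low, price)
            c.close = price                # thick body: open -> last price
            c.volume_btc += btc            # separate volume bar
    return [candles[k] for k in sorted(candles)]


def volume_spike(candles: list[Candle]) -> Candle:
    """The bucket whose volume bar dwarfs the others."""
    return max(candles, key=lambda c: c.volume_btc)


# Constructed trades: normal trading, then a dump to $0.01, then recovery.
SAMPLE_TRADES = [
    (0, Decimal("17.50"), Decimal(10)),
    (300, Decimal("17.55"), Decimal(5)),
    (800, Decimal("17.40"), Decimal(8)),
    (900, Decimal("17.45"), Decimal(3)),
    (1000, Decimal("12.00"), Decimal(100_000)),
    (1300, Decimal("0.01"), Decimal(400_000)),
    (1800, Decimal("0.01"), Decimal(50)),
    (2000, Decimal("13.00"), Decimal(20)),
]

if __name__ == "__main__":
    for c in build_candles(SAMPLE_TRADES, 900):
        print(c.start, c.open, c.high, c.low, c.close, c.volume_btc, c.colour)
    print("spike at", volume_spike(build_candles(SAMPLE_TRADES, 900)).start)
```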

------
Tichy
I like the looks of this chart of the crash, haven't seen that kind before:
<http://leanback.eu/bitcoin/plots/20110619195756-mtgox.png> (found via
@zedshaw on Twitter)

~~~
Macha
And Zed found it from me on Twitter, and I found it on this thread:
<http://news.ycombinator.com/item?id=2671576> (Just setting the record
straight as Zed attributed it to me)

------
gburt
Lower limit of $0 a bitcoin showing there, did someone really dump bitcoins at
$0.01?

~~~
eli
$0.01 is still a profit if you stole the coins.

------
citricsquid
So for someone who doesn't understand economics that much, what does this
mean? Have bitcoins finally failed?

~~~
rmc
Not as such. As an example, Steve Jobs owns 7% of the shares of Disney. If
tomorrow, he were to sell them all, no matter what the price, there might not
be enough people to buy them all, so people who, for the laugh, said they'd
buy Disney stock at $0.01 a share would eventually get the shares. Thus the
stock price for Disney would drop to $0.01. A similar thing just happened to
BitCoin, but rather than shares of Disney being traded, it was bitcoins.

~~~
chamakits
This is the best explanation so far. Thanks!

------
omarchowdhury
<CorvusCorax> poor bot had a division by zero when trying to calculate the mt
gox exchange rate

------
base
Out of curiosity, how does Mt.Gox hold the bitcoins? Do they have a
bitcoin account for every user or do they hold all the bitcoins in their
account and trades are only changes in their database?

~~~
wmf
The latter; in the block chain you can see a single address that holds over
400K BTC.

------
pnathan
I'm on record here as saying a few weeks ago that a BTC bank needs to be
established.

I reiterate my position. A BTC bank needs to be established, with appropriate
data protection features.

~~~
Astrohacker
Sounds like a startup opportunity.

~~~
pnathan
Absolutely. I wish I had enough time and security knowledge to do it.

A BTC bank will have to have some no-kidding competent security around it.

------
spenvo
The flash sale broke the price resistance chart: <http://mtgoxlive.com/orders>

------
ebaysucks
If the 500K Bitcoins sold are the total of the Bitcoins in all MtGox wallets,
then Bitcoin is over.

Sample of one: I have about 100 USD in Bitcoins at MtGox, if they got
stolen today, I will leave the project.

~~~
andypants
I think the bitcoins belonged to a guy who had his wallet of 500k stolen some
time around last week.

~~~
romland
You're probably thinking of the guy who claimed he lost 25k bitcoins (which
at that moment was "worth" 500k USD). This was a trade of 500,000 bitcoins.

~~~
andypants
Ahh yes, you're correct, I got confused.

------
Tichy
Interesting that on bitmarket.eu there are a lot of buy offers for 0.01€
suddenly. I wonder if those are already bots trying to automatically react to
the mtgox price.

~~~
joezydeco
More likely, people trying to make bank when (not if) it happens again.

~~~
Tichy
Ah, true, taking advantage of market glitches. I should add some positions for
that, too :-)

~~~
joezydeco
The real question is if mtgox can actually reverse trades like they claim
they're going to do as a result of this situation.

In a regulated exchange it's certainly possible. Is it possible with bitcoin?
Once the block is away...it's away.

------
KarlFreeman
If you want to check if you've been Mt.Goxed I whipped up a little something
for that

<http://mtgoxed.herokuapp.com/>

------
mrkva
If you feel like complaining, check Complainr: <http://complainr.syx.sk/>

Some people already started :)

------
Osiris
mtgox.com is offline. Did they shut trading down?

~~~
tijs
the site has been on and off for the past week or so. not intentional per se
just busy servers as far as i can tell.

~~~
swishercutter
I was in the bitcoin forums and mt gox as this happened...they shut down
afterwards.

------
funkah
I wanted to see if I could buy some on the cheap, but I wasn't already set up
to do so. I would never take this currency seriously, but I'd be willing to
put in a bit of money to speculate a bit.

I looked at bitmarket.eu but they have a manual verification process, which
I'm sure would not complete until after the price recovers. Oh well.

------
anonymous
haha

------
aquarin
We shouldn't be surprised by this. This monetary system has no authority behind it.

~~~
aquarin
What is the point of down votes without explanation?

~~~
vessenes
You're being downvoted because you neither understand the Bitcoin system nor
the mechanics of how Mt. Gox works, as evidenced by your post.

~~~
aquarin
Sure, I don't understand it, and neither do the people who bought bitcoins.

~~~
weavejester
And you're basing this statement on what evidence?

