Huge Bitcoin sell off due to a compromised account - rollback
The bitcoin will be back to around $17.5/BTC after we roll back all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).
Service should be back by June 20th 10:00am (JST, 01:00am GMT) with all the trades reversed and accounts available.
One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdrawal limit was active for this account and the hacker could only get out with $1000 worth of coins.
Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will roll back every trade which happened since the big sale, and ensure this account is secure before opening access again.
The 1000 USD is relative to the current price I suppose. So if I have access to an account with 500K bitcoins and I sell 400K bitcoins so that the price drops to 0.01 (like it did), and then I transfer the 100K bitcoin left in the account to my bitcoin address (and I can with the driven down exchange price), when the price goes back up I would have made a killing.
If you trust what they're saying, which might be questionable since their business is pretty much going up in flames at the moment, so they are probably desperate to make things appear better than they are...
I hope for their sake that they actually have enough USD and BTC on hand to deal with the mass withdrawals that are coming...
* It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
* Two months ago we migrated from MD5 hashing to FreeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
* We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
* Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
* When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.
* Once Mt.Gox is back online, trades 218869~222470 will be reverted.
Ah, that's why I had to change my password then.
Luckily I never reuse passwords for important stuff like e-mail or anything that touches money...
Weasel words. If someone has a dump of your database, then your site was hacked.
Goodbye frying pan, hello fire.
Take the flash-crash last year. Yes, if you were a lucky one who bought GE at $3/share then hell yes you wanted that trade to count.
But to have an exchange it takes everybody acting in the interest of the group as well as themselves. The value to that over purely selfish motivations is that it creates a liquid market which benefits everybody involved.
Part of this is the acceptance of situations like this. In cases of attack or software defect, the only real viable option is to rollback. The only people this hurts are the 1% who tried to profiteer on the situation. Not rolling back would harm the other 99%. It's an easy call.
The only real tragedy would be if they cannot roll back accurately. You'd think this wouldn't be possible, but you never know... It seems as though this site has had known CSRF bugs for a while. This is not a hard thing to fix. It doesn't shine well upon their competence.
Of course, an exchange can affect the value of the products it is trading. Since Mt. Gox is the biggest bitcoin exchange, if a vulnerability is found then people might stop trading there, decreasing the liquidity and consequently the value of bitcoin. But this doesn't contradict the goal you mention.
As an analogy, if company ACME only trades on Nasdaq and there's a system problem with Nasdaq, some people will be scrambling to get rid of their ACME stocks so ACME's price will go down. That doesn't mean that the exchange controls the price of ACME.
Edit: I realized after posting that I called bitcoin a "currency" above. I realize that it's a controversial position, but my feeling is that, as a medium of exchange, it qualifies as a currency.
Well this is trading through an intermediary, you can't really expect it to work that way otherwise something like this would have a lot more incentive for wrongdoers.
If you really want to have no chargebacks you have to go the harder route of one on one trading, with everything that comes along with that.
UPDATE: looks legit.
Some passwords are md5 hashes, some are salted md5 hashes (utilizing the crypt function). I did not log in for a long time and my password was still unsalted, so I assume that converting to salted passwords was done either automatically on login or on password changes.
The original author sold the site in March before things got really serious.
Also the OWASP top ten vulnerabilities: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...
Edit: Note, this really barely scratches the surface for building secure software. AC says how to apply cryptographic primitives correctly. It won't teach you how to avoid vulnerabilities specific to particular application domains (like CSS, SQL injection, etc...).
for those who don't know
Man, these programmers are fucking amateurs. It's a FUCKING TRADING PLATFORM.
It happens everywhere.
Guess what: Even salted hashes won't save your ass with such weak passwords. And yes: it's a FUCKING TRADING PLATFORM you want to put money on so _you_ should think of a secure password.
Mt.Gox is the biggest bitcoin market place by far.
During the last 1h the whole volume of about 500k BTC was traded, making the price drop from somewhere around $17 to virtually nothing.
Details are not available yet. It could have been a bug or an intruder.
Rumors have it that someone with a huge wallet got hacked.
<+MagicalTux> someone with lots of coins did get hacked
MagicalTux is working on Mt.Gox
Also some other markets like btcex or tradehill are seeing problems and/or price drops.
Update: Mt.Gox have published an announcement:
If that is true, then once you have your 500k BTC in the exchange, it will take you over a decade to get them out, either as cash or as bitcoins.
Technically, each layer of security you impose is also an impediment to the bitcoin market's liquidity.
My theory is there are miners with large amounts of BTC and someone decided to sell a lot in a relatively small market. According to the depth-of-market calculator there is only about 2000BTC in total on the buying side right now. It's easy to swing the market.
Here is another nice graph: http://leanback.eu/bitcoin/plots/20110619195756-mtgox.png
Mtgox hacked database listed for sale (pastebin.com)
pointed to: http://pastebin.com/ui0nusuZ
I have hacked into mtgox database. Got a huge number of logins password combos.
Mtgox has fixed the problem now. Too late, cause I've already got the data.
Will sell the database for the right price.
Send your offers to：
I think it's kind of cute. People hoped for an economy no government could control, and got exactly that: anarchy and a burning world.
Someone sold a huge amount of Bitcoins. The market acted accordingly. Expect a bounce back to the old exchange rate as soon as Mt. Gox is available again.
Of course it might be possible that the computer of the person who sold the Bitcoin was cracked. But that's not the fault of Bitcoin - if someone is not capable of taking care of the security of his local computer, it's better not to use a distributed currency where your money is basically stored inside a single file.
Just like it's not the fault of the dollar if someone mugs you at gunpoint. Except robbing someone typically requires you to take physical risks and (threaten to) use violence. I'll be very curious to see any effective way of tracking down bitcoin thieves.
If you have to be a security expert to own more than a few dollars worth of bitcoins, the project has effectively failed already.
If you don't have the required knowledge just pay a little bit to a "Bitcoin bank" that handles the task for you. In the real world you also don't carry your money with you all the time, but store it on a bank.
- Centralized money is bad! We need to create a perfectly decentralized, distributed economy!
- Oh no! It turns out that the average Joe will get burned really badly by this new decentralized system!
- But wait! What if we created these things called "banks" and provide people peace of mind and security by taking on some of this risk?!
- Um... not profit.
- Anonymity/trackability. Gone if you are with a bank. Sure, possible to sidestep by going through the song-and-dance that is withdraw-send-deposit. We can do this IRL also, but there's a reason people do not.
- Taxability. Welp, if your BTCs are in a bank, the IRS can easily get you.
- Abusive/coercive government action (e.g., freezing). Well, yeah, if you're with a bank that can happen too.
- Lack of fees. If banks become standard (and if BTC takes off, yes, they will become standard) then kiss goodbye to this benefit - the same way cash right now has no transaction fee, but bank transactions do.
In fact, the only major sell of Bitcoin that remains:
- Inability for government to arbitrarily expand the supply of money.
Still a win, but suddenly Bitcoins have lost a lot of charm, especially for the everyman for whom the above 4 points are much more salient than that last one.
In the real world, the banks are subject to regulation.
It's true that key management and security are not as good as they could be in the official client, but that doesn't mean the project has failed, merely that the client needs to be improved.
Note that none of the developers expected it to get this big this fast. Six months ago, no one would even bother stealing bitcoins as they were not more than a toy curiosity. Now very serious amounts of money are represented.
I don't think this is the end of bitcoins but surely enough it is quite an ouch moment.
Lesson I've learned today: given that bitcoin wants to be a better currency, they have the chance to provide a better service. A good bitcoin marketplace should enforce two-way authentication, maybe with a yubikey or even just GPG keys.
It doesn't seem very free market to roll back the market and cancel all the free market trades that happened.
Basically, governments trying to stabilize their currency are in danger of losses whenever they meet someone with even deeper pockets. In contrast, the Japanese government could out-trade Soros in the crash in 1987 and Soros had to pocket substantial losses.
Yes, for some time MtGox was The Exchange. It seems that it just ended.
It makes you wonder if Mt. Gox actually had the hard currency to back up everyone's account balance.
"It makes you wonder if The New York Stock Exchange actually had the hard currency to back up everyone's account balance."
That doesn't make any sense either.
Mt. Gox seems to act like both an exchange and a brokerage. Presumably people have an "account" in which they can deposit and withdraw various currencies.
"It makes you wonder if The New York Stock Exchange actually had the hard currency to back up everyone's account balance." That doesn't make any sense either.
I guess you don't have an account with any brokers participating in the NYSE or other exchanges. You can't open an account without writing them a check. Once you've given them money, you can trade NYSE stocks which may gain or lose value. But the dollars you deposit into your account you should be able to get them out again with low risk.
Each currency or security should represent a zero-sum balance sheet for the exchange as a whole. Unless Mt. Gox spent the hard cash for themselves and hoped the market for bitcoins stayed healthy.
Who do they think they are, a Wall Street investment bank?
I agree it doesn't make any sense (but for a different reason).
Are these two things actually alike?
Will the NYSE buy shares from me?
Yes, the NYSE is a building full of member broker dealers who will, in fact, buy shares from you when the proper conditions are met. (I.e., you need to be worth their time).
An account was compromised, and despite there being no government regulation, the exchange stepped in, protected their customer, rolled back the trades and protected the market.
That is anarchy exactly! But no burning world. And it is yet another real-world test that has been successfully met by the bitcoin idea.
I'm not sold on bitcoin's viability, due to questions about the larger marketability and having not done an audit of the software. But from an economic perspective, bitcoin is a viable currency, or as close to meeting all the requirements as any non-physical currency can.
You know that's basically the same thing - central entity with overarching authority exerts its will over the market, canceling transactions it's deemed 'fraudulent' between two independent consenting entities. "Free hand of the market" ain't present here, chief - this is regulation.
Please don't conflate the free market with anarchy.
You should read up on the foundations of anarchy before spouting your mouth off, since you are woefully ignorant on the subject. Bakunin, Kropotkin, and Bookchin are all good places to start.
Coercion does not have to be done by a governmental entity. The philosophy of government can wax as poetic as it wants but I know too many people who would happily take advantage of anarchy to employ said coercions. Practically speaking, human nature being what it is, coercion will be rampant in an anarchic society. I'm quite familiar with the foundations of anarchy. I just occasionally use poor wording :-)
MtGox certainly is not central authority. If you stop being their customer, they will have just to live with that.
That's precisely the theory behind free governments the world over, to wit: "Governments are instituted among Men, deriving their just Powers from the Consent of the Governed". Except we all know in practice there are barriers to withdrawing consent from the government, just as there are surely barriers to leaving a market.
To throw in a bit of conspiracy theory, it may have been the good guys...
P.S. If the latest news is to be trusted, it was a cheater. Actually, the $1000 he got is a rather low price to pay for a lesson that... instructive.
It would still be crashable, but more would be needed if it was bigger.
You wouldn't let your business become reliant on a single-supplier part, why would you let it rely on a single-supplier currency?
Regulations are only worth as much as the authority regulating them, if that. Just look at the USA. All the laws required to stop the recent mortgage meltdown were already in place and could still be used, but won't be. What value do those unused regulations have? It's better to have less fake regulations and simply not depend on a non-existent safety net.
I haven't cashed out any bitcoins because the current exchanges are a fucking joke and I've said as much many times in the IRC channel and forums. Bitcoins will remain a novelty for people with lots of disposable income until it has a real money changing service linking it to other exchanges. I can not conceive of the level of folly it would take for me to put anything more than pocket money on one of the current exchanges.
Apparently someone got the whole user account database of Mt.Gox
I won't publish the link to it though for obvious reasons.
Quick analysis: the database is legit, it contains user id, username, email if set, and a bcrypt hash. The hashes seem salted with a global salt.
Edit: Ah OK, the salt is encoded in the String.
In reality, it's all MD5 and the passwords were leaked to a community who are running tons of GPUs to brute force hashes. So it's kind of irrelevant.
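The Mt.Gox announcement above (unsalted MD5, then FreeBSD salted MD5, then iterated salted SHA-512, with idle accounts left on the old format) and the question of where the salt lives in a stored hash string both come up in this thread; what follows is an added example, not Mt.Gox code or anything posted here, showing how to tell the formats apart from the stored string, pull out the embedded salt, verify and upgrade a legacy hash at login, and list the accounts the upgrade has not reached. The `pbkdf2-sha512$` storage format, the scheme names and the sample users table are assumptions constructed for the example; md5-crypt and bcrypt hashes are recognised but not recomputed.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple
# Hypothetical storage format for the iterated SHA-512 scheme (not a Mt.Gox format).
PBKDF2_PREFIX = "pbkdf2-sha512"
ITERATIONS = 200_000
_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

def identify_scheme(stored: str) -> str:
    """Name the hashing scheme from the stored string alone."""
    if _MD5_HEX.match(stored):
        return "md5-unsalted"        # bare hex digest: no salt anywhere
    if stored.startswith("$1$"):
        return "md5-crypt"           # FreeBSD salted MD5: $1$<salt>$<hash>
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"              # $2a$<cost>$<22-char salt><31-char hash>
    if stored.startswith(PBKDF2_PREFIX + "$"):
        return PBKDF2_PREFIX         # pbkdf2-sha512$<iters>$<salt hex>$<digest hex>
    return "unknown"

def embedded_salt(stored: str) -> Optional[str]:
    """Per-user salt carried inside the string, or None when there is none."""
    scheme = identify_scheme(stored)
    if scheme in ("md5-crypt", PBKDF2_PREFIX):
        return stored.split("$")[2]
    if scheme == "bcrypt":
        return stored[7:29]
    return None

def hash_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated SHA-512 via PBKDF2, the stand-in for the announced scheme."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"{PBKDF2_PREFIX}${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Constant-time check for the two formats this example recomputes itself."""
    scheme = identify_scheme(stored)
    if scheme == "md5-unsalted":
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    if scheme == PBKDF2_PREFIX:
        _, iters, salt_hex, digest_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), digest_hex)
    return False  # md5-crypt and bcrypt need their own libraries; not recomputed here

def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify; on success with a legacy hash, also return the upgraded hash to store."""
    if not verify(password, stored):
        return False, stored
    if identify_scheme(stored) != PBKDF2_PREFIX:
        return True, hash_pbkdf2(password)   # the upgrade happens only at a successful login
    return True, stored

def audit_legacy(users: Dict[str, str]) -> List[str]:
    """Accounts still on a legacy scheme: users who never log in never get upgraded."""
    return sorted(u for u, h in users.items() if identify_scheme(h) != PBKDF2_PREFIX)

# Constructed users table mid-migration (not real data; bob's md5-crypt hash is a placeholder).
USERS = {"alice": hashlib.md5(b"hunter2").hexdigest(),           # idle since before the migration
         "bob": "$1$abcdefgh$" + "x" * 22,                        # migrated to salted md5-crypt
         "carol": hash_pbkdf2("correct horse", b"\x00" * 16)}   # already on the new scheme
```

Running `audit_legacy(USERS)` is the check the announcement implies was missing: it lists exactly the idle accounts whose hashes are still unsalted until their owner next logs in.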
Someone should buy sealand and change the national currency to bitcoin...
they'll probably reverse all transactions since then
Presumably they can do this because they're not actually bitcoin transactions, just exchange trades. The bitcoins and USDs entering and leaving Mtgox are not going to roll back.
As far as I understood bitcoin, there is no authority. Nobody can do anything about a user having 500k of his coins hacked, and nobody can do anything about the market crash either.
you can do whatever you want with your bitcoins, but currency exchange is liable to laws and regulations.
How can they? Surely if the blocks have started to get verified by other users then you'd have to fork bitcoin to do it? Wasn't "There are no chargebacks" one of the selling points of BitCoin?
I suppose green bars means the price went up and red down, and the bar extends between the high and low price. But what does the chunk in the middle mean? And where can I see that 500k were traded?
The chunk in the middle is the price for the majority of trades, and the lighter bar is all trades, if I remember right.
The red bar that shoots up from the bottom is the trading volume, and usually isn't covering up the bars so it looks strange. It just says a ton of BTC was sold in that time frame.
Along the bottom of the chart is the volume of trades, i.e. how many shares/coins are being sold or bought (and whether they're being sold or bought).
The chart in the middle is the price and variability of the trades (i think).
Not a stock person or a BTC trader. Just gawking at the spectacle.
BUT on the other hand, you could say Mt. Gox was asking for it with such poor security measures. A day ago, it was a CSRF hack ... and today it's a database dump.
I tell ya, tomorrow, the code for their trading platform will hit the net.
In fact, I wouldn't put it past the operators of the other exchanges to perpetrate something like this.
In reality, no damage to the bitcoin network was done, but Mt.Gox ended up with egg on their face.
Where will all the trades go? To other bitcoin exchanges - and there goes the services charges too. There's a sizable amount of money to be made by taking down Mt. Gox.
I reiterate my position. A BTC bank needs to be established, with appropriate data protection features.
A BTC bank will have to have some no-kidding competent security around it.
NO early adopter leaves his wallet.dat file unprotected on a known compromised computer. Especially one who claims to be an early adopter and saying he got in later in the same post. If you really read that whole thread you will smell a rat or troll also.
Now that's making claims without proof.
As for what happened this morning I believe that the market snapped right back was a good sign...someone dumping .5M BTC at once at the lowest possible amount and it still came back in minutes.
Sample of one: I have about 100 USD in Bitcoins at MtGox; if they got stolen today, I will leave the project.
Figured worst case scenario I'd lose half in a single day. But hopefully that's not what happened!
In a regulated exchange it's certainly possible. Is it possible with bitcoin? Once the block is away...it's away.
Some people already started :)
I looked at bitmarket.eu but they have a manual verification process, which I'm sure would not complete until after the price recovers. Oh well.
This incident occurred because (a) people with large amounts of bitcoin do not always store them securely, and (b) the bitcoin market is very small, and therefore can be destabilised by relatively small amounts of money (a few million dollars, for instance).
It will take a long time for normal people to understand the implications of the cryptographic backing of bitcoins. Even quite a few people here don't "get it"
There is no authority needed to enforce these natural laws, just as there is no authority needed to enforce gravity: it is a force of nature, and public key cryptography relies upon mathematics, which is also a force of nature. If the math is incorrect the system is insecure; failing that, no authority is required to uphold the mathematical dogma of public key cryptography lest faith in the system be compromised. You're working from a set of premises and assumptions that simply do not apply here.
These laws do not require enforcement by an authority;
Read this for a primer on public key cryptography;
The police act as a deterrent, and make it more difficult to offload stolen bitcoins without being caught.
http://news.ycombinator.com/item?id=752262 (shame can't see the vote counts on this one any more)