Press release by Mt. Gox about hack:
Quote:
CLARIFICATION OF MT. GOX COMPROMISED ACCOUNTS AND MAJOR BITCOIN SELL-OFF
Dear members of the press and Bitcoin community,
I. Background
March, 2011 – MtGox.com (Mt. Gox), now the world’s leading Bitcoin exchange, was purchased by Tibanne Co. Ltd. As part of the purchase agreement, for a period of time, Tibanne Co. Ltd was required to pay the previous owner a percentage of commissions. In order to audit and verify this percentage, the previous owner retained an admin level user account. This account was compromised. So far we have not been able to determine how this account’s credentials were obtained.
II. Bitcoin Sell-Off
On June 20th at approximately 3:00am JST (Japan Time), an unknown person logged in to the compromised admin account, and with the permissions of that account was able to arbitrarily assign himself a large number of Bitcoins, which he subsequently sold on the exchange, driving the price from $17.50 to $0.01 within the span of 30 minutes. With the price low, the thief was able to make a larger withdrawal (approximately 2000 BTC) before our security measures stopped further action.
We would like to note that the Bitcoins sold were not taken from other users’ accounts—they were simply numbers with no wallet backing. For a brief period, the number of Bitcoins in the Mt. Gox exchange vastly outnumbered the Bitcoins in our wallet. Normally, this should be impossible. Unfortunately, the 2000 BTC withdrawn did have real wallet backing and they will be replaced at Mt. Gox’s expense. Again, apart from the compromised admin account, no individual user’s account was manipulated in any way. All BTC and cash balances remain intact.
Given the relatively small amount of damage considering what was potentially possible, we have to question what the true motives of the attacker were. Perhaps the attack simply was not well-orchestrated but the possibility exists that the attacker was more interested in making a statement, hurting Mt. Gox’s reputation, or hurting the public image of Bitcoins in general than he was in any monetary gain.
III. Database Breach
Late last week we discovered a SQL injection vulnerability in the mtgox.com code that we suspect is responsible for allowing an attacker to gain read-only access to the Mt. Gox user database. The information retrieved from that database included plain text email addresses and usernames, unsalted MD5 passwords on accounts that had not logged in since prior to the Mt. Gox ownership transfer, and salted MD5 passwords on those accounts created or logged in to post-ownership transfer. We speculate that the credentials of the compromised admin account responsible for the market crash were obtained from this database. The password would have been hashed but it may not have been strong enough to prevent cracking.
Regrettably, we can confirm that our list of emails, usernames and hashed passwords has been released on the Internet. Our users and the public should know that these hashed passwords can be cracked, and many of our users’ more simple passwords have been cracked. This event highlights the importance of having a strong password, which we will now be enforcing. We strongly encourage all our users to immediately change the passwords of any other accounts that now or previously shared a password with their Mt. Gox account, if they have not done so already.
IV. Present Steps
We have been working tirelessly with other service providers in order to mitigate the potential damage to our users caused by the security breach. We’ve been informing our users to be especially cautious of Bitcoin-related phishing attempts at the email addresses associated with their Mt. Gox accounts. Users should continue to be especially observant of indicators of account compromise with other services—especially email and financial services.
We would like to give a special thanks to the Google team who were extremely proactive about flagging and temporarily locking customer accounts that appeared in our stolen user list. Their quick response no doubt significantly reduced unauthorized account access to Gmail addresses associated with Mt. Gox user accounts.
We’ve been actively researching the origin of the attack that led to the compromise of Mt. Gox’s previous owner’s admin account; however, our priority has been getting the Mt. Gox service back online and getting people access to their funds. We were finally able to simultaneously relaunch the service and launch our new site, with greatly improved security and back end, on June 26th, 2011.
V. Future Steps
The new Mt. Gox site features SHA-512 multi-iteration, triple salted hashing and soon will have an option for users to enable a withdrawal password that will be separate from their login passwords. Other security measures such as one-time password keys are planned for release very soon as well.
The recent successful attacks on huge institutions like Sony and Citibank remind us that nobody is impenetrable. We are now operating under the presumption that another security breach will happen at some point in the future and we are implementing layers of fail-safe mechanisms to greatly limit the amount of damage possible. Of course, we’re doing our best to make sure those fail-safe mechanisms are never necessary.
While we are making great strides with the advancement of our security, we should remind our users that they too play an important role in securing their accounts. Please use a long password—the standard is not whether a person could guess it but rather whether a computer could guess it—and computers can guess pretty fast. Please do not share passwords across services—where passwords are shared, a compromise at one service means a compromise at all services. Help us help you.
VI. Apology
The truth is that Mt. Gox was unprepared for Bitcoin’s explosive growth. Our dated system was built as a hobby when Bitcoins were worth pennies a piece. It was not built to be a Fort Knox capable of securely handling millions of dollars in transactions each day.
We can attempt to blame the owner of the compromised account for the recent events but at the end of the day the responsibility to secure the site and protect our users rests with us. The admin account responsible had more permissions than necessary, and our security triggers were not as tight as they could have been.
Since the change of ownership, we have actively been patching holes while at the same time building a new Bitcoin exchange from the ground up. Going forward, we are certain that the launch of the new site will exceed the rightful expectations our users have of the service. We only hope that we can once again earn the trust of the Bitcoin community. In the meantime, we sincerely appreciate the patience all our users have shown.
We’ve got a backlog of emails we’re catching up on now but if you have any questions or comments about the recent security breaches and events, Mt. Gox in general, its founder or Bitcoin, please do not hesitate to contact us. We’re reading every message and we’ll get back to you as soon as we can.
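The release contrasts three password storage schemes: unsalted MD5 on old accounts, salted MD5 on newer ones, and the iterated, salted SHA-512 scheme of the new site. The following is an added example, not Mt. Gox's code, that shows why the distinction matters to a defender reviewing a leaked user table: unsalted hashes let anyone spot users who share a password and match hashes against a precomputed table, per-user salts remove both properties, and an iterated scheme (PBKDF2-HMAC-SHA512 here, used as a stand-in for the "multi-iteration, triple salted" scheme the release does not specify) makes each guess expensive. The account names, passwords and round count are constructed for the demo.

```python
"""Compare password storage schemes over a constructed user table."""
import hashlib
import hmac
import os

# Constructed sample accounts; plaintexts are only here to build the demo records.
SAMPLE_USERS = {
    "alice": "letmein",
    "bob": "letmein",                      # same password as alice
    "carol": "correct horse battery staple",
}
# Constructed "common passwords" list standing in for a precomputed lookup table.
COMMON_PASSWORDS = ["123456", "password", "letmein"]

PBKDF2_ROUNDS = 200_000  # assumption; tune to the hardware budget in production


def md5_unsalted(password: str) -> str:
    """Legacy scheme for pre-transfer accounts: one deterministic MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: bytes) -> str:
    """Salted MD5: still fast to guess, but no longer precomputable or cross-user comparable."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def store_pbkdf2(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Iterated, salted scheme; record carries its own parameters so they can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return f"pbkdf2_sha512${rounds}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time compare avoids timing leaks."""
    scheme, rounds, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha512":
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hash_groups(records: dict[str, str]) -> dict[str, list[str]]:
    """Users whose stored hash is identical. Under an unsalted scheme this exposes
    shared passwords without a single guess being made."""
    groups: dict[str, list[str]] = {}
    for user, h in records.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def precomputed_table_hits(records: dict[str, str]) -> dict[str, str]:
    """Match stored hashes against a table hashed once, in advance, with no salt.
    Works only when the records were produced without a salt."""
    table = {md5_unsalted(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in records.items() if h in table}


def build_unsalted_records() -> dict[str, str]:
    return {u: md5_unsalted(p) for u, p in SAMPLE_USERS.items()}


def build_salted_records() -> dict[str, str]:
    # A fresh random salt per user (stored alongside the hash in a real system).
    return {u: md5_salted(p, os.urandom(8)) for u, p in SAMPLE_USERS.items()}


if __name__ == "__main__":
    unsalted = build_unsalted_records()
    print("shared-password groups (unsalted):", duplicate_hash_groups(unsalted))
    print("table hits (unsalted):", precomputed_table_hits(unsalted))
    salted = build_salted_records()
    print("shared-password groups (salted):", duplicate_hash_groups(salted))
    print("table hits (salted):", precomputed_table_hits(salted))
    rec = store_pbkdf2("correct horse battery staple")
    print("pbkdf2 verify ok:", verify_pbkdf2("correct horse battery staple", rec))
```

Salting fixes the cross-user and precomputation problems but not the per-guess cost, which is why the release's move to an iterated hash is the part that actually slows an offline attack on a leaked table; the round count should be stored with each record, as above, so it can be raised as hardware improves.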
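The sell-off section describes two controls that were missing or loose: the compromised admin account could "arbitrarily assign himself a large number of Bitcoins" with no wallet backing, and the withdrawal stopped only after roughly 2000 BTC left. The following added example, not Mt. Gox's code, sketches the kind of fail-safe the "Future Steps" section alludes to: an exchange ledger that refuses any credit which would make user balances exceed the coins actually held, requires admin credits to cite a funding deposit, and rate-limits withdrawals against a per-window cap. The class, the 1000 BTC cap and the account names are assumptions for the demo.

```python
"""Ledger invariants for an exchange: balances must never exceed wallet backing."""
from dataclasses import dataclass, field
from decimal import Decimal


class LedgerViolation(Exception):
    """Raised when an operation would break a fail-safe invariant."""


@dataclass
class Exchange:
    wallet_backing: Decimal                      # BTC actually held in the exchange wallet
    balances: dict[str, Decimal] = field(default_factory=dict)
    withdrawal_cap: Decimal = Decimal("1000")    # assumption: per-window cap for the demo
    withdrawn_in_window: Decimal = Decimal("0")
    alerts: list[str] = field(default_factory=list)

    def total_ledger(self) -> Decimal:
        return sum(self.balances.values(), Decimal("0"))

    def backing_ok(self) -> bool:
        """Invariant 1: the sum of user balances may never exceed real wallet holdings."""
        return self.total_ledger() <= self.wallet_backing

    def credit(self, actor_role: str, user: str, amount: Decimal,
               funding_txid: str | None = None) -> None:
        """Credit a user. Admin credits must cite a deposit, and every credit is
        rejected (and alerted on) if it would leave the ledger unbacked."""
        if amount <= 0:
            raise LedgerViolation("credit must be positive")
        if actor_role == "admin" and funding_txid is None:
            self.alerts.append(f"admin credit of {amount} to {user} without funding txid")
            raise LedgerViolation("admin credits require a funding transaction")
        self.balances[user] = self.balances.get(user, Decimal("0")) + amount
        if not self.backing_ok():
            # Roll back before raising so the ledger never stays in a bad state.
            self.balances[user] -= amount
            self.alerts.append(f"credit of {amount} to {user} would exceed wallet backing")
            raise LedgerViolation("ledger would exceed wallet backing")

    def withdraw(self, user: str, amount: Decimal) -> None:
        """Invariant 2: withdrawals are bounded per window regardless of balance."""
        if amount <= 0 or self.balances.get(user, Decimal("0")) < amount:
            raise LedgerViolation("insufficient balance")
        if self.withdrawn_in_window + amount > self.withdrawal_cap:
            self.alerts.append(f"withdrawal of {amount} by {user} exceeds window cap")
            raise LedgerViolation("withdrawal cap exceeded")
        self.balances[user] -= amount
        self.wallet_backing -= amount
        self.withdrawn_in_window += amount


def demo() -> Exchange:
    """Constructed scenario: a backed exchange, one legitimate deposit, then an
    unbacked admin credit and an over-cap withdrawal, both refused."""
    ex = Exchange(wallet_backing=Decimal("5000"))
    ex.credit("system", "alice", Decimal("1500"), funding_txid="deposit-0001")  # constructed id
    for role, user, amt, txid in [("admin", "mallory", Decimal("400000"), None),
                                  ("system", "bob", Decimal("4000"), "deposit-0002")]:
        try:
            ex.credit(role, user, amt, funding_txid=txid)
        except LedgerViolation:
            pass
    try:
        ex.withdraw("alice", Decimal("1200"))
    except LedgerViolation:
        pass
    ex.withdraw("alice", Decimal("900"))
    return ex


if __name__ == "__main__":
    ex = demo()
    print("balances:", ex.balances)
    print("alerts:", *ex.alerts, sep="\n  ")
```

The point of the first invariant is that it is checked on every write, not in a periodic reconciliation: an admin credential that is misused can then only move coins that exist, and the alert fires on the first attempt rather than after the market has already moved.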