Bitcointalk Mobile Browser presented by IRLBTC™

Quote

[Update - 2:06 GMT] What we know and what is being done.

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
Two months ago we migrated from MD5 hashing to freeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.
Once Mt.Gox is back online, trades 218869~222470 will be reverted.

We will continue to update as we find new information.

Source: https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

I guess that makes me feel somewhat better...

lol it will be fun trying to verify my IP seeing as my VPN gives me a new one everytime I connect to the net..hope its not this hard...

Stop hiring the worst security auditors in the world.

Quote from: Astro on June 20, 2011, 02:22:39 AM

Stop hiring the worst security auditors in the world.

They just said it was a "financial auditor".

WTF? IKR?

100-200 BTC + ~1000 USD stolen. Doesn't seem too bad...

Quote

It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised.

Someone needs to audits the one who audits... Roll Eyes

If the auditor was attacked by a hacker, how was it that the hacker knew that the auditor's machine was even bitcoin-related? Something here doesn't pass the sniff test.

This screams 'inside job'.

For me it was Kevin Mitnick disguised as janitor...

Yeah, right. The only crackable stuff they got were some idle accounts yet they managed to drive the price to 0.01$ and steal a bucketload of BTC.

And... you used unsalted md5? Really? Oh but that was two months ago so it's ok? Undecided

Fuck me.

Quote from: dust on June 20, 2011, 02:30:08 AM

100-200 BTC + ~1000 USD stolen. Doesn't seem too bad...

I don't believe this, unfortunately Sad

Quote from: dust on June 20, 2011, 02:30:08 AM

100-200 BTC + ~1000 USD stolen. Doesn't seem too bad...

So.... could they, or someone, explain about the 200,000 -400,000 Bitcoins that was sold off, and drove the price down to 1 cent???

I think he mentioned that

is there a way to find out your trade number ? maybe from trade notification email or something ?

Quote

Once Mt.Gox is back online, trades 218869~222470 will be reverted.

The excuse given was to blame the auditor. And for privacy reasons, they won't name the auditor.

This doesn't make any sense at all. What use is an audit performed by unnamed entities? It's the credentials of the auditor which give credence to the audit they perform, is it not?

Quote from: Epinnoia on June 20, 2011, 03:06:22 AM

What use is it for an auditor to have password hashes?

Quote from: DonnyCMU on June 20, 2011, 02:49:59 AM

Quote from: dust on June 20, 2011, 02:30:08 AM

100-200 BTC + ~1000 USD stolen. Doesn't seem too bad...

So.... could they, or someone, explain about the 200,000 -400,000 Bitcoins that was sold off, and drove the price down to 1 cent???

As far as I have gathered those transactions were internal to Mt. Gox and were never paid out. They weren't actual bitcoin transactions.

May not have been an SQL injection, but it was sure as hell a Hot Beef Injection!!!

Quote from: haydent on June 20, 2011, 02:53:37 AM

is there a way to find out your trade number ? maybe from trade notification email or something ?

Quote

Once Mt.Gox is back online, trades 218869~222470 will be reverted.

yes THIS ^^^

is there a database of trades and numbers?

Quote from: bitcoinminer on June 20, 2011, 03:20:58 AM

May not have been an SQL injection, but it was sure as hell a Hot Beef Injection!!!

zing

Page 1

Viewing Page: 1