Sunday, June 19, 2011

MTGox DB got leaked. . .

The MTGox Database just got leaked.

There was a huge sell-out of bitcoins this afternoon. (6/19/11)
At first it looked like MTGox, one of the biggest "Bitcoin trading markets" found the hacker and closed the specific, compromised account.

At least, that's what they posted at their official blog:
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.


But, right after that, a post at the Bitcoin.org Board showed some other story:

A .CSV File, containing Usernames, Email addresses and also hashed user passwords.
The DB is over 3MB big and contains over 61.000 names.
I found my testuser, that I created a week ago .

It seems like the hack happened at least 3 days ago.
I found a hash from the accounts file in the Hashkiller DB OpenCrack list from 17.06.2011
http://opencrack.hashkiller.com/20110617-04.html

16. June 2011, he asked to crack hashes from this hack at the Insidepro board
http://forum.insidepro.com/viewtopic.php?p=65015#65015
http://forum.insidepro.com/viewtopic.php?p=65092#65092


Post to DB Dump:
http://forum.bitcoin.org/index.php?topic=19405.0 (Topic got deleted...)




Sad to see, that a page that makes thousands of dollars a week got hacked that fast.






New Statement:

UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.


Update:

....as a way of saying we sincerely sorry for the breach of security that lead to the sell-off, we will be reducing trade fees to 0.3% (from 0.65%) for two weeks following Mt.Gox's reopening.

Users whose trades were effectively cancelled during the the sell-off will be able to trade for free for 1 month following the reopening, and will also receive a free subscription to our upcoming 2-Step SMS security authentication feature for as long as they hold their account.


They implemented "multi-iteration, triple salted" SHA512 password storing and SMS authentication.