Huge crash and compromised data on MtGox

This Sunday, 19 June, more than 500,000 bitcoins were suddenly sold on MtGox, driving the price below $0.01/BTC.
According to an official source at MtGox, an account was compromised and the cracker sold all the bitcoins held in that account.
MtGox shut down and announced that all transactions will be reverted.

At the same time, a list of accounts was published on the internet, containing the account name, the email address linked to that account, and a hash of the password. The list was published as being the list of every MtGox account, and it looks legitimate: several MtGox users have confirmed that they are on it. Having the list of password hashes could allow a cracker to recover the weakest passwords.
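
As an added illustration (not part of the original article) of why a leaked hash list exposes the weakest passwords first, and what a site can do about it: the rows below are constructed in the leaked list's shape (account, email, hash), unsalted MD5 is an assumption about the hashing scheme rather than a fact from the article, and the salted PBKDF2 functions show the mitigation a site should have in place.

```python
import hashlib
import os
from collections import defaultdict
from typing import Optional

# Constructed sample in the shape of the leaked list: account,email,hash.
# The accounts are made up; the hashes are unsalted MD5 of weak demo passwords,
# computed here rather than copied from any real dump.
def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

LEAK = "\n".join([
    f"alice,alice@example.org,{md5_hex('password')}",
    f"bob,bob@example.org,{md5_hex('password')}",
    f"carol,carol@example.org,{md5_hex('123456')}",
    f"dave,dave@example.org,{md5_hex('correct horse battery staple')}",
])

def parse_leak(text: str) -> list:
    """Split 'account,email,hash' lines into tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        account, email, digest = line.split(",", 2)
        rows.append((account, email, digest.strip().lower()))
    return rows

def shared_hash_accounts(rows) -> dict:
    """Group emails by hash. With unsalted hashing an identical digest means an
    identical password, so one guess unlocks every account in the group; these
    are the accounts a site should lock and force to reset first."""
    groups = defaultdict(list)
    for _, email, digest in rows:
        groups[digest].append(email)
    return {d: emails for d, emails in groups.items() if len(emails) > 1}

def salted_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt plus a slow KDF: equal passwords no longer collide
    and every guess has to be recomputed for each account separately."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000) == digest

if __name__ == "__main__":
    print("force-reset first:", shared_hash_accounts(parse_leak(LEAK)))
    (_, d1), (_, d2) = salted_hash("password"), salted_hash("password")
    print("same password, different stored digests:", d1 != d2)
```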

It is now recommended to trade on other exchanges, such as TradeHill or Bitmarket.eu. (We covered TradeHill's launch in a previous article.) Remember, though, that you are able to control your own bitcoins! Anyone holding a significant amount of coins should not keep them on an exchange, no matter which one!

[Image: The list of every MtGox user account with their email and the hash of the password]

This raises a lot of concerns about the security of MtGox and about the attack in general.

  • Why does it look like MtGox has so many security flaws? Amateurism? (We covered some previous vulnerabilities.)
  • Why was the cracker so stupid? He could have silently stolen the coins and sold them later. At first glance, it looks stupid.
  • How many coins were really stolen? MtGox stated that the hacker was only able to withdraw $1,000 worth of coins. But with the price driven as low as $0.1, that could be as much as 10,000 BTC. Maybe the cracker was not so stupid.
  • Why did this happen during a PR stunt by TradeHill on the forum? Not very good timing. It also doesn't look very ethical to take advantage of such a situation so quickly.
  • Are alternatives such as TradeHill more secure than MtGox?
  • Is the bitcoin market so fragile that a single big sell order can crash it completely? Will confidence remain, or is this the big crunch?
  • Why should MtGox be allowed to revert trades? What are the rules regarding that? What if someone claims to have been compromised after some bad trades?
  • Now that there is sufficient interest, will the bitcoin world become more resistant to the increasing number of attacks?

A lot of questions are in the air, but hopefully this will make bitcoin stronger than ever.

As for how this happened, Mark Karpelès, the owner of Mt. Gox, is adamant that there was no SQL injection attack. To many this sounds implausible: according to a user on the popular IRC channel #bitcoin-dev, it was reported to Mr. Karpelès earlier this week that the password field of the login screen was vulnerable to SQL injection.

UPDATE: This was NOT an SQL injection attack, merely a compromised development computer.

Obviously, this is still developing and it is unlikely we will see the whole story for many days, but a 'best guess' is that an attacker exploited a vulnerability to gain access to the Mt. Gox database of usernames and password hashes. After recovering some of the weaker passwords from the hashes, they likely found an account holding the 500,000 coins, and used other accounts to buy coins at low prices. From there, the 1,000 USD per day withdrawal limit is trivial to get around: many accounts are now loaded with BTC, and since the price was depressed, each could withdraw a large number of coins within the limit.

There is some good news, though. Although email addresses were leaked, along with password hashes that may also unlock those email accounts, Mike Hearn, who works on fraud at Google, is busy locking the affected accounts and forcing a password change. This prevents the attackers from also gaining access to the users' email accounts, which could in turn compromise many other accounts.

This is breaking news; expect updates as more information is revealed.

UPDATE: Don’t Panic!