Topic: Bitcoinica MtGox account compromised - page 7. (Read 155955 times)

vip
Activity: 490
Merit: 502
July 23, 2012, 09:36:58 PM
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

You resigned from the company yet continue to access company accounts?


The username and password are public knowledge. I tried it for fun. I didn't see any records.

EDIT: I resigned from the company and they still charge my credit cards. And they haven't deleted my email access (and I can't delete myself).  They haven't even responded to the resignation.
hero member
Activity: 868
Merit: 1000
July 23, 2012, 09:35:45 PM
I don't understand why the LastPass account wasn't nuked as soon as it became known it was compromised.  All of the passwords it contained should have been changed anyway and the new passwords stored somewhere totally unrelated to the LastPass account.
hero member
Activity: 532
Merit: 500
July 23, 2012, 09:28:37 PM
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

You resigned from the company yet continue to access company accounts?


 Lips sealed



A clue?
hero member
Activity: 686
Merit: 500
Wat
July 23, 2012, 09:22:10 PM
How many Bitcoiners are now trying to log into the LastPass account using the API key?

All of them?
hero member
Activity: 868
Merit: 1000
July 23, 2012, 09:21:43 PM
How many Bitcoiners are now trying to log into the LastPass account using the API key?
hero member
Activity: 686
Merit: 500
Wat
July 23, 2012, 09:16:36 PM
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

You resigned from the company yet continue to access company accounts?


 Lips sealed

legendary
Activity: 873
Merit: 1000
July 23, 2012, 09:14:48 PM
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

You resigned from the company yet continue to access company accounts?
hero member
Activity: 868
Merit: 1000
July 23, 2012, 09:07:47 PM
Quote
That's because the API key is the same password for a MtGox account.

My understanding is that the API key was also the password to the LastPass account - which contained the password for the MtGox account, among other things.

It's possible sensitive information other than passwords was stored in the LastPass account, too.
vip
Activity: 490
Merit: 502
July 23, 2012, 08:59:37 PM
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.

From my understanding, it doesn't matter if the hacker didn't log into a LastPass account. That's because the API key is the same password for a MtGox account.

No. The Mt. Gox account is stored in LastPass. It's a different password.
hero member
Activity: 868
Merit: 1000
July 23, 2012, 08:44:38 PM

Was the 12 July master password change after the hack (hack was announced on 13 July)?

It's concerning that anyone would revert the password.


It should be. I can't answer with definite answers because I didn't change it.

It's concerning because an email account with admin rights of the entire Google Apps domain and also the domain name itself is stored in LastPass. The hacker can easily remove any critical email notifications by changing the settings of the mailing list [email protected].

Was the 12 July password change done by one of the principals after the hack or by the hacker?  (The 0.0.0.0 IP would make sense if the LastPass account owners got LastPass to revert a password which had been changed without authorisation).  

Honestly, at this point the only smart thing to assume is that the credentials for absolutely everything have been compromised and to lock everything down.

Was LastPass Premium being used, or the free version?
full member
Activity: 169
Merit: 100
July 23, 2012, 08:41:19 PM
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!


 Shocked
legendary
Activity: 980
Merit: 1014
July 23, 2012, 08:39:18 PM

If you're a criminal organization, then yes, it would be advisable.

Nay, if you got any common sense, you talk to your lawyers, period.
legendary
Activity: 980
Merit: 1014
July 23, 2012, 08:38:19 PM
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.

From my understanding, it doesn't matter if the hacker didn't log into a LastPass account. That's because the API key is the same password for a MtGox account.
vip
Activity: 490
Merit: 502
July 23, 2012, 08:31:38 PM

Was the 12 July master password change after the hack (hack was announced on 13 July)?

It's concerning that anyone would revert the password.

It should be. I can't answer with definite answers because I didn't change it.

It's concerning because an email account with admin rights of the entire Google Apps domain and also the domain name itself is stored in LastPass. The hacker can easily remove any critical email notifications by changing the settings of the mailing list [email protected].
member
Activity: 101
Merit: 10
July 23, 2012, 08:27:02 PM
I may have my facts wrong on some of this, so (those who actually know) please feel free to correct me?

1. Why did the hacker make a cash withdrawal? This supposedly gives Mt. Gox the account details of where the money was sent? If he/she were smart, they'd surely try to buy up as much bitcoin as possible then transfer the lot out of Mt. Gox and into an outside bitcoin address? Surely it's worth maintaining anonymity and reducing the risk of being caught for the sake of not being able to take the whole $40k?

2. Keyrings like LastPass are great for fools who refuse to take responsibility for their own data/account security. But for a programmer or system administrator to provide one attack vector (externally sourced, no less!) that gives access to all parts of the system isn't just negligent, it's deliberate and wilful.

3. Understanding that the API key was used as a password temporarily by someone who isn't normally involved in such matters, may be forgivable. However, this being brought to the attention of those in charge of technical operations and it not being resolved immediately is laughable.

In relation to 2 and 3; either the person/people responsible are clearly without the faculties to run such an operation, or they do have the technical sense to know that these flaws were critical and were either complicit or wilfully negligent.

It's clear from reading the email transcripts that competition with other exchanges and profitability were driving factors in whatever arrangements were being made regarding ownership. Regardless of this strong incentive not to suspend Bitcoinica's operation, those in charge should have done so as soon as they discovered these open barn doors and worked on shutting them before resuming.

What I find most troubling is that despite (according to the email transcripts) the Intersango / Bitcoin Consultancy trio knowing about these issues before they were exploited and therefore being absolutely culpable, people still seem to trust them enough to be trading on Intersango still?! If they were willing to leave holes unfilled for the sake of profit continuity at Bitcoinica, how can it be concluded that the same isn't true for Intersango?

My honest feeling is that the bitcoin community is blessed with technical talent. Unfortunately many appear to be straying far from their own skill sets and wasting other people's money while they learn new ones.


BB.
legendary
Activity: 1458
Merit: 1006
July 23, 2012, 08:24:29 PM
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.


What. The. Hell.
hero member
Activity: 868
Merit: 1000
July 23, 2012, 08:21:18 PM


You need to speak to lawyers first when you get stolen from?

When a non-trivial amount of your users have likely been using your service to commit financial offences, then you sure as shit want to be consulting your lawyers when deciding how to proceed after a theft.


Quote
07/12/2012 22:17:04  LastPass.com  67.188.9.35  Master Password Changed
07/17/2012 08:30:52  LastPass.com  0.0.0.0      Master Password Reverted

Was the 12 July master password change after the hack (hack was announced on 13 July)?

It's concerning that anyone would revert the password.
vip
Activity: 490
Merit: 502
July 23, 2012, 08:16:44 PM
I just tried the LastPass account. I didn't expect to be able to log in, but I was able to using the original credentials!

And LastPass didn't log the IP that reverted the master password. It's so weird.


Quote
07/12/2012 22:17:04  LastPass.com  67.188.9.35  Master Password Changed
07/17/2012 08:30:52  LastPass.com  0.0.0.0      Master Password Reverted
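The two LastPass activity entries quoted in the post above, reviewed the way an incident responder would triage a password-manager log. This is an added example, not code from the thread or from LastPass; the sample records are constructed from the quoted entries, the 13 July 2012 disclosure date comes from this thread, and the flagging rules are my own assumption.

```python
from datetime import datetime

# Constructed sample: the two events quoted in the post, one per line,
# tab-separated as timestamp, site, source IP, action.
SAMPLE_LOG = [
    "07/12/2012 22:17:04\tLastPass.com\t67.188.9.35\tMaster Password Changed",
    "07/17/2012 08:30:52\tLastPass.com\t0.0.0.0\tMaster Password Reverted",
]

# Date the compromise became public according to this thread (13 July 2012).
DISCLOSURE = datetime(2012, 7, 13)


def parse_activity_log(lines):
    """Turn tab-separated activity lines into one dict per event."""
    records = []
    for line in lines:
        ts, site, ip, action = line.rstrip("\n").split("\t")
        records.append({
            "time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"),
            "site": site, "ip": ip, "action": action,
        })
    return records


def review_master_password_events(records, disclosure=DISCLOSURE):
    """Return (record, reason) pairs a responder should examine.
    The rules are an assumption for this example, not LastPass's own checks."""
    findings = []
    for r in records:
        if "Master Password" not in r["action"]:
            continue
        reasons = []
        if r["ip"] == "0.0.0.0":
            # A master password event with no attributable source is unexplained.
            reasons.append("no source IP recorded")
        if r["action"].endswith("Reverted"):
            # A revert puts the earlier (possibly exposed) secret back in force.
            reasons.append("revert restores the earlier master password")
        if r["time"] >= disclosure:
            reasons.append("event after public disclosure of the breach")
        if reasons:
            findings.append((r, "; ".join(reasons)))
    return findings
```

Run against the sample, only the 17 July revert is flagged; the 12 July change predates disclosure and has a source IP, which is exactly why the thread asks who made it.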
hero member
Activity: 952
Merit: 1009
July 23, 2012, 08:09:01 PM
This still hasn't been reported to the cops Huh?

MtGox filed a police report, but would not detail what they know until the investigation is over. Bitcoinica are probably talking to their lawyers about what they should do.

You need to speak to lawyers first when you get stolen from?

If you're a criminal organization, then yes, it would be advisable.
hero member
Activity: 686
Merit: 500
Wat
July 23, 2012, 08:05:00 PM
This still hasn't been reported to the cops Huh?

MtGox filed a police report, but would not detail what they know until the investigation is over. Bitcoinica are probably talking to their lawyers about what they should do.

You need to speak to lawyers first when you get stolen from?