
Topic: Hacker got to my MTGOX account, he converted the USD I had...... (Read 13430 times)

sr. member
Activity: 294
Merit: 250
Again, to everyone who had his account compromised, please post in http://forum.bitcoin.org/index.php?topic=18050.0 .
As that topic is posted in Newbies (on purpose), anyone should be able to post in it regardless of post count.
newbie
Activity: 30
Merit: 0
Mt. Gox Cross-Site Request Forgery vulnerability Fixed:

http://forum.bitcoin.org/index.php?topic=18709.0
legendary
Activity: 3080
Merit: 1080
has anyone suspected the mining programs..anyone audited them yet?
member
Activity: 88
Merit: 10
I got hacked 2 days ago but luckily I only had 4 BTC in mtgox at the time.

I used the same password for MtGox, Tradehill, and Deepbit. The password was randomly generated and written down on a sticky note next to my PC.

What is even more strange is that I ONLY access these three sites from one of my mining rigs for the specific reason of security. The only programs I have installed are a browser and the basic mining essentials. I believe there is a hacker targeting one of those three sites, there is no way I had a virus.
newbie
Activity: 28
Merit: 0
Hello,

I highly doubt our site has been compromised in any way. Although, we have been DDoS'ed 3 times already since we have been up. We used very strong hashed passwords for all users. Not to mention the attacks started weeks before we launched the site.

The moment we learned that a lot of people have been compromised on MTGOX we began working on increasing the security on the site and have reset the passwords of all users.

I don't doubt that Bitcoin has attracted a few talented hackers that are behind the recent attacks on our site, mtgox, bitcoin, and others.

- Avoid all downloads
- Avoid all of the smaller mining pools
- Avoid every other poorly created Bitcoin website being spammed on the forums

If anyone has any questions feel free to send us a private message.

hero member
Activity: 527
Merit: 500
.... To the guys that got hacked, how secure did you think your password was? Did it use names, numbers, words, etc etc, how long was it, did you ever reuse it, are all your passwords stored somewhere presumed safe?
Maybe you simply tell us the passwords you used, I mean, if you still use that password ANYWHERE, you desire to be hacked.
hero member
Activity: 551
Merit: 500
Sooo any real word from mtgox yet?
newbie
Activity: 56
Merit: 0
Just sharing a PM I got, also with the same theme.

Quote
I can't post yet, seeing as how I haven't made the 5 minimum, I am sure I must be close to the 4 hours but I digress... Last night I bought, only 6 BTC in mtgox, basically as a learning tool to see how things work. And immediately, I mean immediately after the purchase went through, 5.55 BC were "withdrawn" to 1H2RBCBBTEGtWs4rDEGEqJLzKgcKrN8Vdp. I have since changed all my passwords, emails, and everything to all my accounts, but the only thing I can think of was the fact that I too used the same username and password combo, that at the time I used for mtgox on the btcprizes registration...


Again, no accusations but it would be interesting to hear from others if this is a common theme going on...
full member
Activity: 238
Merit: 100
Just sharing a PM I got, also with the same theme.

Quote
I can't post yet, seeing as how I haven't made the 5 minimum, I am sure I must be close to the 4 hours but I digress... Last night I bought, only 6 BTC in mtgox, basically as a learning tool to see how things work. And immediately, I mean immediately after the purchase went through, 5.55 BC were "withdrawn" to 1H2RBCBBTEGtWs4rDEGEqJLzKgcKrN8Vdp. I have since changed all my passwords, emails, and everything to all my accounts, but the only thing I can think of was the fact that I too used the same username and password combo, that at the time I used for mtgox on the btcprizes registration...


Again, no accusations but it would be interesting to hear from others if this is a common theme going on...
hero member
Activity: 527
Merit: 500
I'd bet that the hacker(s) hacked a lot of btc related sites and stole the username/password combos to try them at more valuable sites like mtgox. No offence to all the site admins but most sites look like total noob stuff from a security point of view. That's simply because web site security isn't as trivial as many may think because of various possible attack vectors (think of session hijacking/fixation/riding, invalid input sanitization, incorrect output encoding, multiple encodings to bypass filters, buggy php functions which stop at a 0-byte, ....).
full member
Activity: 238
Merit: 100
Add me to the mtgox hacked list.

I just found out someone hacked in and stole my full balance there of 20 BTC on the 14th (about 1/4 of what I own :( )
I'm running Linux behind 2 firewalls, so I highly doubt I was compromised at home.
Though I do a pretty good job of using different passwords, I can think of one thing I signed for lately where I was stupid enough to use the login combo.

I'm NOT pointing any fingers here, but that site was www.btcprizes.com
Can anyone else that has been hacked through MtGox recall if they registered there?
sr. member
Activity: 294
Merit: 250
I bet this is related to lulzsec's recent dump of 62,000 passwords. Password reuse anyone?

What is this?

Lulzsec is a group that have been hacking quite a number of well-known networks and systems in the last week or so. They've exposed many security flaws, and gotten hold of many many username password combinations.

A lot of fairly new forum users have supposedly had their MT.Gox account hacked, and had their bitcoin taken, or if USD it's exchanged for bitcoin and taken.

There's nothing wrong with MT.Gox's security, only that a great number of users have been using the same username:password combination as another website that's been hacked.
If you look at the stickied thread in Newbies you can see that most people don't seem to reuse both their username and password on Mt. Gox.
Quote
EDIT

Another possibility is that the user with the hacked system had a password stealing trojan on their system.
I know that at least for me that is not the case.
Quote
The only options for what is happening are:

1)MTGox are themselves stealing users money
2)Users are reusing password/username combinations from other sites that have been hacked
3)Users have a compromised system that has resulted in their username/password being lifted.
4)MTGox has some major security holes

1 is not likely as MTGox make enough money as it is, also why then wouldn't they steal everyone's instead of just a few accounts worth?
I don't think Mt. Gox stole it themselves. Besides them indeed getting more gain from running a business, there are a lot more "invisible" ways to make money disappear from accounts if you have access to the system. So that's extremely unlikely.
Quote
4 is more likely but still not probable. MTGox have a simple but robust system that has been strengthened through attacks almost since its inception.

They use username:password authentication over https, so that's not leaked.
They are vulnerable to a CSS history sniffing attack because they use GET requests for their forms, to just name a vulnerability I found (which can be thwarted by having a long non-dictionary password, by the way). So no, it's not as robust as you seem to imply.
Quote
Again because it's over https there is little to no chance of having your session hijacked.

They limit the number of password attempts so accounts cannot be brute forced.
I believe that that only works per IP, and that you have a practically infinite amount of attempts per account if you do distributed bruteforce (aka, let every bot in your botnet do 5 tries).
Quote
The system itself isn't likely easily hacked, otherwise everyone's bitcoin in MTGox would be gone.
It would be much better to stay relatively low-profile, and not give the impression that Mt. Gox were compromised, if it's indeed unsafe. That way you can slowly keep stealing more and more funds, while other people just attribute it to user error.
Quote
Options 2 & 3 are the most likely and most common in these situations.
I know that at least for me both 2 and 3 are not applicable. I don't reuse passwords, and I've turned my entire system pretty much upside down to see if there was anything suspicious - which there wasn't.
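The post above contrasts a login limit counted per IP with one counted per account. As an added example (not part of the original thread and not Mt. Gox's code), this sketch counts failed logins under both keys and measures how many failures each policy admits when attempts are spread over many source addresses; the class, function, account name and addresses are all constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login counter keyed by source IP and, optionally, account."""

    def __init__(self, max_failures=5, window=900.0, per_account=True):
        self.max_failures = max_failures
        self.window = window              # seconds a failure stays counted
        self.per_account = per_account
        self._by_ip = defaultdict(deque)
        self._by_account = defaultdict(deque)

    def _recent(self, failures, now):
        # Drop timestamps that have aged out of the window, then count the rest.
        while failures and now - failures[0] >= self.window:
            failures.popleft()
        return len(failures)

    def allowed(self, ip, account, now):
        if self._recent(self._by_ip[ip], now) >= self.max_failures:
            return False
        if self.per_account and \
                self._recent(self._by_account[account], now) >= self.max_failures:
            return False
        return True

    def record_failure(self, ip, account, now):
        self._by_ip[ip].append(now)
        self._by_account[account].append(now)


def failed_guesses_admitted(throttle, account, n_sources, tries_each):
    """Replay constructed failed logins from many IPs; return how many got through."""
    admitted, now = 0, 0.0
    for s in range(n_sources):
        ip = f"198.51.100.{s}"            # constructed address (documentation range)
        for _ in range(tries_each):
            now += 0.1
            if throttle.allowed(ip, account, now):
                throttle.record_failure(ip, account, now)
                admitted += 1
    return admitted
```

A hard per-account lock lets anyone lock a known username out, so deployments usually pair the per-account counter with increasing delays or a second factor rather than an outright block.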
newbie
Activity: 14
Merit: 0
Options 2 & 3 are the most likely and most common in these situations.

Fair enough, but what about the daily (monthly) withdraw limits being circumvented?
hero member
Activity: 588
Merit: 500
I know what LulzSec is. Again, what is this about a dump of 62,000 passwords?
hero member
Activity: 602
Merit: 513
I bet this is related to lulzsec's recent dump of 62,000 passwords. Password reuse anyone?

What is this?

Lulzsec is a group that have been hacking quite a number of well-known networks and systems in the last week or so. They've exposed many security flaws, and gotten hold of many many username password combinations.

A lot of fairly new forum users have supposedly had their MT.Gox account hacked, and had their bitcoin taken, or if USD it's exchanged for bitcoin and taken.

There's nothing wrong with MT.Gox's security, only that a great number of users have been using the same username:password combination as another website that's been hacked.

EDIT

Another possibility is that the user with the hacked system had a password stealing trojan on their system.

The only options for what is happening are:

1)MTGox are themselves stealing users money
2)Users are reusing password/username combinations from other sites that have been hacked
3)Users have a compromised system that has resulted in their username/password being lifted.
4)MTGox has some major security holes

1 is not likely as MTGox make enough money as it is, also why then wouldn't they steal everyone's instead of just a few accounts worth?

4 is more likely but still not probable. MTGox have a simple but robust system that has been strengthened through attacks almost since its inception.

They use username:password authentication over https, so that's not leaked.

Again because it's over https there is little to no chance of having your session hijacked.

They limit the number of password attempts so accounts cannot be brute forced.

The system itself isn't likely easily hacked, otherwise everyone's bitcoin in MTGox would be gone.

Options 2 & 3 are the most likely and most common in these situations.
hero member
Activity: 588
Merit: 500
I bet this is related to lulzsec's recent dump of 62,000 passwords. Password reuse anyone?

What is this?
sr. member
Activity: 294
Merit: 250
I bet this is related to lulzsec's recent dump of 62,000 passwords. Password reuse anyone?
I am not in the dump, nor do I reuse passwords. So *if* the Lulzsec DB is in some way related (which I doubt as that dump was released after accounts started getting broken into) it is at least not the only attack vector.