Topic: MtGox account compromised (Read 110455 times)

mea culpa.

HIS POST IS FROM JUNE 10.

you fail.

How can you log into your MtGox account? I thought is is still closed?

History books?  Hell, I feel like I've been living inside a Bruce Sterling sci-fi novel for the last month.

Today topped them all, as an especially Islands-In-The-Net kind of day.  Damn those data pirates!

/wants razorgirl bodyguard

So true.

Same here, getting some really fucked up spam now.

well... my mtgox password was ªç!¼:Üý\†€BZ*Š”TbŠòê  unique for this site, moreover I never sent them a single penny, bit or fiat.

Learn from the pros, kids.

I am still pissed off by finding my email in that damn list.

This mtgox biz and many other things which we are witnessing with bitcoin will be in history books.

Now, we know that 1765 of the MtGox password hashes leaked today were not salted. :-(

The same thing happened to me too. I login my account today and found I lost 42.9$ in my account, and I have no idea about the latest two trade in my trade history. I mean even my account is week, the hacker shouldn't know my username. Someone in the office must be leaking user's information.

Tracing bitcoins is basically the same as tracing cash:  if you catch the original person spending the cash directly you have them, otherwise the bills will just show up at banks after having been passed through multiple organisations with no way to track them.  A smart enough criminal can keep from getting caught after a cash heist, and similarly a smart enough criminal can keep from getting caught after a bitcoin heist.  Fortunately, many criminals are stupid and get caught anyways through some small slip-up.  Gaining expertise in the entire system and how to catch those tiny slipups will give law enforcement the same edge with regards to bitcoin that they have with cash.  Some criminals will get away, and some will get caught; expertise on the part of law enforcement will increase the proportion caught.

Though, realize if "bitcoincop" is a real "cop" then he may be thinking that is easy. Once you find one of those users, you question him, and when he tells you that he uses mybitcoin, then you go to mybitcoin and try to get them to release their records, afterall, they should be able to make the connection with the account that they were deposited into.

That said, if mybitcoin can be convinced (or compelled) to help, then this should be a trivial step. Of course, since you can access them as a location hidden service, and they require no real information to sign up, it could easily be a dead end too.... and that is before we even consider other possibilities.... like coin tumbler (or similar). Unless the thief was the only person using it at the time, and not particularly clever about it, simply going from one service like mybitcoin or mtgox to another, through coin tumbler with multiple addresses well... I hope you get the picture.

hell, I recall even seeing someone on Silk Road who was offering pre-laundered bitcoins for sale. They claim to do some sort of escrow, so its not even like that person could cheat and send back the same coins (not that it would be hard to determine, but as a scam, i bet would work most of the time) and wouldn't even know the buyers real name.... though, I guess if you were sure that he did it, again, its no better or worst than mybitcoin in terms of, you could at least ask him to help you pick the trail back up. (assuming that he keeps records)

Though, how you convince an anonymous people, running services intended to gaurd your anonymity, to voluntarily cooperate in compromising someones anonymity, even in an indeterminate way like this, is an open question. I guess its possible that accusations of thievery may sway them to help, but, they may want you to prove it before they are willing to help.

Afterall, its not like you can pull them into an interrogation room and get out the rubber hoses. That is, unless you can compromise their identities first.

It's nearly impossible to mark certain Bitcoins as stolen or dirty because they can be so easily laundered.  For example, send the stolen coins to an account at MyBitcoin.com, withdraw the coins to a new Bitcoin address.  The withdrawn coins are completely clean and other MyBitcoin.com users end up with the "dirty" coins.

So this all makes me wonder if there is a way to create a central database about fraudulent transactions, and associated addresses. Someone would make an entry into such a database and provide contact information or other community based details, perhaps sign them with a key that they use as a part of transactions on bitcoin-otc/IRC.  Then, when someone else who cares and receives a payment with these bitcoins from someone else, they can contact the original person to get details and perhaps deny the sender the goods/services they're trying to purchase with the stolen bitcoins.

Yes, it would take an outside database, and yes it would take a strong community with reputation and social trust, but it could be helpful.

One example of such a database for Laptops/computers is: http://www.stolencomputers.org/home.html. 

Access to a database for bitcoins would come as a plugin or add on for a user to install on their bitcoin server.

Ah, but all of the password I generate are stored on my encrypted drive, and the drive password is, well, longer than my screen. That one I remember completely.

I started using mnemonics for passwords years ago. Take some phrase from a song, movie, or anything you like.... then make a string out of it. Something like "I started using mnemonics years ago"

Can become a string like:
I
Reduces the time it takes before I can type them from memory, and makes it much easier to recall them later, sometimes even years later.

This thread was quite an interesting read. One thing that seems to have become unnoticed is Liberty Reserve's part in the stolen Bitcoins. I think that in the case of large transactions like the ones that happened in this thread there really needs to be an obligation to check whether the Bitcoins are stolen or not. MtGox took the right approach to trace how the funds were stolen and where they went. In fact I think that if Liberty Reserve was not so quick to trade the Bitcoins into cash then there would have been a larger chance to catch the thief with the Bitcoins.

I think in the end all avenues need to be checked and not simply the ones that deal with password security or server security. Simply sweeping this problem under the rug isn't going to solve anything and when problems like these do happen they need to be documented in their fullest. This is the second time I've read a thread where a lot of money was stolen and I can only imagine this problem escalating as Bitcoin becomes more known to the general people and especially to those that do not take security seriously.

I prefer pwgen -s 60 (less to type)

I generate passwords with:

Well kinda. Firstly, stringing words together isn't the most common of things people do. Shit, even I use one word dictionary passwords in some places. Common is a dictironary word, word with numbers at the end, more likely than not all lower case.... some words are more common than others... in any case, there are optimizations that reduce effective keyspace.

Also, hashes can have collisions. Technically, you don't need to guess THE password, just something that hashes to the same value (unlikely but, no way to rule out collisions). Then there is the number of accounts. Maybe instead of scanning one account for all possible good passwords, you just try lots of different accounts in the set of bad ones?

Remember, even the HBGary hacks, a security company, BOTH founder and CEO had 6 char, all lower case passwords with numbers at the end (or so the claim goes).

All that said, I am skeptical of dictionary attacks. More likely attacks, to my mind? Well, again back tot he HBGary hack... same password on multiple accounts anyone? I almost garauntee that you go to ANY forum on the net, including this one, post a link to a site you own, with some reason to register, and you will get a list of usernames and passwords that are probably valid on other sites.

Do it here, and the chances they work on mtgox.... well.... you get the picture.

Generally a dictionary attack would be done with a pregenerated list of common passwords sorted by frequency of use.