
Topic: MtGox account compromised - page 6. (Read 110455 times)

legendary
Activity: 980
Merit: 1020
February 01, 2011, 04:04:00 PM
#78
So, has anyone identified the attacker? I had been checking the IP with no luck.

What are we going to do? Call the police?
legendary
Activity: 980
Merit: 1020
February 01, 2011, 04:02:06 PM
#77

libertyreserve doesn't ever reverse transactions. they're trying to be a 'hard currency'. so you're pretty much SOL there.

Don't forget what PayPal did to mtgox and to the bitcoin economy. Hard currencies are a better alternative.
hero member
Activity: 482
Merit: 501
February 01, 2011, 03:58:54 PM
#76
Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.

There were only two accounts that had money stolen from them as far as I can tell.

It was a dictionary attack since I saw it happening.

I plugged the vulnerability that allowed them to run the attack so your weak passwords will be safe again.

I'm still working out with cryptofo if/how to reimburse him.

Ideally Liberty Reserve would help us since they can easily fix the issue. But they don't seem to be cooperating. Anyone have ideas there?


libertyreserve doesn't ever reverse transactions. they're trying to be a 'hard currency'. so you're pretty much SOL there.
sr. member
Activity: 322
Merit: 250
Do The Evolution
February 01, 2011, 03:55:53 PM
#75
So, has anyone identified the attacker? I had been checking the IP with no luck.
sr. member
Activity: 364
Merit: 252
February 01, 2011, 03:46:40 PM
#74
Sorry for the ones that lost coins.

But weak passwords on a site that has ANYTHING to do with finances?

http://lastpass.com/
http://keepass.info/
http://strongpasswordgenerator.com/
http://www.passwordchart.com/


They all work great, depending on what you need.
member
Activity: 67
Merit: 10
Stop trying to steal my account, thanks.
February 01, 2011, 03:24:41 PM
#73
Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.

There were only two accounts that had money stolen from them as far as I can tell.

It was a dictionary attack since I saw it happening.

I plugged the vulnerability that allowed them to run the attack so your weak passwords will be safe again.

I'm still working out with cryptofo if/how to reimburse him.

Ideally Liberty Reserve would help us since they can easily fix the issue. But they don't seem to be cooperating. Anyone have ideas there?


Finally, your answer is much appreciated.
Guess you both share the responsibility for the story, vulnerability + weak password = 50:50
full member
Activity: 185
Merit: 102
February 01, 2011, 03:20:55 PM
#72
Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.

There were only two accounts that had money stolen from them as far as I can tell.

It was a dictionary attack since I saw it happening.

I plugged the vulnerability that allowed them to run the attack so your weak passwords will be safe again.

I'm still working out with cryptofo if/how to reimburse him.

Ideally Liberty Reserve would help us since they can easily fix the issue. But they don't seem to be cooperating. Anyone have ideas there?
sr. member
Activity: 322
Merit: 250
Do The Evolution
February 01, 2011, 03:13:37 PM
#71
Dunno, maybe you can get a sell on short while you have chance.

As of the 24th incident it could show that there was indeed a compromise or MtGox checking something.
hero member
Activity: 489
Merit: 505
February 01, 2011, 03:07:38 PM
#70
So until now we have 1 confirmed compromised account (cryptofo) and several other reporting some strange transaction 4 days earlier.

IMHO that transaction has nothing to do with the attack at all. Could cryptofo please check the strength of the used password?

Just trying to keep panic down and get the matter resolved
sr. member
Activity: 322
Merit: 250
Do The Evolution
February 01, 2011, 03:06:09 PM
#69
I have a 7 random (generated) + a salt of at least 5 chars and I still see an odd transaction. The good thing is that I didn't have any funds at that time. So, anything official about what happened yet?
legendary
Activity: 980
Merit: 1020
February 01, 2011, 03:04:48 PM
#68
I'm only referring to the Jan 24th incident personally. Sorry for the confusion. And yes, I always use HTTPS as you are redirected automatically.

They are merely fishing for names.
sr. member
Activity: 364
Merit: 252
February 01, 2011, 03:00:27 PM
#67
I'm only referring to the Jan 24th incident personally. Sorry for the confusion. And yes, I always use HTTPS as you are redirected automatically.
legendary
Activity: 1615
Merit: 1000
February 01, 2011, 02:56:16 PM
#66
Whoa, whoa, whoa. Are we sure those odd "united" transactions on the 24th have anything to do with the unauthorized access? I have that too, as pretty much everyone seems to, but haven't lost any BTC or USD. Cryptofo, on the other hand, did have funds stolen, and that happened on the 28th, 4 days later. Everyone who's saying their accounts were compromised, did you lose something or are you referring to the odd transaction on the 24th? I'd like to hear what mtgox has to say on the events on the 24th before concluding those are related to any kind of foul play at all. For all we know it was some kind of cleanup operation related to the rounding errors reported before. I know I had a negative balance on mtgox at some point due to those.
member
Activity: 67
Merit: 10
Stop trying to steal my account, thanks.
February 01, 2011, 02:55:06 PM
#65
My account is one that was compromised. My password is randomly generated and strength is 100% according to that site.

My password is above and beyond safer than necessary. A dictionary attack is very unlikely.
Next best guess: sniffing traffic. Are you using the HTTP or the HTTPS URL to log in?

You are automatically redirected to https, just checked.
newbie
Activity: 28
Merit: 0
February 01, 2011, 02:54:09 PM
#64
Thank you vladimer for your support and kind words from all.  These are the emails to mtgox.

Jeb,
I've contacted Liberty Reserve abuse and received their standard spiel.  I'm really
upset, I've been collecting these bitcoins for over a year.  I think this is unfortunate
because MTGOX is one of the primary sources for liquidity and market price, but this type
of insecurity is a vulnerability to the bitcoin community.  This was not caused by
complete negligence on my part.  My computer was not compromised.  My username and
password are specific to this site.  This is a specific attack that was directed at
mtgox.  My password may have been weak (8 characters, numbers and letters), but it was a
vulnerability on your end that allowed someone to use a dictionary attack.  It is
important to know that mtgox is willing to make their best efforts to reconcile a
compromise of this nature.  If there is any way you can replace some if not all of the
900+ bitcoins that were stolen from me, I think it would stand as a gesture of support
from mtgox and instill some faith in mtgox from the bitcoin community.


Quoting Jed McCaleb <[email protected]>:

I'm not sure how they got your username. From the bitcoin forum maybe?
Are you going to make a statement on the bitcoin forum with some  information?
I'm not sure what I would say there. I made the attack impossible now and I don't think anyone else's account was compromised.
Are you going to contact Liberty Reserve?
I can but you should also. The more people complaining about that account the better.



On Mon, Jan 31, 2011 at 6:19 PM,   wrote:
I understand this is somewhat out of your control and I should not have had
a password that started with a, but how did they know my username?  Are you
going to make a statement on the bitcoin forum with some information?  Are
you going to contact Liberty Reserve?

Quoting Jed McCaleb <[email protected]>:
I checked that IP and that was from the person running the attack. So
he must have guessed your password. I'm sorry...
How do you know someone was running a dictionary attack?
I saw the repeated login attempts. But I changed the login page so
they can't do it now.

Liberty Reserve has a contact form on their site.



On Mon, Jan 31, 2011 at 5:14 PM,   wrote:

How do you know someone was running a dictionary attack?  On your end?  Do
you know how I can get in touch with liberty reserve?

Quoting Jed McCaleb <[email protected]>:
This will tell you:
http://www.ip2location.com/demo.aspx

Well someone was running a dictionary attack so if your password was
simple he may have gotten it.
You could try writing Liberty Reserve and see if they can help since
they have the money now.
Sorry,
Jed.

On Mon, Jan 31, 2011 at 5:06 PM,   wrote:

Anything's possible, this seems like a rather specific attack.  I can't
believe this.  Can you tell where these Ip addresses are?

Quoting Jed McCaleb <[email protected]>:
Could someone have got your password somehow?

XXX.XXX.64.10
77.222.42.204
XXX.XXX.64.10
XXX.XXX.56.44

These are the IPs that have logged into your account
Jed.

On Mon, Jan 31, 2011 at 4:54 PM,   wrote:

Someone hacked my account and did this.

Quoting Jed McCaleb <[email protected]>:
Looks like you sold them and sent them to Liberty reserve account:
U0764959

On Mon, Jan 31, 2011 at 4:45 PM,  <###########> wrote:

XXXXXXX

Quoting Jed McCaleb <[email protected]>:
What is your username?

On Mon, Jan 31, 2011 at 4:22 PM,  <##########> wrote:

I just logged into mtgox and all my bitcoins are gone.  I'm freaking out.
What happened, please respond.
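
Added example, not part of the original posts and not MtGox's code: the e-mails above mention repeated login attempts and a changed login page without saying what the change was, so this sketches one common defence, a sliding-window limit on failed logins per source IP and per account. The thresholds, class and function names, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 300        # seconds of history considered (assumed value)
MAX_PER_IP = 5      # failed logins tolerated per source IP in the window
MAX_PER_USER = 5    # failed logins tolerated per account in the window


class LoginThrottle:
    """Sliding-window counter of failed logins, keyed by IP and by account."""

    def __init__(self):
        self.by_ip = defaultdict(deque)
        self.by_user = defaultdict(deque)

    def _recent(self, q, now):
        # Drop failures older than the window, return how many remain.
        while q and now - q[0] > WINDOW:
            q.popleft()
        return len(q)

    def blocked(self, ip, user, now):
        # Checked before the password is verified, so a throttled source
        # never learns whether a later guess was right.
        return (self._recent(self.by_ip[ip], now) >= MAX_PER_IP
                or self._recent(self.by_user[user], now) >= MAX_PER_USER)

    def attempt(self, ip, user, ok, now):
        if self.blocked(ip, user, now):
            return "blocked"
        if ok:
            return "ok"
        self.by_ip[ip].append(now)
        self.by_user[user].append(now)
        return "failed"


def replay(events):
    """Feed (time, ip, user, password_ok) tuples through a fresh throttle."""
    t = LoginThrottle()
    return [t.attempt(ip, user, ok, ts) for ts, ip, user, ok in events]


# Constructed sample: one source guessing once per second against one
# account (the guess at t=6 is correct), then the owner from another IP.
ATTACK = [(i, "198.51.100.7", "alice", i == 6) for i in range(8)]
OWNER_EARLY = [(10, "203.0.113.9", "alice", True)]
OWNER_LATER = [(400, "203.0.113.9", "alice", True)]
```

Replaying `ATTACK + OWNER_EARLY` shows the trade-off of the per-account limit: the correct guess at t=6 is refused, but so is the legitimate owner until the window expires, which is why per-account limits are usually paired with a CAPTCHA or an out-of-band unlock.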
hero member
Activity: 489
Merit: 505
February 01, 2011, 02:51:28 PM
#63
My account is one that was compromised. My password is randomly generated and strength is 100% according to that site.

My password is above and beyond safer than necessary. A dictionary attack is very unlikely.
Next best guess: sniffing traffic. Are you using the HTTP or the HTTPS URL to log in?
sr. member
Activity: 364
Merit: 252
February 01, 2011, 02:48:41 PM
#62
My account is one that was compromised. My password is randomly generated and strength is 100% according to that site.

My password is above and beyond safer than necessary. A dictionary attack is very unlikely.
hero member
Activity: 489
Merit: 505
February 01, 2011, 02:43:08 PM
#61
Just to add another statement: I too am seeing the Payment Process united transaction, with exactly the same time, looks a lot more like a cron job to me. If the database were compromised as some people suggested there would not be any entry, they'd just send the money off without being so polite as to inform the users where the money went. Same for the platform compromised discussion.

My best guess is that it was in fact a dictionary attack. Could the affected people please share the strength of their password using http://www.passwordmeter.com/ to not publish real passwords on the Forum?

My account doesn't seem to be compromised since it still shows me my dollar balance like I left it a few weeks ago.

Still waiting for an official statement by MtGox
administrator
Activity: 5222
Merit: 13032
February 01, 2011, 02:35:01 PM
#60
User credentials are passed along in clear text with GET method, not POST method.
That's sad man, anyone able to sniff the server traffic would have all the credentials.

POST is also easily-readable plaintext... GET is just visible in the URL. GET parameters are encrypted when using HTTPS.
legendary
Activity: 980
Merit: 1020
February 01, 2011, 02:22:36 PM
#59
I am not wrong, I might be not very well informed

Yea, it might be worse. Speculating further, in the presence of virtually no useful information, just knowing the general way web developers do stuff these days, I would guess that this might be a SQL injection attack, where the attacker got to the user auth database and bruteforced password hashes (probably even using a bunch of 5970).

Hopefully, mtgox will come up with a statement and stop all these speculations soon.


Maybe you could start a bitcoin security company in which you certify sites for following security protocols?