This is IMHO of course..
First of all MTGox was hacked down around 3 days ago or so - http://forum.bitcoin.org/index.php?topic=19649.0
There are 2 variants:
1. Hackers got access to data in database ONLY through SQL injection - it's "oh my God" scenario.
2. WHOLE box was compromised some how (through unpatched software) - it's "Holy shit" scenario..
Personally I see "oh my God" scenario took place...
They got access to WHOLE db - not only login/passwords.
They found account with MOST BTC on it..
It took them couple of days to crack the password (these guys know what hash means
)
They calculated how far they can push price down and put their bids there...
Then they got logged in with it and pressed "SELL ALL IN" button...
Now they have cheap bitcoins and wait for noise to settle down and cash out.
Ramifications for "oh my God"..
1. Hackers continue to break passwords to top 10 accounts...
2. SQL injection hole is still there and it can happen again EVEN after forced password change.
No "Holy shit" scenario took place..
If it was the case, they would simply send away all coins from account. But I don't think MTGOX will try to hide this.. I mean he is not that stupid to try it...
First of all MTGox was hacked down around 3 days ago or so - http://forum.bitcoin.org/index.php?topic=19649.0
There are 2 variants:
1. Hackers got access to data in database ONLY through SQL injection - it's "oh my God" scenario.
2. WHOLE box was compromised some how (through unpatched software) - it's "Holy shit" scenario..
Personally I see "oh my God" scenario took place...
They got access to WHOLE db - not only login/passwords.
They found account with MOST BTC on it..
It took them couple of days to crack the password (these guys know what hash means
)They calculated how far they can push price down and put their bids there...
Then they got logged in with it and pressed "SELL ALL IN" button...
Now they have cheap bitcoins and wait for noise to settle down and cash out.
Ramifications for "oh my God"..
1. Hackers continue to break passwords to top 10 accounts...
2. SQL injection hole is still there and it can happen again EVEN after forced password change.
No "Holy shit" scenario took place..
If it was the case, they would simply send away all coins from account. But I don't think MTGOX will try to hide this.. I mean he is not that stupid to try it...
Their Buy order will be rolled back, so they won't get those coins. They could have only transferred $1000 US out of the account in question.
That said, if you use your Mt. Gox password anywhere associated with the email address or username on the account, you're screwed.
Fortunately my MtGox account name was unique to MtGox, the password was unique (and very strong), and I didn't associate an email address with my account.
There are 61,017 rows in the password file. That's a crapton of IDs, Emails, and Hashed passwords. Anyone saying you cannot login with the info is flat out lying. You can brute force anyone with a weak password in the file, and immediately start attacking their accounts.
They have the file (as do thousands of other wannabees). They have a LONG time to work on it. Change all of your passwords associated with your username or email address, especially high-value targets like PayPal, Facebook, eBay, your bank, etc.
