Topic: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT - page 2.

member
Activity: 70
Merit: 10
Stop hiring the worst security auditors in the world.

They just said it was a "financial auditor".

WTF? IKR?
sr. member
Activity: 284
Merit: 250
Stop hiring the worst security auditors in the world.
legendary
Activity: 1022
Merit: 1001
lol it will be fun trying to verify my IP seeing as my VPN gives me a new one every time I connect to the net..hope it's not this hard...
newbie
Activity: 10
Merit: 0
I guess that makes me feel somewhat better...
newbie
Activity: 11
Merit: 0
Quote
[Update - 2:06 GMT] What we know and what is being done.
  • It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
  • Two months ago we migrated from MD5 hashing to FreeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
  • We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
  • Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
  • When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.
  • Once Mt.Gox is back online, trades 218869~222470 will be reverted.

We will continue to update as we find new information.

Source: https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
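The hashing migration described in the quoted update (unsalted MD5, then FreeBSD md5crypt, then iterated salted SHA-512), as an added illustration that is not from this thread or from Mt.Gox: a small audit script that classifies stored hashes by scheme, flags accounts still on unsalted MD5 for a forced reset, and shows a salted multi-iteration SHA-512 scheme built on PBKDF2 from Python's hashlib (a stand-in for the crypt(3) $6$ format, which the update does not specify). The sample rows are constructed.

```python
import hashlib
import hmac
import os
import re

# Storage formats the update mentions (patterns are assumptions, not Mt.Gox's schema).
RAW_MD5 = re.compile(r"^[0-9a-f]{32}$")                                 # unsalted hex digest
MD5CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")    # FreeBSD md5crypt
SHA512CRYPT = re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")
PBKDF2_SHA512 = re.compile(r"^\$pbkdf2-sha512\$\d+\$[0-9a-f]+\$[0-9a-f]{128}$")

def classify(stored: str) -> str:
    """Return the hashing scheme a stored credential uses."""
    if RAW_MD5.match(stored):
        return "md5-unsalted"
    if MD5CRYPT.match(stored):
        return "md5crypt-salted"
    if SHA512CRYPT.match(stored) or PBKDF2_SHA512.match(stored):
        return "sha512-iterated-salted"
    return "unknown"

def accounts_to_reset(rows):
    """Usernames whose stored hash is still unsalted MD5: force a password reset on next login."""
    return [user for user, stored in rows if classify(stored) == "md5-unsalted"]

def hash_password(password: str, salt: bytes = b"", rounds: int = 100_000) -> str:
    """Salted, multi-iteration SHA-512 via PBKDF2 (hashlib); a stand-in for crypt(3) $6$."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return f"$pbkdf2-sha512${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count, then compare in constant time."""
    if not PBKDF2_SHA512.match(stored):
        return False
    _, _, rounds, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(recomputed.hex(), digest_hex)

# Constructed sample rows (not real Mt.Gox data).
SAMPLE_ROWS = [
    ("alice", hashlib.md5(b"password").hexdigest()),        # idle account, never re-hashed
    ("bob", "$1$saltsalt$" + "a" * 22),                      # shape of an md5crypt entry
    ("carol", hash_password("correct horse", salt=b"\x00" * 16)),
]

if __name__ == "__main__":
    for user, stored in SAMPLE_ROWS:
        print(user, classify(stored))
    print("force reset:", accounts_to_reset(SAMPLE_ROWS))  # ['alice']
```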