Topic: My MtGox account was just exploited - 3 BTC stolen [old news] (Read 3518 times)

member
Activity: 88
Merit: 10
Yes to the "does it work with Google Authenticator" question. That's what I use for 2FA for Gox.

Me too, now.
420
hero member
Activity: 756
Merit: 500
I am assuming no 2FA enabled?

With password compromise usually it is
a) phishing attack
b) password re-use on another compromised site
c) keylogging


I am sure you realize it in hindsight, but a 20 char lastpass password protecting a 6 char account password doesn't enhance security. Still, I doubt you were brute forced as the account probably would be locked.

How often is keylogging done and how can we tell, especially for Windows 7?
legendary
Activity: 1554
Merit: 1222
brb keeping up with the Kardashians
Yes to the "does it work with Google Authenticator" question. That's what I use for 2FA for Gox.
member
Activity: 88
Merit: 10
I doubt it is "Big Brother" access at your workplace. MtGox uses SSL throughout; it is close to impossible for anyone to see any data sent between you and MtGox.

(Sorry to necro the thread, but I just saw this reply)

I don't think it was my employer either, but it's possible.

SSL puts the barrier high for intercepting the conversation in transit, but it's possible it could be MitM'd. Much more likely is that a combination of screen captures and keylogger would give it away. But, like I said - I don't see this as likely in my environment.
full member
Activity: 150
Merit: 100
I doubt it is "Big Brother" access at your workplace. MtGox uses SSL throughout; it is close to impossible for anyone to see any data sent between you and MtGox.
member
Activity: 88
Merit: 10
Update in OP.
member
Activity: 88
Merit: 10
Unless you used the same password somewhere else it was most likely the Android tablet.
That's why we need this: http://www.indiegogo.com/projects/freedroid

I think we'll see if that were the case.

My tablet is a Samsung Galaxy Tab 2, running a Cyanogenmod 10.1 nightly. I have BitcoinSpinner on there that housed my "just in case" coins - in other words, it was equivalent to my checking account, with around 50 coins most of the time.

I've left 3.xxxx coins on the device, at that address, to see if they're taken as well. If they are, then I can safely assume that is the vector.

I also left 3.xxxx coins in a Blockchain.info wallet, which I created on my work PC and stored the login credentials in a word document marked "Bitcoin Info" on my desktop.

If neither of those disappear, I really don't think my devices are the origin.

ETA: If both disappear, I guess I'll start suspecting my wife or my 4-year-old little girl Smiley
member
Activity: 88
Merit: 10
Could you clarify the order of events:

You registered with mtgox with a weak pw
The "big" mtgox hack happened, user info leaked, some passwords cracked and phished
You changed your pw to a strong one
Your account gets hacked and 3 btc stolen

Right?

Not quite.

I registered with MtGox, just prior to the first bubble.
The MtGox hack happened.
I changed my password, to <4-letter word><2-digit year>.
Many months passed
Unauthorized withdrawal occurred
I changed to a real password
member
Activity: 88
Merit: 10
Yeah, I know. 3 BTC.

Still, I was wondering - is there a new vulnerability out there I don't know about?

I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.

My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which were an English word and the last 2 a number that looked like a recent year. That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.

I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.
Interested as well...

You're saying that your woefully weak password had been changed for more than a year?  How strong is the new one, and when exactly did you change to the new one?

No, my password was changed a week or two after the break-in, whenever that was. I'm not a very active user of Bitcoin, and certainly not of MtGox. Apparently, I decided to use a very weak password then, probably for expediency, since I knew of the hack and changed it just in case I forgot later.
Interesting...

I'd put money on the weak password being "guessed", but I am not sure how much MtGox does to stop guessers.  Still, someone with a large botnet could have them all trying various combinations of passwords with various usernames derived from that MtGox hack list until they find one that works.  That'd get around any IP-based bruteforce detection.  English word + two digits is probably fairly high on the list of "to try" combinations for dictionary attacks.
Even with the information I've given here, there are still somewhere between 900k and 2m permutations for that password. IP-based locks are one thing - but if an account had attempted to log in tens of thousands of times, you'd think they'd lock the account.

No, the person who did this almost certainly knew my password, either through obtaining a hash and applying a rainbow table to it, through some sort of keylogger, intercepting it on the wire, or through having access to it on another site. I don't *think* the last one is the case.

A MitM seems quite complex for this. I'm thinking the most likely scenario at this point is either a vulnerability in MtGox's site, or someone at my workplace with access to their corporate "Big Brother" crap.

If no one else is complaining, I'm leaning heavily toward the latter - which is not to discount my own culpability, even a little. At the time I set that password, I was a fairly technical user but somewhat naive security-wise. That's by far the most likely, that they've had my password for months and have waited to use it.

Odd they chose now - I've been playing the market for a few weeks, starting with 1 BTC and working my way up to the 3 that was lost. They must not be checking often.

I hope I get ahold of account login logs Smiley That would give me something to chew on.
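An added detection example, not from this thread or from MtGox: a per-account failed-login counter kept alongside the usual per-IP one, run over constructed log lines, so that a guessing run spread across many source IPs still trips the account lock the post above asks for, and a success arriving right after such a burst is flagged. The log format, account names and addresses are invented.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not MtGox's format): one guessing run against "alice"
# spread over several source IPs, ending in a success, plus a benign user "bob".
SAMPLE_LOG = """\
2013-04-02T10:00:01 FAIL account=alice ip=198.51.100.10
2013-04-02T10:00:02 FAIL account=alice ip=198.51.100.11
2013-04-02T10:00:03 FAIL account=alice ip=198.51.100.12
2013-04-02T10:00:04 FAIL account=alice ip=198.51.100.13
2013-04-02T10:00:05 OK account=alice ip=198.51.100.14
2013-04-02T10:00:06 FAIL account=bob ip=203.0.113.7
2013-04-02T10:00:07 OK account=bob ip=203.0.113.7
"""

def parse_line(line):
    """Return (timestamp, result, account, ip) for one constructed log line."""
    ts, result, acct, ip = line.split()
    return datetime.fromisoformat(ts), result, acct[len("account="):], ip[len("ip="):]

def analyze(log_text, threshold=3, window=timedelta(minutes=10)):
    """Sliding-window failure counts keyed per source IP and per account.

    Returns (ips_over, accounts_over, suspicious_logins): keys that exceeded
    `threshold` failures inside `window`, and successful logins that arrived
    while the *account* was over threshold (a guess that finally landed).
    """
    fails = {"ip": defaultdict(deque), "account": defaultdict(deque)}
    over = {"ip": set(), "account": set()}
    suspicious = []
    for line in log_text.splitlines():
        ts, result, acct, ip = parse_line(line)
        for kind, key in (("ip", ip), ("account", acct)):
            q = fails[kind][key]
            while q and ts - q[0] > window:   # expire failures outside the window
                q.popleft()
            if result == "FAIL":
                q.append(ts)
                if len(q) > threshold:
                    over[kind].add(key)
        if result == "OK" and len(fails["account"][acct]) > threshold:
            suspicious.append((ts.isoformat(), acct, ip))
    return over["ip"], over["account"], suspicious

if __name__ == "__main__":
    ips, accounts, logins = analyze(SAMPLE_LOG)
    print("IPs over threshold:", ips or "none")
    print("accounts over threshold:", accounts)
    print("successful logins after a guessing burst:", logins)
```

On the sample no single IP exceeds the threshold, which is exactly the case a per-IP lockout misses, while the per-account view locks "alice" and flags the login that followed.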
hero member
Activity: 899
Merit: 1002
Unless you used the same password somewhere else it was most likely the Android tablet.
That's why we need this: http://www.indiegogo.com/projects/freedroid
member
Activity: 88
Merit: 10
Put 2 factor authentication on withdrawals, then you'll never lose anything in your mtgox account again.

Yep.

I'm digging in their interface now, it looks like they offer software auth. If that will work with Google Authenticator, I'll probably use that.

Another thing they could do (they may, I don't know) is offer an option where withdrawals may only be made to addresses from which deposits have been made.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
Could you clarify the order of events:

You registered with mtgox with a weak pw
The "big" mtgox hack happened, user info leaked, some passwords cracked and phished
You changed your pw to a strong one
Your account gets hacked and 3 btc stolen

Right?
legendary
Activity: 1400
Merit: 1005
Yeah, I know. 3 BTC.

Still, I was wondering - is there a new vulnerability out there I don't know about?

I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.

My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which were an English word and the last 2 a number that looked like a recent year. That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.

I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.
Interested as well...

You're saying that your woefully weak password had been changed for more than a year?  How strong is the new one, and when exactly did you change to the new one?

No, my password was changed a week or two after the break-in, whenever that was. I'm not a very active user of Bitcoin, and certainly not of MtGox. Apparently, I decided to use a very weak password then, probably for expediency, since I knew of the hack and changed it just in case I forgot later.
Interesting...

I'd put money on the weak password being "guessed", but I am not sure how much MtGox does to stop guessers.  Still, someone with a large botnet could have them all trying various combinations of passwords with various usernames derived from that MtGox hack list until they find one that works.  That'd get around any IP-based bruteforce detection.  English word + two digits is probably fairly high on the list of "to try" combinations for dictionary attacks.
member
Activity: 88
Merit: 10
I am assuming no 2FA enabled?

With password compromise usually it is
a) phishing attack
b) password re-use on another compromised site
No 2FA. I don't believe the password was re-used, but it's possible. I only got serious about security a year or so ago, after my initial involvement with Bitcoin and the security/cryptography fields that it led me to.

My account ID is my actual first and last name.

I'm confident I wasn't phished.
legendary
Activity: 1638
Merit: 1001
₪``Campaign Manager´´₪
Not much use to you now, but you might want to use a Yubikey on gox in the future.
They offered me 1 for free, don't know if that offer still stands or if you have to pay for it nowadays.
legendary
Activity: 1806
Merit: 1003
Put 2 factor authentication on withdrawals, then you'll never lose anything in your mtgox account again.
donator
Activity: 1218
Merit: 1079
Gerald Davis
I am assuming no 2FA enabled?

With password compromise usually it is
a) phishing attack
b) password re-use on another compromised site
c) keylogging


I am sure you realize it in hindsight, but a 20 char lastpass password protecting a 6 char account password doesn't enhance security. Still, I doubt you were brute forced as the account probably would be locked.
member
Activity: 88
Merit: 10
Yeah, I know. 3 BTC.

Still, I was wondering - is there a new vulnerability out there I don't know about?

I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.

My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which were an English word and the last 2 a number that looked like a recent year. That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.

I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.
Interested as well...

You're saying that your woefully weak password had been changed for more than a year?  How strong is the new one, and when exactly did you change to the new one?

No, my password was changed a week or two after the break-in, whenever that was. I'm not a very active user of Bitcoin, and certainly not of MtGox. Apparently, I decided to use a very weak password then, probably for expediency, since I knew of the hack and changed it just in case I forgot later.
member
Activity: 88
Merit: 10
Some information to add:

The IP of the attacker was 37.190.151.69, which geolocated to Wroclaw, Poland. The destination address was 17GgxBiXVVTg7RFSGz2kEf3jLBhConxmQJ, where it sits right now with 6 confirmations.
legendary
Activity: 1400
Merit: 1005
Yeah, I know. 3 BTC.

Still, I was wondering - is there a new vulnerability out there I don't know about?

I'm trying to think of all the vectors that could have led to this. I have accessed my account from a PC at work, my personal Macbook Pro, and my Android tablet. The credentials are also stored with LastPass, with a >20-character pseudorandom passphrase protecting them.

My MtGox password was woefully weak, something I hadn't noticed because honestly, LastPass removed it from my line of sight. It consisted of 6 characters, the first four of which were an English word and the last 2 a number that looked like a recent year. That has been corrected. It had been changed since the "big" MtGox break-in, though, so I don't think that was it.

I'm not really upset about this, but rather more interested to find out how it happened. I also don't blame MtGox, unless they did something stupid like allow my account to be bruteforced - but I have no indication this occurred.
Interested as well...

You're saying that your woefully weak password had been changed for more than a year?  How strong is the new one, and when exactly did you change to the new one?