Bitcoin Price Crashes
Beardydog writes "Bitcoin trading site MtGox.com has suspended operations for the rest of the day after illicit access to at least one account resulted in a steep drop in the price of Bitcoins on the site. Commenters to the support page for the event are reporting that a list of usernames and associated email addresses and password hashes has been posted online. MtGox are currently planning to roll back all of the day's trading, email notices to all affected users, and require replacement passwords for affected accounts."
Link for master list of compromised accounts (Score:3, Informative)
Re:Is it even possible to roll back a bitcoin trad (Score:5, Informative)
Re:Is it even possible to roll back a bitcoin trad (Score:4, Informative)
It's worse than that. Very flaky players (Score:5, Informative)
"Mt. Gox", the main Bitcoin exchange, was originally "Magic the Gathering Online Exchange". Nobody really knows who runs "Mt. Gox"; it appears to be one person in Tokyo who's only reachable via email and IRC. (He must be having a terrible night; this all happened around 3AM in Japan.) It's not like there's some real financial institution, or even a funded start-up, behind this. Most, if not all, of the Bitcoin "exchanges" and "exchangers" are somewhat flaky entities. Bitcoin's ecosystem is financially very weak.
Understand that Mt. Gox is not just an exchange. It's a depository institution, like a bank. Customers have balances, in Bitcoins and other currencies, with Mt. Gox. But Mt. Gox is not regulated or audited as a bank or a brokerage, even though it holds other people's money. Accounts are uninsured.
This matters when something goes wrong and somebody gets stuck with losses. Mt. Gox claims they're going to "roll back" transactions to before the theft. But some of the money is already gone, transferred out before Mt. Gox shut down. Mt. Gox is going to have to eat some of those losses if they do a rollback. Do they have the cash? Nobody knows. They're not audited by anybody.
As for the security breach, not only is the entire file of usernames, email addresses, and encrypted passwords now widely available, so are the unencrypted passwords cracked so far. (One wonders why whoever stole the password file published it, but it may have to do with their needing help from others to crack the passwords.) As a result, TradeHill, another Bitcoin exchange based in Chile, has shut down, to avoid attacks using passwords obtained from Mt. Gox. Right now, there's no way to turn Bitcoins into dollars. (Euros, yes; right now the going rate is EUR11.51/BTC. But that market is very thin.)
Whether or not Bitcoins are a good idea, the market ecosystem behind them is far too flaky.
Re:buh? (Score:4, Informative)
Rolling the transactions back is a huger blow to that interesting experiment, and basically undermines the attempt to get bitcoins accepted as a form of currency.
Trades on the exchange do not impact the Bitcoin blockchain (transaction history) directly, in the exact same way as money is not directly transferred to/from your bank when you trade. Any market event is buffered into the virtual accounts that traders hold with Mt.gox, while the actual bitcoins are in Mt.gox's wallet and the actual dollars are in Mt.gox's bank account. You need to specifically request a transfer to get either money or bitcoins out of the system.
So the event is in no way relevant for Bitcoin. It's just a bad case of unsanitized inputs.
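An added illustration, not part of any post in this thread: a toy model of the split described in the comment above between virtual account balances and the operator's actual holdings, showing why the rollback discussed earlier in the thread restores traders but leaves the operator short by whatever was withdrawn on the strength of the reversed trade. The `Exchange` class, account names and amounts are hypothetical and constructed for the example.

```python
from copy import deepcopy

class Exchange:
    """Toy exchange (hypothetical): trades are internal bookkeeping, withdrawals are not."""
    def __init__(self, balances):
        self.balances = deepcopy(balances)          # virtual accounts, integer units
        # What the operator actually holds (wallet / bank account).
        self.reserves = {a: sum(acct[a] for acct in balances.values()) for a in ("BTC", "USD")}
        self.snapshot, self.withdrawals = None, []

    def take_snapshot(self):
        self.snapshot, self.withdrawals = deepcopy(self.balances), []

    def trade(self, seller, buyer, btc, price_cents):
        cost = btc * price_cents
        if self.balances[seller]["BTC"] < btc or self.balances[buyer]["USD"] < cost:
            raise ValueError("insufficient balance")
        self.balances[seller]["BTC"] -= btc         # reserves do not move on a trade
        self.balances[buyer]["BTC"] += btc
        self.balances[buyer]["USD"] -= cost
        self.balances[seller]["USD"] += cost

    def withdraw(self, user, asset, amount):
        if self.balances[user][asset] < amount:
            raise ValueError("insufficient balance")
        self.balances[user][asset] -= amount
        self.reserves[asset] -= amount              # leaves the exchange for good
        self.withdrawals.append((user, asset, amount))

    def rollback(self):
        # Restore the snapshot, then re-apply withdrawals, which cannot be undone.
        self.balances = deepcopy(self.snapshot)
        shortfall = {"BTC": 0, "USD": 0}
        for user, asset, amount in self.withdrawals:
            covered = min(amount, self.balances[user][asset])
            self.balances[user][asset] -= covered
            shortfall[asset] += amount - covered    # paid out but never really owned
        return shortfall

    def liabilities(self, asset):
        return sum(acct[asset] for acct in self.balances.values())

def demo():
    ex = Exchange({"victim": {"BTC": 1000, "USD": 0}, "buyer": {"BTC": 0, "USD": 5000},
                   "bystander": {"BTC": 5, "USD": 10000}})  # constructed: coins / cents
    ex.take_snapshot()
    ex.trade("victim", "buyer", 1000, 1)   # hijacked account dumps at a crashed price
    ex.withdraw("buyer", "BTC", 60)        # proceeds of the bad trade leave
    ex.withdraw("bystander", "BTC", 2)     # ordinary withdrawal of pre-existing funds
    return ex, ex.rollback()
```

After `demo()`, customer BTC liabilities exceed reserves by exactly the amount withdrawn against the reversed trade, while the ordinary withdrawal is absorbed by the bystander's own restored balance.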
The e-mail from Mt.Gox. (Score:5, Informative)
I have an Mt.Gox account but have never actually used it for anything. I received the following e-mail earlier today.
Gmail also flagged suspicious failed login attempts on my e-mail account, so I had to go through a password reset process on it. Although I used a unique password at Mt.Gox, the attacker apparently is running automated login attempts using the stolen e-mail addresses and Mt.Gox passwords, so anyone using non-unique passwords is likely in trouble.
This is not really a bitcoin story (Score:5, Informative)
So much as it is a MTGox story.
About a week ago the first rumors of MtGox being compromised by a SQL injection exploit began to circulate.
Here's one of the original claims from someone calling themselves Buttsec from June 14th. Others which I'm too lazy to dig up were more specific and named MtGox explicitly:
http://pastebin.com/4NPemHfz [pastebin.com]
On that very same day, MTGox implemented a $1000 dollar withdrawal limit. Suspicious, right? For the past 3 days, there have been offers to sell MTGox's database of usernames and password hashes. Here's an example:
http://pastebin.com/ui0nusuZ [pastebin.com]
Today, there is this:
http://pastebin.com/hN7PxRhc [pastebin.com]
http://pastebin.com/w06pa2mB [pastebin.com] (there are many of these, the first link gives you the urls if you want to see them all)
This confirms MTGox was indeed hacked. One of the hackers offering to sell this database that came out today had even specifically mentioned that the hole he had used was CLOSED by MTGox a couple of days ago. Today, FINALLY, MTGox admits they were hacked and has sent out emails to all their users. Here is a copy:
http://pastebin.com/9Cx94wzs [pastebin.com]
In light of all of the evidence (more of which I'm sure you can find on your own), I find it very hard to believe that MtGox was not aware they had been hacked, and yet they've been denying it and operating normally (aside from the newly added withdrawal limit, which they even boast about in the linked press release). In fact, I found one reddit page of many where MtGox users were complaining their accounts had been compromised (There have been many over the past week) and the employee flat out denies that they have ANY reason to suspect they've been compromised:
Here's one such complaint among many: http://www.reddit.com/r/Bitcoin/comments/i17jd/i_just_got_ripped_off_on_mtgox/ [reddit.com]
And here's one with an employee denial: http://www.reddit.com/r/Bitcoin/comments/i2dkn/mt_gox_has_some_serious_issues/ [reddit.com]
Here's all that (purported) employee's posts: http://www.reddit.com/user/MtGox_Adam [reddit.com]
Long story short: For the last week (5 days at least), I've been wondering if MtGox had been truly hacked or if someone was just trying to depress the price of bitcoins by spreading rumors. Today I don't have to wonder anymore. What I do have to wonder about is why has MtGox kept silent for the past week when ALL indications were that they KNEW. They fixed the hole, added the withdrawal limit, and yet kept on denying they had an issue when dozens of users complained of account compromises. Rather than admit the issue and try to have it fixed, they apparently tried to keep it a secret. How can we trust any company that handles security issues in this manner?
Re:The e-mail from Mt.Gox. (Score:4, Informative)
Yep. Same story for me too. Glad I enabled two-factor authentication [blogspot.com] on my Google account (and SSH to my home server while I was at it).
There's no Bitcoin market right now. (Score:5, Informative)
other USD exchanges are still running fine.
From Bitcoin.org's market table [bitcoincharts.com]:
Look at those tiny volumes. Total volume for all the little guys is under 0.1% of Mt. Gox, which was trading over 200,000 bitcoins per day. With Mt. Gox and TradeHill off-line, the market is dead. None of those little guys have any significant buyers available.
Re:BitCoins are simply a hobby, not a currency (Score:2, Informative)
It wasn't until bitcoin that I understood the point of constant inflation: it makes credit feasible. You can only borrow safely if you can be almost certain money won't increase in relative value in the future, and to make a borrower feel truly safe currency value should have a near certainty of decreasing somewhat. With significant deflation a possibility you can't even take out a car loan without simultaneously risking indentured servitude; it would be insane to take home or business loans, and I don't mean figuratively insane, either.
Good points, I'd like to add that this isn't just a theoretical worry. In the 1800s, the dollar was hit with very high year to year deflation or inflation (despite basically no long term inflation). Farmers at the time would often take out loans to buy seeds and then pay them back once they sold their produce the following year. Many went bankrupt when deflation made their crops sell for 30+% less than expected but left the terms of the loan unchanged.
Say what you will about the Federal Reserve, they have kept the dollar remarkably stable in terms of inflation and deflation compared to what came before.