
Bitcoin Price Crashes

Beardydog writes "Bitcoin trading site MtGox.com has suspended operations for the rest of the day after illicit access to at least one account resulted in a steep drop in the price of Bitcoins on the site. Commenters to the support page for the event are reporting that a list of usernames and associated email addresses and password hashes has been posted online. MtGox are currently planning to roll back all of the day's trading, email notices to all affected users, and require replacement passwords for affected accounts."

  • by simoncpu was here ( 1601629 ) on Sunday June 19, 2011 @06:51PM (#36493732)
    Found this on the Internet: http://pastebin.com/hN7PxRhc [pastebin.com]
  • by Shadyman ( 939863 ) on Sunday June 19, 2011 @06:51PM (#36493738) Homepage
    These trades are done on a firm's website, with US$ and BTC balances stored on it. It's totally out of the hands of the bitcoin system except for deposits to (and withdrawals from) accounts on the site.
  • by superwiz ( 655733 ) on Sunday June 19, 2011 @06:54PM (#36493764) Journal
    The only thing I can think of is that they are rolling back transactions which haven't settled yet (settlement=delivery). Because once the bitcoins held in a MtGox account have been transferred out to your bitcoin wallet, they can't get it back. But while they are still held in MtGox account, the actual owner of the coins is MtGox (much like your brokerage is the actual owner of your money while you have money deposited with the brokerage).
  • by Animats ( 122034 ) on Sunday June 19, 2011 @07:25PM (#36493998) Homepage

    "Mt. Gox", the main Bitcoin exchange, was originally "Magic the Gathering Online Exchange". Nobody really knows who runs "Mt. Gox"; it appears to be one person in Tokyo who's only reachable via email and IRC. (He must be having a terrible night; this all happened around 3AM in Japan.) It's not like there's some real financial institution, or even a funded start-up, behind this. Most, if not all, of the Bitcoin "exchanges" and "exchangers" are somewhat flaky entities. Bitcoin's ecosystem is financially very weak.

    Understand that Mt. Gox is not just an exchange. It's a depository institution, like a bank. Customers have balances, in Bitcoins and other currencies, with Mt. Gox. But Mt. Gox is not regulated or audited as a bank or a brokerage, even though it holds other people's money. Accounts are uninsured.

    This matters when something goes wrong and somebody gets stuck with losses. Mt. Gox claims they're going to "roll back" transactions to before the theft. But some of the money is already gone, transferred out before Mt. Gox shut down. Mt. Gox is going to have to eat some of those losses if they do a rollback. Do they have the cash? Nobody knows. They're not audited by anybody.

    As for the security breach, not only is the entire file of usernames, email addresses, and encrypted passwords now widely available, so are the unencrypted passwords cracked so far. (One wonders why whoever stole the password file published it, but it may have to do with their needing help from others to crack the passwords.) As a result, TradeHill, another Bitcoin exchange based in Chile, has shut down, to avoid attacks using passwords obtained from Mt. Gox. Right now, there's no way to turn Bitcoins into dollars. (Euros, yes; right now the going rate is EUR11.51/BTC. But that market is very thin.)

    Whether or not Bitcoins are a good idea, the market ecosystem behind them is far too flaky.

  • Re:buh? (Score:4, Informative)

    by Stellian ( 673475 ) on Sunday June 19, 2011 @07:38PM (#36494078)

    Rolling the transactions back is a huger blow to that interesting experiment, and basically undermines the attempt to get bitcoins accepted as a form of currency.

    Trades on the exchange do not impact the Bitcoin blockchain (transaction history) directly, in the exact same way as money is not directly transferred to/from your bank when you trade. Any market event is buffered into the virtual accounts that traders hold with Mt.gox, while the actual bitcoins are in Mt.gox's wallet and the actual dollars are in Mt.gox's bank account. You need to specifically request a transfer to get either money or bitcoins out of the system.
    So the event is in no way relevant for Bitcoin. It's just a bad case of unsanitized inputs.

  • by Gendou ( 234091 ) on Sunday June 19, 2011 @07:57PM (#36494198) Homepage

    I have an Mt.Gox account but have never actually used it for anything. I received the following e-mail earlier today.

    Dear Mt.Gox user,

    Our database has been compromised, including your email. We are working on a
    quick resolution and to begin with, your password has been disabled as a
    security measure (and you will need to reset it to login again on Mt.Gox).

    If you were using the same password on Mt.Gox and other places (email, etc),
    you should change this password as soon as possible.

    For more details, please see this:

    https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback [mtgox.com]

    The informations there will be updated as our investigation progresses.

    Please accept our apologies for the troubles caused, and be certain we will do
    everything we can to keep the funds entrusted with us as secure as possible.

    The leaked data includes the following:

    - Account number
    - Account login
    - Email address
    - Encrypted password

    While the password is encrypted, it is possible to bruteforce most passwords
    with time, and it is likely bad people are working on this right now.

    Any unauthorized access done to any account you own (email, mtgox, etc) should
    be reported to the appropriate authorities in your country.

    Thanks,
    The Mt.Gox team

    Gmail also flagged suspicious failed login attempts on my e-mail account, so I had to go through a password reset process on it. Although I used a unique password at Mt.Gox, the attacker apparently is running automated login attempts using the stolen e-mail addresses and Mt.Gox passwords, so anyone using non-unique passwords is likely in trouble.
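
Added example, not part of the comment above or of the original page: a minimal detector for the pattern the comment describes, one source trying many different accounts with mostly failed logins. The log format, field names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format; documentation-range IPs).
SAMPLE_LOG = """\
2011-06-19T20:00:01 user=alice@example.com src=203.0.113.7 result=fail
2011-06-19T20:00:03 user=bob@example.com src=203.0.113.7 result=fail
2011-06-19T20:00:04 user=carol@example.com src=203.0.113.7 result=ok
2011-06-19T20:00:06 user=dave@example.com src=203.0.113.7 result=fail
2011-06-19T20:00:09 user=erin@example.com src=203.0.113.7 result=fail
2011-06-19T20:01:00 user=frank@example.com src=198.51.100.20 result=fail
2011-06-19T20:01:45 user=frank@example.com src=198.51.100.20 result=ok
2011-06-19T20:02:00 user=gina@example.com src=192.0.2.55 result=ok
2011-06-19T20:02:10 user=hal@example.com src=192.0.2.55 result=ok
2011-06-19T20:02:30 user=ivy@example.com src=192.0.2.55 result=ok
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Return time-sorted (timestamp, user, src, success) tuples; skip bad lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, result == "ok"))
    return sorted(events)

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=3, min_fail_ratio=0.75):
    """Map each suspicious source to the accounts it logged in to successfully."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            fails = sum(1 for e in win if not e[3])
            # Many distinct accounts AND mostly failures: one user mistyping or a shared office IP does not match.
            if len({e[1] for e in win}) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[src] = sorted({e[1] for e in evs if e[3]})  # accounts needing a forced reset
                break
    return flagged
```

Accounts listed for a flagged source are the ones where a reused password worked, so they are the first candidates for a forced reset and session revocation.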

  • by Cyberllama ( 113628 ) on Sunday June 19, 2011 @08:54PM (#36494608)

    So much as it is a MTGox story.

    About a week ago the first rumors of MtGox being compromised by a SQL injection exploit began to circulate.
    Here's one of the original claims from someone calling themselves Buttsec from June 14th. Others which I'm too lazy to dig up were more specific and named MtGox explicitly:
    http://pastebin.com/4NPemHfz [pastebin.com]

    On that very same day, MTGox implemented a $1000 dollar withdrawal limit. Suspicious, right? For the past 3 days, there have been offers to sell MTGox's database of usernames and password hashes. Here's an example:

    http://pastebin.com/ui0nusuZ [pastebin.com]

    Today, there is this:
    http://pastebin.com/hN7PxRhc [pastebin.com]
    http://pastebin.com/w06pa2mB [pastebin.com] (there are many of these, the first link gives you the urls if you want to see them all)

    This confirms MTGox was indeed hacked. One of the hackers offering to sell this database that came out today had even specifically mentioned that the hole he had used was CLOSED by MTGox a couple of days ago. Today, FINALLY, MTGox admits they were hacked and has sent out emails to all their users. Here is a copy:
    http://pastebin.com/9Cx94wzs [pastebin.com]

    In light of all of the evidence (more of which I'm sure you can find on your own), I find it very hard to believe that MtGox was not aware they had been hacked, and yet they've been denying it and operating normally (aside from the newly added withdrawal limit, which they even boast about in the linked press release). In fact, I found one reddit page of many where MtGox users were complaining their accounts had been compromised (There have been many over the past week) and the employee flat out denies that they have ANY reason to suspect they've been compromised:

    Here's one such complaint among many: http://www.reddit.com/r/Bitcoin/comments/i17jd/i_just_got_ripped_off_on_mtgox/ [reddit.com]
    And here's one with an employee denial: http://www.reddit.com/r/Bitcoin/comments/i2dkn/mt_gox_has_some_serious_issues/ [reddit.com]
    Here's all that (purported) employee's posts: http://www.reddit.com/user/MtGox_Adam [reddit.com]

    Long story short: For the last week (5 days at least), I've been wondering if MtGox had been truly hacked or if someone was just trying to depress the price of bitcoins by spreading rumors. Today I don't have to wonder anymore. What I do have to wonder about is why has MtGox kept silent for the past week when ALL indications were that they KNEW. They fixed the hole, added the withdrawal limit, and yet kept on denying they had an issue when dozens of users complained of account compromises. Rather than admit the issue and try to have it fixed, they apparently tried to keep it a secret. How can we trust any company that handles security issues in this manner?

  • by Dr. Sp0ng ( 24354 ) <mspongNO@SPAMgmail.com> on Sunday June 19, 2011 @08:57PM (#36494638) Homepage

    Gmail also flagged suspicious failed login attempts on my e-mail account, so I had to go through a password reset process on it. Although I used a unique password at Mt.Gox, the attacker apparently is running automated login attempts using the stolen e-mail addresses and Mt.Gox passwords, so anyone using non-unique passwords is likely in trouble.

    Yep. Same story for me too. Glad I enabled two-factor authentication [blogspot.com] on my Google account (and SSH to my home server while I was at it).

  • by Animats ( 122034 ) on Sunday June 19, 2011 @09:12PM (#36494738) Homepage

    other USD exchanges are still running fine.

    From Bitcoin.org's market table [bitcoincharts.com]:

    • Bitcoin Market (also called MoneyBookers) [bitcoinmarket.com] Price 14.1, today's volume 49.9 bitcoins.
    • Bitmarket.eu [bitmarket.eu] - despite the entry on bitcoin.org's chart, does not deal in USD.
    • Btcex [btcex.com] - site not responding, DNS server not responding.
    • Bitcoin 7 [bitcoin7.com] - Price $15, today's volume 0.988027 bitcoin. (yes, < 1 bitcoin)
    • Bitcoin Central [bitcoin-central.net] - Price $16.9, today's volume 43.17 bitcoins.
    • Bitcoin2Cash [bitcoin2cash.com] - Price $17.50, today's volume 82.75 bitcoins.
    • Exchange Bitcoins [exchangebitcoins.com] - Price $14.85, today's volume 41.6 bitcoins.

    Look at those tiny volumes. Total volume for all the little guys is under 0.1% of Mt. Gox, which was trading over 200,000 bitcoins per day. With Mt. Gox and TradeHill off-line, the market is dead. None of those little guys have any significant buyers available.

  • by Anonymous Coward on Sunday June 19, 2011 @10:21PM (#36495232)

    It wasn't until bitcoin that I understood the point of constant inflation: it makes credit feasible. You can only borrow safely if you can be almost certain money won't increase in relative value in the future, and to make a borrower feel truly safe currency value should have a near certainty of decreasing somewhat. With significant deflation a possibility you can't even take out a car loan without simultaneously risking indentured servitude; it would be insane to take home or business loans, and I don't mean figuratively insane, either.

    Good points, I'd like to add that this isn't just a theoretical worry. In the 1800s, the dollar was hit with very high year to year deflation or inflation (despite basically no long term inflation). Farmers at the time would often take out loans to buy seeds and then pay them back once they sold their produce the following year. Many went bankrupt when deflation made their crops sell for 30+% less than expected but left the terms of the loan unchanged.

    Say what you will about the Federal Reserve, they have kept the dollar remarkably stable in terms of inflation and deflation compared to what came before.
