Bitcoin Flashcrash on Mt.Gox
June 19th, 2011
Update: Mt.Gox User Database Stolen, Service Down
There’s ugly, there’s fugly and then there’s…
Via: Mt.Gox:
[Update – 2:06 GMT] What we know and what is being done.
It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
Two months ago we migrated from MD5 hashing to FreeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven’t been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
Mt.Gox will continue to be offline as we continue our investigation; at this time we are pushing it to 8:00am GMT.
When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.
Once Mt.Gox is back online, trades 218869~222470 will be reverted.
—End Update—
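The hash migration described in the update above (records upgraded only when an account is accessed, so idle accounts stay on unsalted MD5) can be sketched as follows. This is an added example, not Mt.Gox's code or part of the original post: PBKDF2-HMAC-SHA512 stands in for the "SHA-512 multi-iteration salted hashing" the statement mentions, and the record format, iteration count, function names and sample users are assumptions.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 200_000  # assumed work factor, not a value from the statement

def classify(stored):
    """Name the scheme of a stored password hash from its format."""
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5-unsalted"
    if stored.startswith("$1$"):
        return "md5crypt"  # FreeBSD salted MD5
    if stored.startswith("$pbkdf2-sha512$"):
        return "pbkdf2-sha512"  # hypothetical record format for this example
    return "unknown"

def hash_new(password, salt=None, iterations=ITERATIONS):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"$pbkdf2-sha512${iterations}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    scheme = classify(stored)
    if scheme == "md5-unsalted":
        candidate = hashlib.md5(password.encode()).hexdigest()
    elif scheme == "pbkdf2-sha512":
        _, _, iters, salt_hex, _ = stored.split("$")
        candidate = hash_new(password, bytes.fromhex(salt_hex), int(iters))
    else:
        return False  # md5crypt needs a crypt(3) implementation; not verified here
    return hmac.compare_digest(candidate, stored)

def login(users, name, password):
    """Verify, then upgrade a legacy record while the plaintext is available."""
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if classify(stored) != "pbkdf2-sha512":
        users[name] = hash_new(password)
    return True

def idle_legacy_accounts(users):
    """Accounts that login-time upgrades never reached."""
    return sorted(n for n, h in users.items() if classify(h) != "pbkdf2-sha512")

# Constructed sample records: both start on unsalted MD5.
USERS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),
}
```

Only accounts that log in get re-hashed, so anything `idle_legacy_accounts` still returns has to be handled by a forced reset rather than waiting for the next login.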
Update: Compromised Account – Rollback Underway
Via: Mt.Gox:
Huge Bitcoin sell off due to a compromised account – rollback
Mark Karpeles posted this on Jun-20 04:07
The bitcoin will be back to around 17.5$/BTC after we rollback all trades that have happened after the huge Bitcoin sale that happened on June 20th near 3:00am (JST).
Service should be back by June 20th 10:00am (JST, 01:00am GMT) with all the trades reversed and accounts available.
One account with a lot of coins was compromised and whoever stole it (using a HK-based IP to log in) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.
Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.
—End Update—
Bids were wiped out down to 0.01 on Mt.Gox just now.
Here’s a screen capture from BitcoinCharts. Look at the green arrow:
I was trying to enter buy orders under 1 but I couldn’t get filled. Volume was definitely going off down there. It wasn’t bad prints. Traders with orders on the book far below the market definitely got filled low. People on the bitcoin subreddit are claiming to have been filled at various levels between 6 and 1.
The main reason I’m posting this is to let you know that, when the media write stories about this days from now, you don’t need to bother submitting them. Thanks! Been there, done that, didn’t get the T-shirt, or my buy orders filled.

