Monday, June 20, 2011

The Bitcoin Nightmare

Here's a replay (via Bob Murphy) of the bitcoin flash-crash recorded in real time. Bitcoins went from $17.00 to 1 cent:

The crash occurred because of a hack of one of the bitcoin dealers, Mt Gox.

Below is a part of the post-hack reports that Mt. Gox has put out:
Huge Bitcoin sell off due to a compromised account
One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins...

Service will not be back before June 20th 11:00am (JST, 02:00am GMT). This may be delayed depending on what is found during the investigation...

[Update - 2:06 GMT] What we know and what is being done.
•It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
•Two months ago we migrated from MD5 hashing to freeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
•We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
•Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
•When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.
•Once Mt.Gox is back online, trades 218869~222470 will be reverted.

If you receive ANY email which seems coming from Mt.Gox asking you to download something (certificate, generating program, etc), DO NOT DOWNLOAD. Do not either input your password on any site which is not MTGOX.COM.

[Update - 6:30 GMT] Still here. Still working hard to get things online.
•SHA-512 multi-iteration salted hashing is in enabled and ready for when we get users reactivating their accounts
•We are going to push our relaunch time to 2:00am GMT tomorrow so we have time to launch a our new backend and withdraw passwords.
Thanks to everyone sending the supportive emails and our extremely patient users
[Update - 12:52 GMT] Account recovery page will be up tomorrow morning (Japan time)
We have almost completed the account recovery page and are waiting for result to unit tests and intrusion tests (and more than anything, don't want to put something online and go to sleep just after, best way to get screwed), so the page will be put online tomorrow morning.

It will allow every user to claim ownership of their account based on proof such as deposits, withdraws, password (if complex enough), email or notarized documentation.

Once it is deemed enough users had the chance to get their account back, the exchange will be open again (opening time will be announced at least 24 hours in advance). It will still be possible to file claims for user accounts after this.


  1. looks like the US economy

  2. If it can be hacked, it will be hacked. If it looks like a hack, sounds like a hack, and walks like a hack, it's a hack.

    They were hacked.

  3. hahahahaha

    that was ssooooo predicatable. THERE IS NO SAFETY ON THE INTERNET. LOok out for your stuff dont think the government will fix anything with more power. THE INTERNET CANNOT BE MONETIZED TRADITIONALLY.

  4. They started this with an unsalted MD5 hashing function for their passwords -- that's pretty amateur. That means that if I had '123456' as my password, if created an MD5 hash and had access to the hashed passwords, I could search for other hashes matching my password just by searching for the hash. The more hacker-oriented implication is that a dictionary attack is very simple and effective. If I hash all the words in a dictionary (and for the "geniuses" out there that think substituting '0' (zero) for 'o' makes their passwords good, all the leet alternatives are hashed as well), it's a very simple search to reverse the passwords -- very low cost.

    That's security 101 level stuff for a programmer. That shouldn't have required a security retrofit for cash accounts! That would make me want to really analyze bitcoin very carefully before using it.

  5. Bitcoin did not crashed. A hacker took control of the webpage MtGox, nobody could access the page to place new orders or anything else, and then the hacker started playing around and moving the MtGox market up and down. During that same time, the price of bitcoins in the rest of the exchanges was more volatile due to the confusion but it never crashed. I believe that it never went under $10 in any important exchange. So please, lets keep the reporting real: Bitcoin did not crash. A hacker took control of MtGox and played around with the price while everybody else was blocked.

    Btw, trading at TradeHill was restarted soem hours ago and it touched a low of $6 and is now sitting more or less stable around $15. So basically, the hacking of that webpage has not affected Bitcoin credibility.

    I want to point out also that, contrary to some informations out there, the Bitcon protocol was not compromised or hacked in any way. What happened is that a webpage that uses bitcoins and dollars, MtGox, was hacked.

  6. The crash only effected Mt. Gox. Even though the price dropped, I think it was still in the double-digits at

  7. Donald Norman from Bitcoin was on the Peter Schiff radio show yesterday. Schiff was sceptical... :)

  8. 'A hacker took control of MtGox and played around with the price while everybody else was blocked.'

    If it walks like a duck and sounds like a duck . . .

    Who in their right mind would put real money into this? Seriously. You might as well be juggling Molotov cocktails lit by FRN's. It might be fun to try out with some throw away money as an experiment, but geez. No way would I give serious cash savings into this project.

    It's software. Despite the well-intentioned attempt to create a digital, unmanipulated currency, it CAN be hacked/manipulated with enough time and effort. This is software. It will eventually happen WITH CERTAINTY.

    Talk about doubling down on fiat stupidity.

  9. Actually, despite all of the erroneous, and misinformed statements made by everybody on this comment thread....

    The code is secure, and it was the WEBSITE that was hacked. They are entirely different scenarios.

    And there ARE actual benefits to using BitCoin for working around excessive exchange rate premiums, etc.

    It IS feasible, but at the moment I wouldn't put any of my money into it.