June 20th, 2011, 07:37 GMT · By

Largest Bitcoin Exchange Offline due to Security Problems

(Image caption: Mt.Gox dealing with security crisis)
Trading on Mt.Gox, the largest Bitcoin exchange, was suspended earlier today so that the operators could deal with two security incidents, a compromised account used to crash the market and a leaked user database, which together have led users to doubt the administrators' ability to run a secure service.

Mt.Gox admins took the website offline after a series of large sell orders placed from a compromised account caused the Bitcoin price to plummet.

"One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. [...]

"Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again," Mt.Gox's Mark Karpeles announced.

Fortunately, the compromised account was subject to a $1,000/day withdrawal limit, so the attacker was unable to move a large amount out of the exchange. The limit capped the direct theft but not the damage to the market, which is why the trades since the sale are being rolled back.

Soon after the incident, a likely source of the compromise surfaced: Mt.Gox's entire user database had been leaked online. It contains account names, e-mail addresses and hashed passwords.

The exchange has been using FreeBSD-style salted MD5 hashing (md5crypt) for the past couple of months, but accounts that haven't been used since the method was introduced still have their passwords stored as plain, unsalted MD5. Unsalted MD5 is cheap to attack: a single table of hashed candidate passwords can be matched against every account in the dump at once, and identical passwords produce identical hashes, so the weakest credentials fall quickly.

The leak was rumored to be the result of an SQL injection vulnerability, but Mt.Gox rejected that claim and said it had traced the source to an auditor whose computer had been compromised.

The admins extended the downtime in order to roll out a stronger hashing scheme based on SHA-512 with a per-user salt and multiple iterations. All users will be required to set a new password once service is restored, since the leaked hashes have to be treated as compromised.
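The following is an added example, not Mt.Gox's code, illustrating the two points above: why the unsalted MD5 hashes in the leaked database were the weak spot, and what a salted, iterated SHA-512 scheme changes for an attacker holding the dump. The stronger scheme is PBKDF2-HMAC-SHA512 from Python's hashlib, used here as a stand-in for "SHA-512 with multiple iterations and salting"; the exact construction Mt.Gox deployed is not given in the article. The stored-hash format, the iteration count, the wordlist and the account list are all this example's own constructions.

```python
# Added example (not Mt.Gox's code): unsalted MD5 versus salted, iterated
# SHA-512 from the point of view of someone holding a leaked password database.
# PBKDF2-HMAC-SHA512 is used as a stand-in for the scheme the article describes.
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 100_000  # assumed work factor; tune to the hardware in real use


def plain_md5(password: str) -> str:
    """Legacy scheme: unsalted MD5, as used by the dormant accounts."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha512(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus iterated SHA-512 (PBKDF2-HMAC-SHA512).

    Salt and iteration count are stored with the hash so the verifier can
    recover them; the "$pbkdf2-sha512$..." format is this example's own.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"$pbkdf2-sha512${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _, scheme, iters, salt_hex, hash_hex = stored.split("$")
    if scheme != "pbkdf2-sha512":
        raise ValueError("unknown hash scheme")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def crack_plain_md5(leaked: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Attack on the unsalted dump: hash each candidate ONCE, then match the
    table against every account. Identical passwords share a digest, so one
    lookup cracks every user who chose the same weak password."""
    table = {plain_md5(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def crack_salted(leaked: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Same wordlist against the salted dump: no shared table is possible,
    and every (user, candidate) pair costs a full PBKDF2 run."""
    words = list(wordlist)
    return {user: w for user, stored in leaked.items()
            for w in words if verify_salted(w, stored)}


def attack_cost(num_users: int, wordlist_len: int, iterations: int) -> Dict[str, int]:
    """Hash invocations needed to run the wordlist over the whole dump."""
    return {
        "plain_md5": wordlist_len,  # table is built once, reused for all users
        "salted_sha512": num_users * wordlist_len * iterations,
    }


# Constructed sample data, not the real leak.
WORDLIST = ["password", "123456", "bitcoin", "letmein", "qwerty"]
ACCOUNTS = [("alice", "bitcoin"), ("bob", "bitcoin"), ("carol", "Tr0ub4dor&3")]


def demo(iterations: int = ITERATIONS) -> Dict[str, object]:
    """Build both dumps from the same accounts and run the same wordlist on each."""
    plain_db = {u: plain_md5(p) for u, p in ACCOUNTS}
    salted_db = {u: salted_sha512(p, iterations=iterations) for u, p in ACCOUNTS}
    return {
        "plain_shared_digest": plain_db["alice"] == plain_db["bob"],
        "salted_shared_digest": salted_db["alice"] == salted_db["bob"],
        "cracked_plain": crack_plain_md5(plain_db, WORDLIST),
        "cracked_salted": crack_salted(salted_db, WORDLIST),
        "cost": attack_cost(len(ACCOUNTS), len(WORDLIST), iterations),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The demo makes the practitioner's point rather than the marketing one: salting does not rescue a weak password from a targeted dictionary attack (alice and bob are cracked under both schemes), but it removes the shared-table shortcut that lets one MD5 computation test every account, and the iteration count multiplies the per-account cost, which is what makes a dump of the whole database survivable for users who chose reasonable passwords.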

To do so, they will have to pass a verification procedure that checks the last IP address on record, confirms their e-mail address and requires their old account name and password.

Mt.Gox also notified Google so that every Gmail account listed in the leaked database can be locked down before it is abused. Anyone with a Mt.Gox account should also change their password on any other website where they reused it.
