Jun 20, 2011 07:37 GMT  ·  By

Activity on Mt.Gox, the largest Bitcoin exchange, was suspended earlier today in order to deal with two security incidents that led people to doubt the administrators' ability to provide a secure service.

Mt.Gox admins took the website offline after a series of large trades placed from a compromised account caused Bitcoin prices to plummet.

"One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. [...]

"Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again," Mt.Gox's Mark Karpeles announced.

Fortunately, because the compromised account was subject to a $1,000/day withdrawal limit, the attacker was not able to steal a large amount.

Soon after the incident, a possible source of the compromise surfaced. Apparently, Mt.Gox's entire user database was leaked online. It contains account names and hashed passwords.

For the past couple of months the exchange has been storing passwords with FreeBSD-style salted MD5 hashing (md5crypt), but accounts that have not logged in since that method was introduced still have their passwords stored as plain, unsalted MD5, which is fast to crack by dictionary or brute-force attack and lets one cracked hash expose every account that used the same password.

The leak was rumored to be the result of an SQL injection vulnerability; Mt.Gox rejected this claim, however, saying it had tracked the source down to an auditor whose computer had been compromised.

The admins extended the downtime in order to implement a stronger hashing scheme based on SHA-512 with salting and multiple iterations. All users will be forced to change their passwords once service is restored.
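As an added illustration, not code from the article or from Mt.Gox, of why the legacy plain-MD5 records described above are dangerous and what the announced salted, iterated SHA-512 scheme buys: the script below runs a dictionary attack against a constructed two-user leak stored as unsalted MD5, then stores the same kind of passwords with PBKDF2-HMAC-SHA512 (an assumed construction; the article only says SHA-512 with salt and multiple iterations, and the 100,000 iteration count is likewise assumed) and shows that an attacker can no longer reuse one hash computation across users and must pay the full iteration cost for every guess.

```python
import hashlib
import hmac
import os

# Constructed sample "leak": two users who chose the same password, stored
# as plain unsalted MD5, the legacy format the article describes.
LEGACY_LEAK = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob":   "5f4dcc3b5aa765d61d8327deb882cf99",  # identical hash => identical password
}

# A tiny constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "letmein", "password", "bitcoin"]

# Assumed iteration count; the article gives no number.
ITERATIONS = 100_000


def crack_plain_md5(leak, wordlist):
    """Dictionary attack on unsalted MD5.

    One MD5 per candidate word is enough to test that word against *every*
    leaked account at once, because equal passwords give equal hashes.
    Returns {user: recovered_password} and costs len(wordlist) hashes total.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leak.items() if h in lookup}


def hash_password(password, salt=None):
    """Salted, iterated SHA-512 via PBKDF2-HMAC-SHA512 (assumed scheme).

    A fresh 16-byte random salt per user means two users with the same
    password get different stored values, so precomputed tables and
    cross-user hash reuse no longer work.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha512${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the derived key from the stored salt/iterations and compare
    in constant time so the comparison itself leaks no timing information."""
    _, _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records, wordlist):
    """Dictionary attack against the salted, iterated records.

    Each user's salt is different, so every (user, word) pair costs a full
    PBKDF2 run; the attacker's work is per-user, not per-wordlist.
    Returns ({user: recovered_password}, number_of_pbkdf2_runs).
    """
    cracked, work = {}, 0
    for user, stored in records.items():
        for word in wordlist:
            work += 1
            if verify_password(word, stored):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    print("legacy MD5 cracked:", crack_plain_md5(LEGACY_LEAK, WORDLIST),
          "with", len(WORDLIST), "hash computations")
    upgraded = {"alice": hash_password("password"), "bob": hash_password("bitcoin")}
    found, runs = crack_salted(upgraded, WORDLIST)
    print("salted records cracked:", found, "with", runs,
          "PBKDF2 runs of", ITERATIONS, "iterations each")
```

Note that salting and iteration do not rescue a weak password (the constructed wordlist still finds "password" and "bitcoin"); they only make each guess expensive and stop one computation from covering many accounts, which is why the forced password reset on top of the new hashing is the right call.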

To do so, they will have to pass a strict verification procedure: logging in from the last IP address on record, confirming their email address, and providing their old account name and password.

Mt.Gox also notified Google so that every Gmail account listed in the leaked database can be locked down and not abused. Users who have a Mt.Gox account are also advised to change their password on any other site where they reused it, since passwords cracked from the leaked hashes can be replayed against those sites.