
Huge Bitcoin sell off due to a compromised account - rollback

Mark Karpeles
posted this on Jun-20 04:07

[Update - 03:36 GMT] Update on claimed accounts

We're happy to report that over 10% of our user base has already reclaimed their accounts. Newly reclaimed accounts require strong passwords, which are secured with SHA-512 multi-iteration triple salted hashing.

For the time being, deposits that were sent to Mt.Gox accounts but were not yet in those accounts before we took things offline will be in a "pending" status. Once we have the new backend in place, we will start processing these pending deposits and withdrawals. Also, shortly after the backend is up and running we will allow customers with newly reclaimed accounts to log in to Mt.Gox and use the site as usual, with the exception that active trading will be disabled. Users may place orders to buy or sell, but they will be queued until we enable trading, which will most likely be a couple of hours after users are able to log in to Mt.Gox.

 

Thanks again for your continued patience and understanding while we work to get Mt.Gox back online.

 

[Update - 15:55 GMT] claim.mtgox.com

You can now file requests to recover your Mt.Gox account. Each request will be verified and accounts which are confirmed secure will be recovered with the provided email and password.

 

[Update - 5:00am GMT]  

We are still working to get the claim site up. People are probably getting tired of us pushing the time so we're just going to say it should be very soon. We'll update as soon as it's up. 

Thank you for your continued patience.

 

[Update - 12:52 GMT] Account recovery page will be up tomorrow morning (Japan time)

We have almost completed the account recovery page and are waiting for the results of unit tests and intrusion tests (and, more than anything, we don't want to put something online and go to sleep right after; that is the best way to get compromised), so the page will be put online tomorrow morning.

It will allow every user to claim ownership of their account based on proof such as deposits, withdrawals, password (if complex enough), email or notarized documentation.

Once we deem that enough users have had the chance to get their account back, the exchange will be opened again (the opening time will be announced at least 24 hours in advance). It will still be possible to file claims for user accounts after this.

 

[Update - 6:30 GMT] Still here. Still working hard to get things online

  • SHA-512 multi-iteration salted hashing is enabled and ready for when we get users reactivating their accounts

  • We are going to push our relaunch time to 2:00am GMT tomorrow so we have time to launch our new backend and withdrawal passwords.

Thanks to everyone sending the supportive emails and our extremely patient users.

 

[Update - 3:45 GMT] DO NOT DOWNLOAD ANYTHING

If you receive ANY email which seems to come from Mt.Gox asking you to download something (certificate, generating program, etc), DO NOT DOWNLOAD. Also, do not enter your password on any site which is not MTGOX.COM.

[Update - 2:06 GMT] What we know and what is being done.

  • It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
  • Two months ago we migrated from MD5 hashing to FreeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
  • We have been working with Google to ensure any Gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
  • Mt.Gox will continue to be offline as we continue our investigation; at this time we are pushing it to 8:00am GMT.
  • When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter a new strong password.
  • Once Mt.Gox is back online, trades 218869~222470 will be reverted.

 

We will continue to update as we find new information.

 

Huge Bitcoin sell off due to a compromised account - rollback

 

Bitcoin will be back to around $17.5/BTC after we roll back all trades that happened after the huge Bitcoin sale that took place on June 20th near 3:00am (JST).

One account with a lot of coins was compromised, and whoever stole it (using a HK based IP to log in) first sold all the coins in there, bought them again just after, and then tried to withdraw the coins. The $1000/day withdrawal limit was active for this account and the hacker could only get out with $1000 worth of coins.

Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will roll back every trade which happened since the big sale, and ensure this account is secure before opening access again.

UPDATE REGARDING LEAKED ACCOUNT INFORMATION

We will address this issue too and prevent logins for every user. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to log in on Mt.Gox until you change your password to something more secure. If you used the same password in different places, it is recommended to change it as soon as possible.

SERVICE RETURN

Service will not be back before June 20th 11:00am (JST, 02:00am GMT). This may be delayed depending on what is found during the investigation.
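As an added illustration of the hashing change described in the updates above (unsalted MD5 for idle accounts, FreeBSD MD5 salted hashing, then SHA-512 multi-iteration salted hashing with a forced password reset), the example below is not Mt.Gox code; the PBKDF2 parameters, the record format and the sample passwords are assumptions. It stores per-user salted, iterated SHA-512 records, recognises the legacy record types, and refuses to accept them so that those users must set a new password:

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed policy values for this example; Mt.Gox's real parameters are not on the page.
ITERATIONS = 100_000   # "multi-iteration": every brute-force guess costs this many HMAC rounds
SALT_BYTES = 16        # per-user random salt, stored beside the digest


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: sha512$<iterations>$<salt hex>$<digest hex>.

    The salt is stored in the record on purpose: it is not a secret, it only
    ensures that identical passwords hash differently for different users, so a
    precomputed table cannot be reused across a whole leaked database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"sha512${iterations}${salt.hex()}${digest.hex()}"


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the scheme the post says idle accounts were still on."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def classify_record(record: str) -> str:
    """Identify the scheme of a stored record so the login path can force an upgrade."""
    if record.startswith("sha512$"):
        return "sha512-iterated-salted"
    if record.startswith("$1$"):
        return "md5crypt-salted"   # FreeBSD md5crypt: salt embedded between the '$' separators
    if len(record) == 32 and all(c in "0123456789abcdef" for c in record):
        return "md5-unsalted"      # bare hex digest, the idle-account case
    return "unknown"


def verify(password: str, record: str) -> Tuple[bool, bool]:
    """Return (matches, needs_upgrade).

    Only iterated SHA-512 records are checked. Legacy records are never
    accepted: those users must set a new password, matching the post's policy.
    A valid record hashed with fewer iterations than current policy is flagged
    so it can be re-hashed at login.
    """
    if classify_record(record) != "sha512-iterated-salted":
        return (False, True)
    _, iters, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    ok = hmac.compare_digest(candidate.hex(), digest_hex)   # constant-time comparison
    return (ok, ok and int(iters) < ITERATIONS)


def same_password_collides(password: str) -> Tuple[bool, bool]:
    """For two constructed users sharing one password: (unsalted records equal, salted records equal).

    Equal unsalted records mean cracking one hash reveals every account that
    reused that password; per-user salts make each record unique.
    """
    unsalted_equal = legacy_md5(password) == legacy_md5(password)
    salted_equal = hash_password(password) == hash_password(password)
    return (unsalted_equal, salted_equal)


if __name__ == "__main__":
    record = hash_password("constructed-example-password")
    print(record)
    print(verify("constructed-example-password", record))          # (True, False)
    print(verify("constructed-example-password", legacy_md5("x")))  # (False, True)
    print(same_password_collides("correct horse"))                  # (True, False)
```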

 

Comments

Matt Drollette

I think it would be a good idea to at least enforce a password change for all accounts when the site comes back up. Just to be safe.

Jun-20 2011 04:11.
Ramboke

I agree on that!

Jun-20 2011 04:12.
MaddMike

This was handled/ is being handled well by everyone at mtgox and i appreciate it!

Jun-20 2011 04:13.
Wyatt

Can't be good for anyone who panic traded on other exchanges..

Jun-20 2011 04:14.
Fred

What is your response to the claims that all user account info was hacked via SQL injection? Have you fixed the issue, or what's to stop it being exploited again?

Jun-20 2011 04:14.
derp

How about an e-mail confirmation also for withdrawals over a certain amount?

Jun-20 2011 04:14.
Dieter Grosz

yes, at least one should be forced to have a fairly safe PW, I mean like 12+ chars

Very good you are rolling back everything. Otherwise I'd have killed myself for missing the chance to become a millionaire :D

Jun-20 2011 04:15.
fbaligant

Two factor authentication (SecurID, OTP, whatever), just like any bank does these days.

Jun-20 2011 04:15.
Dustin Dettmer
Glad to see only 1k stolen! Will mtgox be reimbursing the stolen coins?
Jun-20 2011 04:16.
DarkriftX

While you are fixing security issues, is there a way to allow login without the user/pass being sent via a GET?

Jun-20 2011 04:16.
Ross

Are you certain that an account was compromised or that the account itself was a collection of compromised BTC? Some time should be spent thinking about the result of when/how you determine intervention should be applied to the market.

See: http://blockexplorer.com/address/1KLahQtqDNAXvrjNyfvgSBtAhwco5ZxLp4 for what I'm talking about. This address received large sums of BTC from many different addresses all at one time a week ago. That BTC was then transferred to MtGox and dumped on the market at once.

Jun-20 2011 04:17.
Jean Pierre Rupp

All web browsers have public key cryptography capabilities. Have the computer generate a public key pair during setup of the account and force the user to authenticate with that private key as well as her password. That will add some security to all. There's also Liberty-Reserve-like OTP, or even a hardware device would do for some clients with lots of bitcoins.

Bitcoin is not the small newborn baby it used to be last year, and Mt. Gox needs to grow up as well.

Jun-20 2011 04:22.
mogadanez

Maybe it is reasonable to close all trading when the rate changes more than 50% in an hour

percent and time is variable

Jun-20 2011 04:23.
Mithun Varghese

All the best Mark...With you on this.....get it back up with double force.....

Jun-20 2011 04:23.
Ross

I also don't see how you can roll back transactions without losses. I had a trade that executed as the market dropped; shortly after I got spooked and withdrew my BTC (less than 100, more than 10) to my wallet. That BTC is now in my wallet, confirmed. How can you possibly roll that back?

Jun-20 2011 04:27.
Duy Pham Hoang

I hope you will help me:

My account is duy1124

Please reset its password back to 3 days ago. It was hacked and changed yesterday. (6:00 AM 19-06-2011)

Thank you a lot...

Jun-20 2011 04:28.
Seth

It would be nice if you could explain this --> http://forum.bitcoin.org/index.php?topic=19543.0

Jun-20 2011 04:29.
MaddMike

Also to confirm: someone posted this. Mark, please view this link to confirm or deny it. :(

http://forum.bitcoin.org/index.php?topic=19543.0

Jun-20 2011 04:30.
alalalalum

@fbaligant OTPs? Heard about RSA being hacked? LOL

SecurID is not secure anymore. With the private keys stolen from RSA, they have the master keys of all SecurID tokens.

In fact, Lockheed Martin has been hacked through the hack from RSA, don't believe me?

http://www.dailytech.com/Reports+Hackers+Use+Stolen+RSA+Information+to+Hack+Lockheed+Martin/article21757.htm

Jun-20 2011 04:33.
Duy Pham Hoang

I think if MTGox reset accounts' passwords to 12:00 AM 18-06, it will be very appreciated.

Maybe the true owners can change pass before hacker can do something.

Jun-20 2011 04:36.
Danny Storvick

You should add a captchaattempts. This would 

Jun-20 2011 04:37.
Danny Storvick

Sorry, it cut off my thing. Add a captcha and only allow so many incorrect password attempts.

Jun-20 2011 04:38.
BitStarter
Jun-20 2011 04:41.
elments

Why should everyone who profited from the crash suffer your inability to secure the site?

Anyone who owns shouldn't have 500K in his Mt Gox account anyway (and make sure no one gets his/her password).

So, everyone who got cheap bitcoins today will have them reversed??? THAT is stealing!

Please give a statement to that!!!

Jun-20 2011 04:42.
Jamie Bronton
I don't think you're realizing what a disaster this is. You won't be able to roll back all the transactions because substantial amounts of Bitcoins have been withdrawn, and you can't just declare a price of $17.5 or reinstate people's orders to achieve that price because circumstances have changed. I would object strongly if my prior order is reinstated without giving me a chance to review the current, rather than past, conditions. What of people who both bought and sold after the hack?
Jun-20 2011 04:43.
Bill

This is BS. The people that made money by buying low and then withdrew their bitcoins immediately after the crash in the panic will keep their earnings. Along with many suffering losses off this exchange. None of these you can erase or take back. Meanwhile, it is the rest of us that get screwed. I want access to my account and my Bitcoins now!!!! I've lost faith in your site and want to access my account. ASAP.

Jun-20 2011 04:43.
Fred

You sir, are fucked. Don't drop the soap in prison.

Jun-20 2011 04:45.
Jamie Bronton

Yes, I will personally consider financing a class-action lawsuit if any trades are reversed.

Jun-20 2011 04:48.
Danny Storvick

You have a CSRF vulnerability in your website. Strong passwords and antivirus software won't help us. The users aren't getting hacked, it's your site getting hacked. It's not safe to keep any bitcoins in a mtgox account. It's safer to withdraw them.

Jun-20 2011 04:48.
elments

I AM AGAINST ROLLBACK!!!  (I don't even see how that would work anyway - for the above stated reasons).

Looking for supporters ! (I am sorry for the guy who lost 500K BTC - but, honestly who owns 8.750.000 USD in Bitcoins and cannot secure his/her password doesn't deserve any better!!!)

Jun-20 2011 04:48.
Bill

I'm in with you Jamie.  I will sue these fuckers into the ground.  It's not our fault you lost control of your own fucking site.  Open it NOW.

Jun-20 2011 04:49.
elments

I am in the class action. How can you be reached?

Jun-20 2011 04:49.
k_v_bitcoins

The leaked account info is legit.

Just downloaded, it contains:

|    account no.    |      username      |     email address     |      $1$hashed password      |

 

Everybody that chose a sufficiently complex password should not worry too much i guess.

Jun-20 2011 04:49.
merchant

NO ROLL BACK


Jun-20 2011 04:52.
Massimiliano Alberti

Yeah, I'd like to know exactly how you are going to roll back moved-out money. Then there is the problem of the possible crash of the market 5 minutes after you reopen it. And considering your site is quite s***** when there are more than a few persons trying to operate on it, it will be fun! And it isn't clear how much money you truly have and how much you exposed yourself and if you are truly solvent for all the money/btc persons deposited in your site.

Jun-20 2011 04:52.
alalalalum

I really hope that the passwords are salted.

It would be terribly stupid and incompetent of the administrators if they weren't.

By the way, the roll back is a stupid policy. What are we playing?

There is no CTRL+Z in real life.

Jun-20 2011 04:54.
elments

Tibanne Co. Ltd. Headquarters

K.K. Tibanne
24-30, Kugayama 5-Chome
Suginami-ku, Tokyo 168-0082
株式会社TIBANNE
〒168-0082 東京都杉並区久我山5-24-30

Tel: +81 (0)3 4550 1529
Fax: +81 (0)3 4588 3915

 

Here is the info for anyone who wants to know where Mt Gox is:

http://legal.tibanne.com/

Jun-20 2011 04:55.
Zbigniew Lukasiak

How about a chance to remove standing orders?

Jun-20 2011 04:55.
alalalalum

btw, good luck to whoever tries to crack my password.

Even in a cluster of supercomputers in a Class F (1,000,000,000 passwords per second) attack, it would take a millennium to crack it.

Jun-20 2011 05:01.
Brian Raymond

So everyone is somewhat alright with the fact that someone managed to get a recent dump of the Mt. Gox DB. If that happened (short of massive incompetence) the system has been compromised and an unauthorized user has at least partial access to the Mt. Gox backend.

Jun-20 2011 05:03.
eipku

Damn, write in Russian, you bastards :D

Jun-20 2011 05:04.
CG

How do we know you still have the funds and bitcoins users of the site are trading? Any statement on that?

Jun-20 2011 05:05.
brendon lind

Just LOL

Jun-20 2011 05:12.
alalalalum

This is a very big lesson to everyone here TO REMIND US:

1) Use a damn strong password, you dimwit. Alphanumeric passwords longer than 13 characters are almost unbreakable in our lifespan (and if you add just only ONE symbol it becomes practically uncrackable for two lifespans)

2) Don't fucking use the same passwords on different sites. Reusing passwords is the dumbest thing you can do.

3) Don't put all your eggs in one nest.

 

BTW, MtGox: this is not a game. There is no "roll back" in life. 

The hacked account got hacked by a sum and coincidence of negligences, both YOURS (lame security) and the USER's (lame policies).

If you want to compensate the poor fool, it is up to you.

But reverting the whole market (that is all of us) is another huge mistake, not even mention setting up an arbitrary price in the market, that is simply insane.

I assure you, IF YOU GO AHEAD with reverting back transactions, it will mark the beginning of the end of MTGox: NO ONE WILL EVER TRUST YOU AGAIN EVER. Who knows when my purchases will be reverted back in a whim AGAIN?

MTGOX: Don't make one wrong to three.

Jun-20 2011 05:16.
Tomas Zeleninsky

If anybody feels like complaining:

http://complainr.syx.sk/

Jun-20 2011 05:16.
Frank

Would it not be a good idea to have automatic circuit breakers in place to prevent extreme market instability like this?

A 700% drop in price in a couple of minutes should not be seen as normal trading activity.

Of course people are going to be hopping mad if they miss out on opportunities either way, but with automatic safeguards in place this would also be lessened somewhat.

Jun-20 2011 05:18.
MBH

So because one account failed to protect itself, everyone must suffer?

Yes, the account lost its coins and that lead to the market being flooded with coins, dropping the price down, but how is that EVERYONE's problem? It's YOUR problem and the OWNER's problem.

Jun-20 2011 05:18.
Eric Olson

I am curious to know what the per bitcoin value of the $1000 withdrawn was at the time. Were they $1000 at $5 each or $13 each? Can't say I'm terribly pleased at the idea of not getting the coins I bought at $14.01 while it was on its way down, but no matter how they do this it's going to be a huge mess. I am really surprised that there weren't any kind of safeguards in place. I would have thought the last big drop would have made that a priority. I suspect the exchange will lose out more than anyone else in the long term.

Jun-20 2011 05:19.
MBH

However the outcome is, I'm withdrawing my coins and moving to another market.

I even emailed you guys about how to secure the accounts and how to enforce better security. I guess you haven't had the time to check the email (hopefully you didn't just ignore it).

Jun-20 2011 05:21.
Stephen Yarger

Anyone else check their username and email in the leaked database?  My correct email was not associated with my user account.  This could be a big problem when Mt.gox goes back up if they are sending verification emails to the wrong email addresses. 

Jun-20 2011 05:23.
Danny Storvick

Tradehill

Jun-20 2011 05:24.
Marcus L. Beach

I had to make a new account. I signed up a few days ago...

Jun-20 2011 05:25.
felix

I somehow have the feeling here happened a big, big mess. Will be even more messy if you roll something back, it's not going to work.

Jun-20 2011 05:25.
Bill

You guys are done.  DONE.  This is one users account that got hacked.  You are making us all suffer.  Total bullshit.  I want access to my account NOW.  How many times do I need to FUCKING repeat it.  I want all of my coins out of your system.  There is no fucking Rollback in life.  You fucked up.  Not me or anyone else.  If you make us pay.  You are over as an exchange.

Jun-20 2011 05:26.
phantm
Jun-20 2011 05:29.
Brian Raymond

As others have said you are taking one big problem and turning it into many by rolling the transactions back, not to mention opening yourself up to serious legal threats in both the US and Japan. I missed out on the fire sale so I expect my BTC are going to be worth much less since I bought at over $20 and you are just making it worse.

Jun-20 2011 05:30.
Stephen Yarger

Rollbacks/broken trades happen all the time in the stock market, there is nothing wrong with a rollback. I've seen this happen many times on the Nasdaq and the NYSE when someone gets a fill that is too far outside the current bid/ask spread by using an outside ECN. I've also seen trades for large sections of time all broken because of computer errors, quote errors, etc. It's not fair for everyone, but rollbacks are common in financial markets. The rollback is not the issue, making sure all of the accounts are secure when they go back live is the issue.

Jun-20 2011 05:30.
Bill

@stephen They have already stated that no other accounts have been compromised.  People made serious money and bailed.  Then they screw the rest of us.  Sorry, but if the system isn't in place BEFORE the crash.  I am not subject to their terms after the FACT due to MTGOX's incompetence.

Jun-20 2011 05:33.
Brian Raymond

Stephen, yes this happens, however not having the market halt before literally executing ALL BUY orders on the entire market is completely different than what happens on the NYSE and other markets, and in that sense it's not a good comparison.

Jun-20 2011 05:36.
Dieter Grosz

haha, all the guys that profited from the crash are crying "No! don't roll back, it's not going to work!"

Honestly guys, of course Mt.Gox cannot undo transactions of bitcoins that have been withdrawn from the accounts. But I'm fairly sure that this amount is fairly small and they simply pay the difference out of their own pockets. So, they can do it and they will, regardless of how much you yearn for it not to become true.

But an automated protection mechanism that suspends trading if a big crash happens really should be installed (better said, should have been installed IN THE PAST ALREADY). The same is done on the big markets to prevent the market from crashing too extremely.

Jun-20 2011 05:37.
Duy Pham Hoang

MtGox, please roll back email information for my account

Hacker change my pass, and delete my email, too

If you roll back it, i will be appreciated

Thank you

ID: duy1124

Jun-20 2011 05:42.
Stephen Yarger

Brian, I disagree; on the Nasdaq and on the NYSE hundreds of thousands of trades are broken when they roll back due to an error or an obvious problem. They almost never catch these things immediately and many, many orders get executed before the problems are stopped.

I also disagree with the Mt.Gox statement that no other accounts have been compromised. My email was no longer registered with Mt.gox today; I had to re-register to join this forum. Also, I took a look at the leaked spreadsheet and the email associated with my user name was not correct. It appears that my account may have been hacked as well.

Jun-20 2011 05:43.
Stephen Yarger

Was anyone able to access this forum with their original email associated with their Mt.Gox account?  It is starting to look like many accounts were hacked, clearly not just one. 

Jun-20 2011 05:46.
Ace

Whine all you like, roll-back is gonna happen. Don't like it, take your BTCs and go.

Mt Gox needs to step up its security and put in some circuit-breakers.

Yes, this should have been done already, but it's water over the dam.

I just hope they get back on line soon so I can see if my account has been compromised

Jun-20 2011 05:47.
Marcus L. Beach

Maybe the roll-back has jacked up the accounts. If you use your account information somewhere other than here, I would still change it to be safe.

Jun-20 2011 05:49.
Dieter Grosz

@Stephen

Hmm, this is alarming me. Did you have a "strong" password?

Luckily, in the csv-file the Email associated with my account still was correct.

Somehow funny, that data about my account that was stolen/hacked from Mt.Gox does appease my worries :D

Jun-20 2011 05:50.
mbraun

Yeah great - you did store the salt RIGHT IN THE HASH. MD5 is weak already, having the salt makes it a 0.5 second job for a GPU to break that hash. Ironic, isn't it?

Jun-20 2011 05:50.
Fred

It wasn't one person that got hacked, it was the entire site. The hacker had access to all the usernames and passwords; instead of spending 6 months to brute force a hash he just used his access to the database to give himself the money he didn't really have.

 

This means it wasn't just one person's funds that were sold off, it was everybody's, including yours.

Jun-20 2011 05:52.
alalalalum

@phantm Thank you for the google link (http://www.google.com/search?q=Market+rollback)

The result was: "Hennings Market Rollback Gas Rewards"

Very insightful indeed.

 

@Warren

Jun-20 2011 05:56.
Verlorene Generation
@Stephen unlike at the stock market you can NOT roll-back the trades, because some of the commodity (BitCoins) cannot be retrieved again due to the system's anonymous design. This is not an issue on the NYSE, but it is here.
Jun-20 2011 05:57.
Conor McCarthy

Can you inform us of how the passwords were encrypted please? If they were hashed please tell us if a random salt was added. If no salt was used then it's trivial to retrieve the password, but if a unique salt for each password was used then it's unlikely that our passwords will be compromised.

Jun-20 2011 06:04.
Mark Cross

How about using OpenID like Britcoin.co.uk?
Then you can choose if you want to use a OTP, like binding PIP Verisign to your PayPal Secure Key :-)

Jun-20 2011 06:06.
Rok Jaklic

I advise for an option for locking mtgox account based on IP or IP ranges, locking bank account withdraw address and locking bitcoin withdraw address. All these things should be changed only by trusted email or something similar.

Jun-20 2011 06:07.
mbraun

@Conor McCarthy

Jun-20 2011 06:09.
mbraun

Passwords are hashed using MD5 (...) and the salt is part of the hash that has been leaked (...). So your password has effectively been compromised and published since it's very trivial to retrieve. Change it asap.

Jun-20 2011 06:10.
Stephen Yarger

Dieter, my password was "strong", but not "very strong" (according to your basic password tester site); it appears that it should have been much stronger. Anyone else check the leaked spreadsheet and have a different email on their account?

Verlorene, good point, some bitcoins may have been transferred. Let's just hope that Mt.Gox did not allow the $1000 max from every account before they shut things down.


Jun-20 2011 06:12.
Abraham

I wasn't able to login to this board with my original email address either. Should I worry?

Feels like this is getting a bit of a drama.

Jun-20 2011 06:12.
ruadhan

Just to answer some of the worries about the password hash included in the file:

1) It's true that md5 has been compromised, and that exploits have been found to generate hash collisions for modified certificates and files where the certificate/file content is already known.  However, this *cannot* be used to crack an unknown password more easily.  Brute force is realistically the only way.

2) The passwords are salted before hashing, and each password has an individual salt which is stored with the hash.  @mbraun is incorrect in saying this makes security weaker; in fact it makes it stronger.  To quickly cover this for those who don't know, a "salt" is a small chunk of data that is added to the start of your password before it is hashed; this prevents "rainbow tables", or lists of precomputed hashes, from being used to very easily look up passwords from a hash.  Salting all the passwords for a system means that standard rainbow tables can't be used; however, if a single salt is used, once that's known then attackers can regenerate their rainbow tables using the same salt and brute-force all the passwords in one go.  Having an individual salt for each password (which does then have to be stored with each password, so it can be used!) is much safer: it means attackers must brute-force each password individually.

You can criticise MtGox a lot for having a system that could be broken into, but their password hashing is better than much of what's out there.  I'm not saying it couldn't be improved (a stronger hashing scheme with many rounds to make brute-forcing even slower would be better), but the attackers are going to have to break each password separately so that non-trivial passwords will take a significant time to break. 

Jun-20 2011 06:12.
Dieter Grosz

yeah but how can I change my pass with MtGox being down?

So I've got to stay up all night, to try to compete in a race "who's first to my account" with the hacker ?

Shit is that

Jun-20 2011 06:12.
elments

I just got the following email:

 

Dear Mt.Gox user,

 

Our database has been compromised, including your email. We are working on a

quick resolution and to begin with, your password has been disabled as a

security measure (and you will need to reset it to login again on Mt.Gox).

 

If you were using the same password on Mt.Gox and other places (email, etc),

you should change this password as soon as possible.

 

For more details, please see this:

 

 

The information there will be updated as our investigation progresses.

 

Please accept our apologies for the troubles caused, and be certain we will do

everything we can to keep the funds entrusted with us as secure as possible.

 

 

The leaked data includes the following:

 

- Account number

- Account login

- Email address

- Encrypted password

 

While the password is encrypted, it is possible to bruteforce most passwords

with time, and it is likely bad people are working on this right now.

 

 

Any unauthorized access done to any account you own (email, mtgox, etc) should

be reported to the appropriate authorities in your country.

 

 

Thanks,

The Mt.Gox team

 

 

=> What does this mean and how can we reset our passwords, now that the site is down????

Jun-20 2011 06:14.
woftor

Reset my password on this [forum] account, but that is NOT the same as my Mt. Gox account.... is it?

Jun-20 2011 06:14.
firexware

Hello,

I do freelance security consulting....

https://ossbox.com/peerreview.htm

I would be very willing to help out.

Jun-20 2011 06:18.
Bill

I'm not staying up all hours of the fucking night to change my password/ log on.  I have to work.  You know the real world.  MTGOX better be online sooner than they are saying.  I want my account closed and my coins refunded.  I'm not playing this waiting game.  You could allow us to log on and change now without allowing trading.  This is BULLSHIT!

Jun-20 2011 06:18.
Petrovski
Jun-20 2011 06:18.
mbraun
@ruadhan Basically it does not matter what we think of having the salt public as well. Cracking a typical password (IIRC MtGox did not enforce basic password complexity rules) is a task which can be done within seconds. In fact it does not really make brute-forcing harder than it is, it just requires focused attacks for each password, like you correctly stated. However, the password database is available for offline attacks now, and that makes it de-facto a public password list.

It might be that some sites store passwords plain-text and MtGox did not - however, this is not the time telling the people MtGox are heroes for hashing the password.

My statement was, that each MtGox user should change the password at any other service it has been used. Especially at the E-Mail service because that information has been exposed at the login. Most people use one password for multiple services, sadly.
Jun-20 2011 06:22.
josh

I had made a transfer of BTC to MtGox right before you took the site down.  What will happen to that transfer?

Jun-20 2011 06:23.
User photo
Richard Anderson

Total disaster...

Get a 10% lifetime discount on the MtGox competitor www.TradeHill.com by using Ref: TH-R1191 Great for Europe, WW

Jun-20 2011 06:31.
Richard Anderson

Get a 10% lifetime discount on the MtGox competitor www.TradeHill.com by using Ref: TH-R1191 Great for Europe & WW

Jun-20 2011 06:31.
KM

The accounts.csv didn't have my email attached to it. I had to make a new account apparently with the same email; how am I to reset my password if you don't even know my email?

Jun-20 2011 06:34.
Joshua

what the hell is this place

Jun-20 2011 06:35.
Robert

Apart from the DB break-in, I think it is shocking that one account owns roughly 1/13th of all available bitcoins at the moment anyway. IMO it should be plain impossible for one account to have such impact on the total value of the BTC. And I presume that this account is not the only mega account. Now it was a hacker, but tomorrow a real owner of one of these accounts decides to cash out and totally screws the value of our bitcoins.

This issue has completely erased my confidence in the BTC. And I think I'm not the only one. This hack will probably reset the value of the BTC in the following days. Great!

Jun-20 2011 06:36.
Jon Johanssen

AGAIN, How do we change our password, if the site is sucking wind?

use this http://www.passwordmeter.com/

Jun-20 2011 06:36.
Bitcoin Channel

Watch live coverage of the crash

Bitcoin Report Volume 8 - FLASHCRASH!

WATCH THE BITCOIN CRASH TO ONE CENT COVERED LIVE!

http://www.youtube.com/watch?v=T1X6qQt9ONg

Jun-20 2011 06:36.
KM

Note to self: if its nakamotos account the entire market gets a free reset!

Jun-20 2011 06:37.
devserial

I'm shocked at the level of rudeness towards MagicalTux on this forum just because you are unable to get rich quick on the misfortune of another. Rollbacks happen all the time and regardless, you are using MtGox without any written agreement as to what can and cannot be done, so you have no say in the matter. I have some coins tied up in here too, but I for one am glad there's a method in place to fight hackers. This really amounts to receiving stolen property, and if this was "real life" you don't get your money back, they just take the coins and the thief gets away with the money, so be glad someone cares enough to protect you and don't complain that you cant snatch up all of the guys stolen coins at 50 cents on the dollar. Karma people..sheesh..

Jun-20 2011 06:41.
Datura
Jun-20 2011 06:43.
Bill

Is MTGOX fucking stupid?  Allow me access to my account so I can change my password NOW!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!  You are the most incompetent people to ever run a trading exchange.  You are history as one.

I have to work and I don't want to be up all night thinking some hacker has access to my account. If you also roll back the trades, I'm going to sue.

Jun-20 2011 06:43.
Dieter Grosz

I didn't receive the e-mail "Elements" got. Did anyone else get this e-mail? (The one saying the accounts are blocked until the PW is reset)

Jun-20 2011 06:43.
Dee Brown

I'm not exactly happy with this. I panicked and sold off, losing a few hundred, then I got my balls back, transferred in a few thousand at 12 bucks and made a killing on the ride up to 18+. If I continue to use the site it will be for quick get-in and transfer purchases, whatever direction. I am sure from the owner's aspect it is just one big cluster f*ck, but business is business. I was ready to accept my losses and took full responsibility. It does not seem that that philosophy exists in this company. No one trader should control the market, so competition will save the day after all. I signed up with tradehill.com today as a result. If you choose to do so, get a deep discount by using the coupon code: TH-R14654 (gives you a 30% discount on all trades and fees permanently). I think I will build a trading platform closer to Ameritrade. Listen out...

Lastly, this is expected. I would actually think that the money theft is a cover or bonus. The government(s) want to know who is trading this subversive coinage and who has the most. They eventually will spend a lot of effort (government and banking interests) to cause market shocks. It is how they established themselves initially and brought down their competitors. For us to insulate ourselves against it we must be vigilant against large sell offs and news scares. Also HUGE buys to grab up coins should be watched. Encryption should be the standard at every level including the bitcoin client and dat files!!!

For those using Chrome or Firefox you can get a browser enhancement/plugin, Hash Password and Passhashr respectively. On every site you can even use the same or a similar password, then select how many digits, 6 through to 26, and it will easily "salt" and generate the hardest-to-crack password, but easy to remember for YOU!

If anything I said helped micro bit me should you feel generous: 1BTCdnB6EeHhAEjbwefR62bPCJTH6zKyk7  (actually towards a charity that is NOT ME, lol)

Jun-20 2011 06:44.
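The per-site password derivation Dee Brown describes above (one memorable master secret, a different password on every site, chosen length between 6 and 26) as an added example. This is not the code of Hash Password, Passhashr or any other real extension, and the construction below is an assumption: PBKDF2-HMAC-SHA256 keyed on the master secret with the normalised domain as salt, expanded with HMAC into a byte stream, mapped onto a 70-symbol alphabet with rejection sampling, and re-derived with a counter until the result contains all four character classes. Domain, master secret and iteration count in the sample run are constructed.

```python
import hashlib
import hmac
import string

# Output alphabet (70 symbols). Assumed for this example; real tools use per-site rules.
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
# Bytes at or above this value are discarded so that byte % 70 is unbiased.
_REJECT_FROM = 256 - (256 % len(ALPHABET))


def _keystream(key: bytes, nbytes: int) -> bytes:
    """Deterministic expansion: HMAC-SHA256(key, counter) blocks concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out)


def has_all_classes(pw: str) -> bool:
    """True when pw has a lower-case letter, an upper-case letter, a digit and a symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def site_password(master: str, domain: str, length: int = 16, iterations: int = 200_000) -> str:
    """Derive a per-site password from a master secret.

    Same master and same domain (case- and whitespace-insensitive) give the same
    password; a different domain gives an unrelated one, so a dump at one site
    does not hand the attacker the user's other accounts. The slow PBKDF2 step
    makes guessing the master secret from one leaked site password expensive.
    """
    if not 6 <= length <= 26:
        raise ValueError("length must be between 6 and 26")
    domain = domain.strip().lower()
    for attempt in range(256):
        # The attempt counter goes into the salt so each retry yields fresh output.
        salt = f"{domain}|{attempt}".encode("utf-8")
        key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)
        stream = _keystream(key, 8 * length)  # generous margin for rejected bytes
        chars = [ALPHABET[b % len(ALPHABET)] for b in stream if b < _REJECT_FROM][:length]
        pw = "".join(chars)
        if len(pw) == length and has_all_classes(pw):
            return pw
    raise RuntimeError("could not derive a password meeting the class rules")


if __name__ == "__main__":
    # Constructed inputs; the iteration count is lowered only to keep the demo quick.
    print(site_password("correct horse battery staple", "mtgox.com", 12, iterations=20_000))
    print(site_password("correct horse battery staple", "tradehill.com", 12, iterations=20_000))
```

Two caveats a practitioner would add to the post above. First, the scheme only helps if the master secret itself is strong: anyone holding one derived password and a copy of the tool can run the same derivation offline against master-secret guesses, which is why the derivation should be deliberately slow. Second, the domain must be normalised consistently (here lower-cased and trimmed), or a login page served under a slightly different host name will silently produce a different password.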
mbraun

@Datura: Fake - would be stupid to buy something that's already public on rapidshare. Sad but true ;-)

Jun-20 2011 06:45.