CLARIFICATION OF MT. GOX COMPROMISED ACCOUNTS AND MAJOR BITCOIN SELL-OFF
Dear members of the press and Bitcoin community,
March, 2011 – MtGox.com (Mt. Gox), now the world’s leading Bitcoin exchange, was purchased by Tibanne Co. Ltd. As part of the purchase agreement, for a period of time, Tibanne Co. Ltd was required to pay the previous owner a percentage of commissions. In order to audit and verify this percentage, the previous owner retained an admin level user account. This account was compromised. So far we have not been able to determine how this account’s credentials were
II. Bitcoin Sell-Off
On June 20th at approximately 3:00am JST (Japan Time), an unknown person logged in to the compromised admin account, and with the permissions of that account was able to arbitrarily assign himself a large number of Bitcoins, which he subsequently sold on the exchange, driving the price from $17.50 to $0.01 within the span of 30 minutes. With the price low, the thief was able to make a larger withdrawal (approximately 2000 BTC) before our security measures stopped further action.
We would like to note that the Bitcoins sold were not taken from other users’ accounts—they were simply numbers with no wallet backing. For a brief period, the number of Bitcoins in the Mt. Gox exchange vastly outnumbered the Bitcoins in our wallet. Normally, this should be impossible. Unfortunately, the 2000 BTC withdrawn did have real wallet backing and they will be replaced at Mt. Gox’s expense. Again, apart from the compromised admin account, no individual user’s account was manipulated in any way. All BTC and cash balances remain intact.
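An added example, not Mt. Gox code, of the invariant this paragraph describes (BTC credited to users must never exceed BTC actually in the wallet) enforced as a fail-safe of the kind the statement promises in section V: a manual credit that would break it is refused and halts the exchange, and withdrawals are capped per account. The `Ledger` class, the 1000 BTC cap and all balances are constructed for illustration.

```python
from decimal import Decimal


class Ledger:
    """Constructed exchange ledger: user balances next to the BTC the wallet really holds."""

    def __init__(self, wallet_btc: str, withdraw_cap_btc: str = "1000") -> None:
        self.wallet_btc = Decimal(wallet_btc)          # BTC verifiably in the exchange wallet
        self.withdraw_cap = Decimal(withdraw_cap_btc)  # assumed per-account cap per window
        self.balances: dict[str, Decimal] = {}
        self.halted = False                            # set the moment an invariant fails

    def credited(self) -> Decimal:
        """Total BTC the exchange currently owes its users."""
        return sum(self.balances.values(), Decimal(0))

    def solvent(self) -> bool:
        """Invariant: BTC credited to users may never exceed BTC in the wallet."""
        return self.credited() <= self.wallet_btc

    def deposit(self, user: str, amount: Decimal) -> None:
        """A confirmed on-chain deposit raises the wallet and the balance together,
        so it can never break the invariant."""
        self.wallet_btc += amount
        self.balances[user] = self.balances.get(user, Decimal(0)) + amount

    def admin_adjust(self, user: str, amount: Decimal) -> bool:
        """A manual credit is allowed only if the invariant still holds afterwards;
        otherwise it is refused and the exchange halts for investigation."""
        if self.halted or self.credited() + amount > self.wallet_btc:
            self.halted = True
            return False
        self.balances[user] = self.balances.get(user, Decimal(0)) + amount
        return True

    def withdraw(self, user: str, amount: Decimal) -> bool:
        """Withdrawals stop when halted, when the ledger is no longer solvent,
        when over the per-account cap, or when the balance does not cover them."""
        if self.halted or not self.solvent():
            self.halted = True
            return False
        if amount > self.withdraw_cap or amount > self.balances.get(user, Decimal(0)):
            return False
        self.balances[user] -= amount
        self.wallet_btc -= amount
        return True
```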
Given the relatively small amount of damage considering what was potentially possible, we have to question what the true motives of the attacker were. Perhaps the attack simply was not well-orchestrated but the possibility exists that the attacker was more interested in making a statement, hurting Mt. Gox’s reputation, or hurting the public image of Bitcoins in general than he was in any
III. Database Breach
Late last week we discovered a SQL injection vulnerability in the mtgox.com code that we suspect is responsible for allowing an attacker to gain read-only access to the Mt. Gox user database. The information retrieved from that database included plain text email addresses and usernames, unsalted MD5 password hashes for accounts that had not logged in since before the Mt. Gox ownership transfer, and salted MD5 password hashes for accounts created or logged in to after the ownership transfer. We speculate that the credentials of the compromised admin account responsible for the market crash were obtained from this database. The password would have been hashed, but it may not have been strong enough to prevent cracking.
Regrettably, we can confirm that our list of emails, usernames and hashed passwords has been released on the Internet. Our users and the public should know that these hashed passwords can be cracked, and many of our users’ more simple passwords have been cracked. This event highlights the importance of having a strong password, which we will now be enforcing. We strongly encourage all our users to immediately change the passwords of any other accounts that now or previously shared a password with their Mt. Gox account, if they have not done so already.
IV. Present Steps
We have been working tirelessly with other service providers in order to mitigate the potential damage to our users caused by the security breach. We’ve been informing our users to be especially cautious of Bitcoin-related phishing attempts at the email addresses associated with their Mt. Gox accounts. Users should continue to be especially observant of indicators of account compromise with other services—especially email and financial services.
We would like to give a special thanks to the Google team who were extremely proactive about flagging and temporarily locking customer accounts that appeared in our stolen user list. Their quick response no doubt significantly reduced unauthorized account access to Gmail addresses associated with Mt. Gox user accounts.
We’ve been actively researching the origin of the attack that led to the compromise of Mt. Gox’s previous owner’s admin account; however, our priority has been getting the Mt. Gox service back online and getting people access to their funds. We were finally able to simultaneously relaunch the service and launch our new site, with greatly improved security and back end, on June 26th, 2011.
V. Future Steps
The new Mt. Gox site features SHA-512 multi-iteration, triple salted hashing and soon will have an option for users to enable a withdrawal password that will be separate from their login password. Other security measures such as one-time password keys are planned for release very soon as well.
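An added illustration, not Mt. Gox code, of the three password record types this statement describes (the breach section’s unsalted MD5 and salted MD5 hashes, and the new site’s salted, iterated SHA-512) together with a check that rehashes a legacy record the next time its owner logs in. The `$`-separated record layouts, the 200,000 iteration count and the use of PBKDF2-HMAC-SHA512 as a stand-in for the “multi-iteration, triple salted” scheme (whose exact construction the statement does not give) are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for the new scheme


def legacy_md5(password: str, salt: bytes = b"") -> str:
    """Legacy record: MD5 of the password, with an optional prefix salt (assumed layout)."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def new_hash(password: str, salt: bytes = b"") -> str:
    """New record: per-user random salt plus iterated SHA-512 (PBKDF2-HMAC-SHA512 here,
    an assumed stand-in for the statement's scheme)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha512${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against any of the three constructed record layouts."""
    scheme, *parts = stored.split("$")
    if scheme == "md5":          # unsalted legacy: equal passwords give equal, precomputable hashes
        return hmac.compare_digest(parts[0], legacy_md5(password))
    if scheme == "md5salt":      # salted legacy: not precomputable, but still a single fast MD5
        return hmac.compare_digest(parts[1], legacy_md5(password, bytes.fromhex(parts[0])))
    if scheme == "pbkdf2_sha512":
        iters, salt, dk = parts
        cand = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt), int(iters))
        return hmac.compare_digest(cand.hex(), dk)
    return False                 # unknown layout: fail closed


def login_and_upgrade(stored: str, password: str) -> tuple[bool, str]:
    """Return (ok, record). On a successful login a legacy MD5 record is replaced by a
    new-scheme record, so no MD5 hash survives past its owner's next login."""
    if not verify(stored, password):
        return False, stored
    if not stored.startswith("pbkdf2_sha512$"):
        return True, new_hash(password)
    return True, stored
```

Accounts that never log in again keep their legacy record, which is why a breach of this kind also calls for forcing a reset on every account still holding one.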
The recent successful attacks on huge institutions like Sony and Citibank remind us that nobody is impenetrable. We are now operating under the presumption that another security breach will happen at some point in the future and we are implementing layers of fail-safe mechanisms to greatly limit the amount of damage possible. Of course, we’re doing our best to make sure those fail-safe mechanisms are never necessary.
While we are making great strides with the advancement of our security, we should remind our users that they too play an important role in securing their accounts. Please use a long password—the standard is not whether a person could guess it but rather whether a computer could guess it—and computers can guess pretty fast. Please do not share passwords across services—where passwords are shared, a compromise at one service means a compromise at all services. Help us help you.
The truth is that Mt. Gox was unprepared for Bitcoin’s explosive growth. Our dated system was built as a hobby when Bitcoins were worth pennies a piece. It was not built to be a Fort Knox capable of securely handling millions of dollars in transactions each day.
We can attempt to blame the owner of the compromised account for the recent events but at the end of the day the responsibility to secure the site and protect our users rests with us. The admin account responsible had more permissions than necessary, and our security triggers were not as tight as they could have been.
Since the change of ownership, we have actively been patching holes while at the same time building a new Bitcoin exchange from the ground up. Going forward, we are certain that the launch of the new site will exceed the rightful expectations our users have of the service. We only hope that we can once again earn the trust of the Bitcoin community. In the meantime, we sincerely appreciate the patience all our users have shown.
We’ve got a backlog of emails we’re catching up on now but if you have any questions or comments about the recent security breaches and events, Mt. Gox in general, its founder or Bitcoin, please do not hesitate to contact us. We’re reading every message and we’ll get back to you as soon as we can.
Mark Karpeles - CEO
Tibanne Co. Ltd.