MTGOX Security Incident June 19

mtgox security incident,

Information on this appeared in multiple status update retweets seen in on our @BitcoinMiner Twitter account many hours ago.

If anyone is not already aware, Bitcoin’s leading exchange Mt. Gox had a security incident recently in which data was stolen and then used to fraudulently trade.  Following that, the stolen data was released “in the wild”.

The exchange has responded by disabling logins and suspending trades while it makes repairs.  All trades that had occurred once the attack began will be rolled back to the point just prior to when the stolen data had started to be used for trading.

The security issue may affect more than just the one exchange as the result of password re-use.  If the username, email address and password from a Mt. Gox account was used anywhere else, including with a pool, with PayPal, or for email even, then those passwords used elsewhere should all be changed immediately.  

The exchange stored some passwords unsalted which makes them easily-cracked and lists of these cracked passwords have already been released in the wild as well.

The online privacy and safety recommendations include using a strong password and not using a password anywhere else.  Following this recommendation for most users makes using a password management utility mandatory.

This attack occurred against the security of a single exchange and Bitcoin itself was not compromised.  Because the one exchange is the largest (by far) this incident will impact the bitcoin community including miners – many of whom use the exchange for cashing out their bitcoins.

This will likely be a temporary setback while exchanges, ecommerce sites, and individual bitcoin users give information security the level of attention it demands.

Written on 20 Jun 2011.