[Update - 2:06 GMT] What we know and what is being done.
* It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
* Two months ago we migrated from MD5 hashing to FreeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
* We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
* Mt.Gox will continue to be offline as we continue our investigation; at this time we are pushing it to 8:00am GMT.
* When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.
* Once Mt.Gox is back online, trades 218869~222470 will be reverted.
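As an added illustration of the migration path the update describes (this is not Mt.Gox's code; the PBKDF2-HMAC-SHA512 construction, the iteration count and the salt size are assumptions, since the update only names "SHA-512 multi-iteration salted hashing"): a verifier that accepts both a legacy unsalted MD5 record and a salted, iterated SHA-512 record, flags the legacy ones, and rehashes such an account on its next successful login.

```python
import hashlib
import hmac
import os
import re

# Assumed parameters for the new scheme; the update does not state them.
ITERATIONS = 100_000
SALT_BYTES = 16
# A bare 32-hex-char record is the old unsalted MD5 format.
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def legacy_md5(password: str) -> str:
    """The unsalted scheme the update says idle accounts were still on."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing salted, iterated SHA-512 record.

    A fresh random salt per user means two users with the same password get
    different records, and the iteration count raises the cost per guess.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha512${iterations}${salt.hex()}${digest.hex()}"


def needs_upgrade(stored: str) -> bool:
    """True when a stored record is still a bare unsalted MD5 digest."""
    return LEGACY_MD5_RE.match(stored) is not None


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format using a constant-time compare."""
    if needs_upgrade(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    try:
        _, scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:  # malformed record: neither format
        return False
    if scheme != "pbkdf2-sha512":
        return False
    expected = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                   bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(expected.hex(), digest_hex)


def login_and_migrate(password: str, stored: str):
    """Verify; on success with a legacy record, return the rehashed record to store."""
    if not verify(password, stored):
        return False, stored
    return True, hash_password(password) if needs_upgrade(stored) else stored
```

The constructed sample records below show why the unsalted accounts mattered: every user with the same password shares one MD5 record, while the salted records differ per user.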
I for one certainly wouldn't be going back. [MD5] is enough to tell me they only half-heartedly care about securing user data, no matter how many buzzwords they throw in now.
Yes, I was also worried when I saw the suspicious activity flag had been tripped on my acct., but apparently that doesn't actually mean that anyone actually tried anything, just that our e-mails appeared in the list.
Luckily I never reuse passwords for important stuff like e-mail or anything that touches money...
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell...