
[Update - 2:06 GMT] What we know and what is being done.

* It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

* Two months ago we migrated from MD5 hashing to FreeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.

* We have been working with Google to ensure any Gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.

* Mt.Gox will continue to be offline as we continue our investigation; at this time we are pushing it to 8:00am GMT.

* When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.

* Once Mt.Gox is back online, trades 218869~222470 will be reverted.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell...
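As an added illustration of the migration the update describes (not code from Mt.Gox or from this post): unsalted MD5 beside a salted, multi-iteration SHA-512 scheme, showing why identical passwords become distinguishable and why each guess costs the attacker more. PBKDF2-HMAC-SHA-512 as the iteration construction, the iteration count and the storage format are assumptions; the update names none of them.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; the update does not state them.
ITERATIONS = 100_000   # cost an attacker pays per guess against the salted scheme
SALT_BYTES = 16


def md5_unsalted(password: str) -> str:
    """The scheme the update says was in use until two months before the leak:
    one fast, unsalted MD5 per password. Same password -> same digest, so a
    leaked table can be matched against a precomputed dictionary in bulk."""
    return hashlib.md5(password.encode()).hexdigest()


def sha512_salted_iterated(password: str, salt=None) -> str:
    """Salted, multi-iteration SHA-512 in the spirit of the announced fix.
    PBKDF2-HMAC-SHA-512 is assumed as the iteration construction.
    Storage format (constructed): algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha512${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha512":
        return False                           # legacy/unknown format: force a reset
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def distinct_stored_values(hasher, passwords) -> int:
    """Number of distinct stored values a list of user passwords produces.
    Unsalted MD5 collapses every shared password into one hash; the salted
    scheme yields one value per user even when passwords repeat."""
    return len({hasher(p) for p in passwords})


if __name__ == "__main__":
    users = ["hunter2", "hunter2", "correct horse"]   # constructed sample passwords
    print("unsalted MD5 distinct values:", distinct_stored_values(md5_unsalted, users))
    print("salted SHA-512 distinct values:", distinct_stored_values(sha512_salted_iterated, users))
    stored = sha512_salted_iterated("hunter2")
    print("verify correct:", verify("hunter2", stored), "wrong:", verify("hunter3", stored))
```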




I for one certainly wouldn't be going back. [MD5] is enough to tell me they only half-heartedly care about securing user data, no matter how many buzzwords they throw in now.


"We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified."

Ah, that's why I had to change my password then.


Yes, I was also worried when I saw the suspicious activity flag had been tripped on my acct., but apparently that doesn't actually mean that anyone actually tried anything, just that our e-mails appeared in the list.

Luckily I never reuse passwords for important stuff like e-mail or anything that touches money...


This allowed for someone to pull our database ... so in effect the site was not hacked.

Weasel words. If someone has a dump of your database, then your site was hacked.



