Mt. Gox, the most popular Bitcoin exchange, has had a database compromised and user information stolen, sparking rapid devaluation and temporary exchange freeze to halt the slide. According to a Mt. Gox breach notification e-mail sent to users on June 19th:
"Our database has been compromised, including your email. We are working on a quick resolution and to begin with, your password has been disabled as a security measure (and you will need to reset it to login again on Mt.Gox). The leaked data includes the following: - Account number, - Account login, - Email address, - Encrypted password."
Continuing, “While the password is encrypted, it is possible to bruteforce most passwords with time, and it is likely bad people are working on this right now.” As a remediation step, Mt. Gox claims they have “implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password”, as well as, “putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password.” They also claim them will revert some trades.
The first claims surface on June 14th, from someone calling themself Buttsec, saying:
"We must get the message out there that security is sorely lacking on many of the exchange sites! We will speak with some of these sites in the coming days. If your users aren't given answers, expect some information to make it to the public! ;-) "
In the next several days messages started surfacing offering to sell the database of usernames and password hashes. Mt. Gox claims their database was breached when a security auditor accessed the database from a compromised computer. The lagtime from breach to notification was over 4 days, forever in a currency market where milliseconds count, sparking fresh concerns about Mt. Gox internal operations, and spawning a heated backlash from users.
Mt. Gox recently imposed a $1000/day withdrawal limit in an effort at stabilizing wild currency swings that have accompanied the currency’s meteoric rise. It appears they see the need for some more traditional controls used by established physical currency exchanges. Despite being the most popular exchange, Mt. Gox is neither regulated nor audited, and the users’ accounts are not insured, a few issues at the top of users’ wish lists.
Other exchanges like Bitcoin Market have been unaffected by the Mt. Gox breach. TradeHill, another Bitcoin exchange based in Chile, shut down to avoid attacks using credentials compromised at Mt. Cox, hoping to stem losses. As the Bitcoin ecosystem matures, expect to see more growing pains and the resulting roller coaster ride that is typical in emerging markets. Still, there seems to be significant critical mass behind the phenomenon, in spite of the bumps along the way.
