An anonymous hacker used phony Bitcoins (BTC) last month to drive down the price of the online currency from $17.50 to a penny within the span of 30 minutes, Bitcoin exchange firm Mt.Gox has revealed. The hacker was able to create 2 million fake BTC by manipulating the company's trading database after gaining access to a compromised administrator account on June 19, according to Adam Barr, head of support for Mt. Gox.
The hacker also assigned about $1 million in phony cash to the compromised account. After a massive volume of Bitcoins entered the Mt.Gox system, the price of the online currency crashed, creating a buying frenzy. The online thief ultimately got away with 2000 authentic Bitcoins before the site's security measures kicked in to stop trading.
Mt.Gox said user accounts were not compromised during the exploit and has promised to replace the stolen Bitcoins at the company's expense. The fake Bitcoins and cash "existed inside Mt.Gox alone," Barr says, and could not be transferred into a wallet for use in another exchange.
Bitcoins use a public-private key system to ensure the currency cannot be forged. To sell or buy Bitcoins in your virtual wallet, you need the right private key (basically a really long number) to prove that the Bitcoins are really yours. The person on the other end of the transaction needs your public key. However, when trading happens in real time, Mt.Gox relies on a simple database tracking each user's Bitcoin and cash balances to carry out transactions, according to Barr. The public-private key setup only comes into play once the Bitcoins are taken out of trading and placed in a user's wallet.
Although the Bitcoin system allows for anonymity, user wallets can be tracked. Mt.Gox has given competing exchanges the numbers required to identify the stolen Bitcoins in the hopes the thief will not be able to turn his ill-gotten gains into hard currency. The company has also alerted law enforcement, but it's unclear if police will investigate. Mt.Gox is based in Japan.
SQL Injection Suspected
Mt.Gox's user database recently leaked online and the company suspects the anonymous hacker was able to gain access to the administrator account using the leaked information. The stolen database included e-mail addresses, user names, and encrypted passwords. It's unclear how the database was stolen, but Mt.Gox believes the hackers exploited an SQL injection vulnerability in its network that the company discovered in late June.
A typical SQL injection allows a malicious hacker to submit code into a text field submission box such as a web form asking for your name, address, and so on. If proper precautions aren't taken, a website's server will execute the code giving the perpetrator access to the site's databases. Originally, Mt.Gox suspected its database leaked online after "someone who performs audits on [Mt.Gox's] system" had their computer compromised.
Change Your Password Now
Despite using encryption, Mt.Gox is warning its users to change their passwords immediately if they didn't do so after the price crash on June 19.
"Our users and the public should know that these hashed [encrypted] passwords can be cracked, and many of our users' more simple passwords have been cracked," Mark Karpeles, CEO of Mt.Gox parent company Tibanne, LLC, says in a statement. Mt.Gox users should also change their login credentials for any other online accounts that use the same password.
Mt.Gox said it now uses SHA-512 encryption for user passwords to prevent a similar data breach in the future. The company also changed its system so that administrators cannot so easily edit the trading database, Barr says.
Since the data breach, Mt.Gox has been busy rebuilding its system to handle the massive amount of business the company says it was unprepared for.
"Our dated system was built as a hobby when Bitcoins were worth pennies a piece," the company says in a statement. "It was not built to be a Fort Knox capable of securely handling millions of dollars in transactions each day...We are certain that the launch of the new site will exceed the rightful expectations our users have of the service. We only hope that we can once again earn the trust of the Bitcoin community."