The Bitcoin Trials Continue: Mt. Gox Exchange Collapses Due To Compromised Account

It seems that Bitcoin is experiencing the same fits and starts that any new currency undergoes early in its history. Though Bitcoin is 2 years old, the mainstream press discovered it much more recently, and since then, Bitcoin has experienced some schizophrenic volatility — you can read Jon Evans’ recent diagnosis here.

Yet, absent from Evans’ post is the very latest news out of the virtual currency market: Late this afternoon, Bitcoin suffered from another serious setback, as the network’s most popular exchange, Mt. Gox, collapsed thanks to a hacked account. The unknown hacker(s) made an enormous sale of bitcoins from the compromised account, causing the price of the currency to fall from $17.5 to just pennies in a matter of minutes.

Mt. Gox’s Mark Karpeles issued a statement early this afternoon saying:

One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.

While the relatively small value of the hacker’s loot may have at first seemed like a silver lining, it has since come to light that whoever owned the compromised account also had “read-only access” to Mt. Gox’s database, which enabled the hacker(s) to pull information from older Bitcoin accounts, including email addresses and hashed passwords.

A discussion on Reddit found some readers saying that the hackers were able to take Gmail addresses and hashed passwords to brute-force users’ real passwords. Just as Reddit users recommend that anyone using the same passwords for Mt. Gox accounts, email addresses and so on, immediately change all passwords, Karpeles has also advised all Bitcoin users not to download any information (certificate or otherwise) sent from Mt. Gox until further notice.

Until the investigation concludes and security is confirmed, Karpeles said, Mt. Gox will remain offline. When it does in fact come back online, users will be put through “a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.”

Bitcoin has been the subject of quite a bit of controversy lately, as the U.S. Senate has been drafting anti-Bitcoin law, and there had been reports this week that hackers had begun targeting Bitcoin users’ virtual wallets with Malware and more, in an attempt to steal the virtual currency. However, an important thing to note for the anti-Bitcoiners is that the underlying peer-to-peer transaction clearing process does not seem to have been compromised — at least in this incident. Instead, the Mt. Gox crash appears to be the result of poor security (or using the same password for 8 different accounts) on the part of a single user.

Whether or not one believes that Bitcoin marks the future of currency, there appear to be a number of sites and blogs writing openly about the security holes in Bitcoin’s current system. Quora even has a string on this topic. That doesn’t bode well for confidence in the virtual currency market, at least in the short term. On the other hand, having its network security dissected by various sites and message boards across the Web, as well as market crashes like the one that happened today, will hopefully be used as fodder for building a better and more secure exchange.

And it’s worth mentioning, for how much both have been in the news of late, this does not appear to be a LulzSec Production, nor does Anonymous seem to have anything to do with it. In fact, some even want LulzSec to be the White Hats that hack-test a new, private security exchange for Bitcoin.

In the end, as Evans so astutely said, whether or not Bitcoin itself is a success, its existence is notable (and significant), as it may be the progenitor of future virtual exchanges that will collectively change the very face of currency as we know it. The Internet has a way of doing that. Until then, Bitcoin users should increase the level of security of their own accounts and passwords, and expect these kinds of crashes to happen again.

For those looking for an exhaustive explanation of what Bitcoin is and does, check out The Economist’s run-down here.

Or you can just turn to Tweets like this one:

Or this apt description from a commenter on Slashdot, which includes, “Bitcoin is a decentralised computer currency designed by self-righteous Ayn Rand-reading nerds who despise looters and parasites like, er, you. It is used to purchase Internet services, illegal drugs and pictures of naked women holding video cards”.