Bitcoin was attacked, compromised, and its database exposed today, costing users money as the virtual currency plummeted in value. It was valued as high as $30 USD per 1 Bitcoin earlier this month. The large sell off occurred at June 20th near 3:00am (JST). According to Mark Karpeles of MTGox, the trading market for BitCoin:
One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins. Apart from this no account was compromised, and nothing was lost. Due to the large impact this had on the Bitcoin market, we will rollback every trade which happened since the big sale, and ensure this account is secure before opening access again.
This tweet from AnonymousIRC tells a different story:
The list which we won’t publish here in interest of protecting the innocent, contains about 400 names and passwords in total.
The responsible parties could have come from anywhere but there is a suspicion of the user that behind the compromise.
The link points to the following information:
George Clooney could be anyone from anywhere but Lulsec, who has been taking donations in the form of BitCoins for their hacking, has been openly manipulating the market for over a week now.
How are they doing this? It is exploitation by SQL injection and Hash cracks.
In basic terms SQL Injection is an attack on vulnerable and poorly written code and is something that can be easily prevented. Unfortunately even large companies such as Sony have neglected to prevent themselves from being vulnerable. George Clooney and Lulzsec have also used hash cracks to infiltrate Bitcoin. A cryptographic hash function is where you take a chunk of data run it through a procedure and it returns a fixed size bit string. That is where they derived the name Bitcoin. By being able to crack the hash function they can manipulate the market and expose the users. The users were exposed and at least one account was compromised, possibly many more.
The solution may seem clear that they need to create a more secure way to handle the Bitcoin market. Right now they are working on plugging the security holes that have been exposed and trying to get the system back online. Bitcoin is expected to return to operations June 20th 11:00am (JST, 02:00am GMT). It remains to be seen how this breach will permanently damage the currency and how much faith will be retained by the consumers to allow Bitcoin to continue.