MyBitcoin Username/Password Breach
MyBitcoin was a popular wallet service for new users of bitcoin. The exact origins and founding of the service are not fully known. After a file containing usernames and passwords from the large Mt. Gox cryptocurrency exchange was accessed, reused credentials were used to breach the accounts of around 1% of the users on the MyBitcoin platform.
Ultimately, MyBitcoin sought to cover the losses for users.
About MyBitcoin
MyBitcoin was a wallet platform catering primarily to cryptocurrency newbies interested in buying bitcoin for the first time. The exact founding date of MyBitcoin is not fully known. One source reports that "MYBITCOIN has been in business since [the] middle of 2009"[1], while domain name WHOIS reports that the domain first existed on April 25th, 2010[2]. Actual content was first reported on the site by Internet Archive on February 11th, 2011[3], although prior versions of the site may have loaded content if the user installed "CACert's security certificate"[4].
This website showed the name MyBitcoin LLC[5][3] while domain name WHOIS entries showed the mailing address to be a post office box in Nevis[5][6], part of the Caribbean island nation of St. Kitts and Nevis[7]. It is not known if this truly is an LLC and if so, where the organization was located[5]. Domain name WHOIS and a later announcement on the website showed that the founder was someone named Tom Williams[6][8].
MyBitcoin built its reputation by providing a free, user-friendly service targeted at newbie Bitcoin buyers. An excerpt from the first version of the website mentioned it as "[a]n intuitive web-interface for Bitcoin" with "[n]o software to download, install, or configure", with easy integration for merchants to send and receive funds in bitcoin[3].
MyBitcoin sports an easy to use interface with large navigation buttons. It is suitable for those who are just trying Bitcoin out, or for those who want to use Bitcoin for commerce now, and without delay.
Downloading and installing the Bitcoin software isn't a requirement to trade with MyBitcoin. Of course, you can still use the Bitcoin software in conjunction with MyBitcoin. The choice is entirely yours!
Just like many other popular payment systems; you can easily generate and paste HTML code onto your website to accept Bitcoin payments! No more messy programming, or other headaches. You'll have your website accepting Bitcoin in minutes!
Price the goods and services on your website in any national currency, and have our SCI convert the prices into Bitcoins as each purchase is made.
You can have every single incoming payment forward to another Bitcoin address. Great for those who want to keep their coins on their desktop PC, or all in one place, but still want to use our shopping cart interface and merchant tools.
MyBitcoin is completely free. We are supported by selling small text ads that are in our login area. We are also planning on selling support packages in the near future.
Dozens of users flocked to the platform in its early days, and it reportedly had more deposits than the third largest exchange at the time, Bitomat.pl[9]. One of the more prominent users was Bitcoin evangelist and host of The Bitcoin Show Bruce Wagner.[10][9]
We have a lot of bitcoin there..... ( as has already been reported in the press )... Many -- perhaps most -- non-technical people... and businesses, I know and associate with,.... rely on MyBitcoin.com Most of my friends and family and associates.... all have all their bitcoin there too.
The Reality
It is unclear whether Tom Williams is the real name of the individual who founded MyBitcoin[11][12] and some have argued he ran the entire service as a fraud.[13][14]
05:10:57 < shockdiode> In Charlestown in St Kitts and Nevis?
05:11:10 < shockdiode> people use that country as a privacy cloak
05:11:44 < shockdiode> getting incorporated there pretty much guarantees your anonymity
The service was reportedly storing funds insecurely, with over half of the funds left in an online hot wallet[13].
What Happened
It is reported that all users with reused passwords between Mt. Gox and MyBitcoin had their bitcoin withdrawn and sent to the attacker's bitcoin address[15][16].
| Date | Event | Description |
|---|---|---|
| June 20th, 2011 03:57:31 AM MST | First Transaction | Users with the same password on Mt. Gox and the MyBitcoin platform started to see their accounts breached. The very first transaction was for 28.21 BTC[17]. |
| June 20th, 2011 04:16:15 AM MST | Largest Transaction | The largest transaction in the set happens, for a whopping 2112.64714744 BTC[18]. |
| June 20th, 2011 04:54:10 AM MST | Last Transaction | The very last transaction as part of this exploit was for 0.24 BTC[19]. |
| July 29th, 2011, 3:41:36 PM MST | MyBitcoin Collapses | The MyBitcoin website is reported to be down on the BitcoinTalk forums, the last time the service was ever accessible[6][20]. |
Total Amount Lost
The losses of all affected users totaled 4019.42939378 BTC based on the receive address[21][15][16]. On BitcoinTalk, this was estimated to be worth roughly $72k USD at the time[15][16]. BuyBitcoinsWorldWide lists a price of $17.51 USD on June 20th, 2011, which would give a total loss of $70,380.21 USD[22].
Immediate Reactions
The pseudonymous operator of MyBitcoin acknowledged at the time:
“We’ve concluded that around 1% of the users on the leaked Mt[G]ox password file had their Bitcoins stolen on MyBitcoin.”
Ultimate Outcome
Affected users were reimbursed the total value of their losses on the MyBitcoin platform. While the MyBitcoin platform later collapsed[20], those who withdrew their funds from the platform could have kept them.
Total Amount Recovered
All 4,019 BTC (worth $72k USD at the time) were ultimately reimbursed to users[15][16].
Ongoing Developments
This case was largely settled at the time with MyBitcoin agreeing to reimburse users who had lost funds.
Prevention Policies
This loss affected only those users who reused passwords across multiple exchange accounts. It could have been prevented if users had avoided password reuse.
Platforms can protect user accounts against breach by requiring a second factor of authentication. Other common signs of an account breach include access from a different IP address (particularly one in another region of the world, a VPN, or a Tor exit node), access to multiple accounts from the same IP address, proceeding immediately to a full withdrawal on the account, password changes, or a large and unexpected cluster of logins at times when the account owners don't normally log in. When an account breach is suspected, delaying the withdrawal of cryptocurrencies is key to preventing loss, as it gives the real account owner time to secure their account.
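The signals listed above can be combined into a withdrawal-hold check on the platform side. The following Python is an added example, not code from MyBitcoin or any cited source; the thresholds, the 24-hour hold, the profile fields, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
HOLD_FOR = timedelta(hours=24)   # assumed delay applied to suspicious withdrawals
FAST = timedelta(minutes=10)     # assumed meaning of "immediately" after login
SHARED_IP_LIMIT = 3              # assumed: accounts per IP before it counts as a signal
MIN_SIGNALS = 2                  # assumed: signals needed to hold a withdrawal

def review(events, profiles, anonymizer_ips):
    """Return {account: (decision, release_time, reasons)} per withdrawal."""
    accounts_by_ip, sessions, decisions = defaultdict(set), {}, {}
    for ts, account, kind, ip, fraction in events:
        when = datetime.fromisoformat(ts)
        if kind == "login":
            prof, reasons = profiles[account], set()
            accounts_by_ip[ip].add(account)
            if ip not in prof["known_ips"]:
                reasons.add("new_ip")
            if ip in anonymizer_ips:          # VPN / Tor exit list (external feed)
                reasons.add("anonymizer")
            if when.hour not in prof["usual_hours"]:
                reasons.add("unusual_hour")
            sessions[account] = (when, ip, reasons)
        elif kind == "password_change":
            sessions[account][2].add("password_changed")
        elif kind == "withdraw":
            login_at, login_ip, reasons = sessions[account]
            reasons = set(reasons)
            if len(accounts_by_ip[login_ip]) >= SHARED_IP_LIMIT:
                reasons.add("shared_ip")
            if fraction >= 0.95 and when - login_at <= FAST:
                reasons.add("fast_full_withdrawal")
            hold = len(reasons) >= MIN_SIGNALS
            decisions[account] = ("hold" if hold else "release",
                                  when + HOLD_FOR if hold else when, sorted(reasons))
    return decisions

# Constructed sample data (documentation IP ranges), not logs from the incident.
PROFILES = {name: {"known_ips": {ip}, "usual_hours": set(range(8, 23))}
            for name, ip in [("alice", "198.51.100.10"), ("bob", "198.51.100.20"),
                             ("carol", "198.51.100.30"), ("dave", "198.51.100.40")]}
EVENTS = [
    ("2011-06-20T03:57:00", "alice", "login", "203.0.113.66", None),
    ("2011-06-20T03:58:00", "bob", "login", "203.0.113.66", None),
    ("2011-06-20T03:59:00", "carol", "login", "203.0.113.66", None),
    ("2011-06-20T04:00:00", "alice", "withdraw", "203.0.113.66", 1.0),
    ("2011-06-20T14:00:00", "dave", "login", "198.51.100.40", None),
    ("2011-06-20T14:30:00", "dave", "withdraw", "198.51.100.40", 0.3),
]
RESULT = review(EVENTS, PROFILES, anonymizer_ips={"203.0.113.66"})
```

In the sample, alice's withdrawal is held for 24 hours because five signals fire at once, while dave's partial withdrawal from his usual address is released with no signals.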
References
- [1] Full text of "MyBitCoin" - Archived FBI Report From August 17th, 2011 (Jan 30, 2023)
- [2] e wallet - When was MyBitcoin created? - Bitcoin Stack Exchange (Jan 30, 2023)
- [3] MyBitcoin - A simple web-based Bitcoin wallet (Original Site) - Internet Archive (Jan 30, 2023)
- [4] MyBitcoin - A simple web-based Bitcoin wallet (CaCert Notice) - Internet Archive (Jan 30, 2023)
- [5] MyBitcoin - Bitcoin Wiki (Apr 12, 2020)
- [6] mybitcoin down or just me? - BitcoinTalk Forum (Jan 30, 2023)
- [7] Nevis - Wikipedia (Jan 30, 2023)
- [8] The biggest scams in Bitcoin history (Feb 15, 2020)
- [9] MyBitcoin.com Is Back: A Week After Vanishing With at Least $250 K. Worth of BTC, Site Claims It Was Hacked | Observer (Jan 30, 2023)
- [10] Bruce Wagner On Use of MyBitcoin - BitcoinTalk (Jan 30, 2023)
- [11] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] (Jan 28, 2020)
- [12] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 15, 2020)
- [13] The biggest scams in Bitcoin history (Feb 15, 2020)
- [14] Jine's Response - BitcoinTalk Forum (Jan 31, 2023)
- [15] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 15, 2020)
- [16] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] (Jan 28, 2020)
- [17] First Bitcoin Withdrawal Transaction - Blockchain.com (Feb 1, 2023)
- [18] Largest Exploit Transaction - Blockchain.com
- [19] Last Blockchain Transaction - Blockchain.com
- [20] MyBitcoin Incident Report - August 5th 2011 (Jan 31, 2023)
- [21] Attacker's Bitcoin Wallet - Blockchain.com (Feb 1, 2023)
- [22] BuyBitcoinsWorldwide Historic Bitcoin Price Chart (Jan 30, 2023)