MyBitcoin Username/Password Breach
MyBitcoin was a popular wallet service for new users of bitcoin. The exact origins and founding of the service are not fully known. A file containing usernames and weakly hashed passwords from Mt. Gox, then the largest bitcoin exchange, was leaked. Attackers used it to log in to MyBitcoin accounts whose owners had reused the same password on both services and drained them; around 1% of the accounts in the leaked file were affected.
Ultimately, MyBitcoin sought to cover the losses for users.
About MyBitcoin
MyBitcoin was a wallet platform catering primarily to cryptocurrency newbies interested in buying bitcoin for the first time. The exact founding date of MyBitcoin is not fully known. One source reports that "MYBITCOIN has been in business since [the] middle of 2009"[1], while domain name WHOIS reports that the domain first existed on April 25th, 2010[2]. The Internet Archive's first capture of actual site content dates to February 11th, 2011[3], although earlier versions of the site may have loaded content if the user installed "CACert's security certificate"[4].
The website showed the name MyBitcoin LLC[5][3], while domain name WHOIS entries gave a mailing address at a post office box in Nevis[5][6], part of the Caribbean island nation of St. Kitts and Nevis[7]. It is not known whether the company was truly an LLC or, if so, where it was located[5]. Domain name WHOIS and a later announcement on the website showed the founder as someone named Tom Williams[6][8].
MyBitcoin built its reputation by providing a free, user-friendly service targeted at newbie Bitcoin buyers. An excerpt from the first version of the website mentioned it as "[a]n intuitive web-interface for Bitcoin" with "[n]o software to download, install, or configure", with easy integration for merchants to send and receive funds in bitcoin[3].
MyBitcoin sports an easy to use interface with large navigation buttons. It is suitable for those who are just trying Bitcoin out, or for those who want to use Bitcoin for commerce now, and without delay.
Downloading and installing the Bitcoin software isn't a requirement to trade with MyBitcoin. Of course, you can still use the Bitcoin software in conjunction with MyBitcoin. The choice is entirely yours!
Just like many other popular payment systems; you can easily generate and paste HTML code onto your website to accept Bitcoin payments! No more messy programming, or other headaches. You'll have your website accepting Bitcoin in minutes!
Price the goods and services on your website in any national currency, and have our SCI convert the prices into Bitcoins as each purchase is made.
You can have every single incoming payment forward to another Bitcoin address. Great for those who want to keep their coins on their desktop PC, or all in one place, but still want to use our shopping cart interface and merchant tools.
MyBitcoin is completely free. We are supported by selling small text ads that are in our login area. We are also planning on selling support packages in the near future.
Dozens of users flocked to the platform in its early days, and it reportedly held more deposits than the third largest exchange at the time, Bitomat.pl[9]. One of the more prominent users was Bruce Wagner, Bitcoin evangelist and host of The Bitcoin Show.[10][9]
We have a lot of bitcoin there..... ( as has already been reported in the press )... Many -- perhaps most -- non-technical people... and businesses, I know and associate with,.... rely on MyBitcoin.com Most of my friends and family and associates.... all have all their bitcoin there too.
The Reality
It is unclear whether Tom Williams is the real name of the individual who founded MyBitcoin[11][12], and some have argued that he ran the entire service as a fraud.[8][13]
05:10:57 < shockdiode> In Charlestown in St Kitts and Nevis?
05:11:10 < shockdiode> people use that country as a privacy cloak
05:11:44 < shockdiode> getting incorporated there pretty much gu[a]rantees your anonymity
The service was reportedly storing funds insecurely, with over half of the funds left in an online hot wallet[8].
What Happened
An incident at Mt. Gox allowed a database of weakly hashed passwords to be compromised.
According to MagicalTux, Mt. Gox's protection scheme at the time was to store an MD5 hash of each password in its database, along with a salt. He did not specify whether a single salt was applied to all user passwords, whether salts were rotated periodically, or whether each user had a unique salt. The distinction matters: with one site-wide salt, an attacker hashes each candidate password once and compares the result against every row, so the salt adds almost nothing to the cost of cracking the whole file, and MD5 itself is fast enough to test hundreds of millions of candidates per second on commodity hardware.
It is reported that all users with reused passwords between Mt. Gox and MyBitcoin had their bitcoin withdrawn and sent to the attacker's bitcoin address[12][11].
| Date | Event | Description |
|---|---|---|
| June 13th, 2011 5:00 PM | Potential Breach | It is believed that the user account data breach may trace back to a June 13th incident where 478 accounts were robbed of 25,000 BTC[14][15]. |
| June 17th, 2011 | Pastebin Leak | Hacked information from the Mt. Gox database was leaked on Pastebin "signed by ~cRazIeStinGeR~ and tied to auto36299386@hushmail.com"[14]. |
| June 20th, 2011 03:57:31 AM MST | First Transaction | Users with the same password on Mt. Gox and the MyBitcoin platform started to see their accounts breached. The very first transaction was for 28.21 BTC[16]. |
| June 20th, 2011 04:16:15 AM MST | Largest Transaction | The largest transaction in the set, for 2112.64714744 BTC[17]. |
| June 20th, 2011 04:54:10 AM MST | Last Transaction | The very last transaction as part of this exploit was for 0.24 BTC[18]. |
| July 29th, 2011, 3:41:36 PM MST | MyBitcoin Collapses | The MyBitcoin website is reported to be down on the BitcoinTalk forums, the last time the service was ever accessible[6][19]. |
Total Amount Lost
The losses of all affected users totaled 4019.42939378 BTC based on the receiving address[20][12][11]. On BitcoinTalk this was estimated at $71,656 USD at the time[12][11]. BuyBitcoinsWorldWide lists a price of $17.51 USD on June 20th, 2011, which would give a total loss of $70,380.21 USD[21].
Immediate Reactions
The pseudonymous operator of MyBitcoin acknowledged the incident at the time. He explained that he had been monitoring the system during the attack and that the attacker had prepared authenticated sessions in advance so as to withdraw as much as possible before being locked out[22].
As many of you already know, Mtgox was hacked and its password file was leaked. As soon as we heard about the leak we were closely monitoring the system for abnormal activity, and we didn't see any.
At first glance, we didn't see any hard evidence that a password leak had even occurred. There was just a lot of speculation to an SQL injection vulnerability in Mtgox's site. A few clients of ours had informed us of the forum threads, and we watched them carefully.
The following morning a client of ours sent us the download link to the leaked Mtgox password file. We promptly downloaded the file, put up a warning on the main page, and disabled the login.
We attempted to line up usernames from the leak, and we found a lot of matching ones. We started locking down all of those accounts using a script that we had to have written at a moment's notice. It was during this time that we noticed a flurry of spends happening. Yes, even with the site disabled.
The attacker had active sessions open to the site. We quickly flushed them and the spends stopped abruptly. We disabled the SCI, all payment forwarding, and all receipt URL traffic on all of the usernames in the Mtgox leak.
We proceeded to change the password on every account where the username matched our system's database. PGP-signed emails went out to all of the accounts that we changed the password on. If an account didn't have an email address or had already been compromised we put up a bulletin. (Email addresses were mandatory when we opened our service initially, but people complained that it wasn't truly anonymous so we made them optional. Unfortunately this makes contacting a security-compromised customer impossible.)
An investigation was conducted at that time, and we determined that the attacker had opened up a session to each active user/password pair ahead of time, solved the captcha, and used some sort of bot to maintain a connection so our system wouldn't timeout on the session. It was likely his intent to gain access to more accounts than he did, but as soon as he noticed that we had changed the main page of the site he sprung into action by sending a flurry of spends. (Before you ask: no, we don't limit logins per IP address. We can't. We have a lot of users that come in from Tor and I2P that all appear to share the same source IP address.)
We've concluded that around 1% of the users on the leaked Mtgox password file had their Bitcoins stolen on MyBitcoin. It is unfortunate, and a horrible experience for the Bitcoin community in general.
The IP address that the attacker used was a Tor exit node and the spends were to an address that is outside of our system.
Ultimate Outcome
Affected users were reimbursed the full value of their losses on the MyBitcoin platform. The platform itself collapsed shortly afterward[19], so only those who withdrew their funds from the platform before then would have kept them.
Total Amount Recovered
All bitcoin lost were apparently reimbursed to users[12][11], although the MyBitcoin platform would collapse within a few months.
Ongoing Developments
This case was largely settled at the time with MyBitcoin agreeing to reimburse users who had lost funds.
Individual Prevention Policies
This loss affected only those users who reused the same password across services (here, Mt. Gox and MyBitcoin). It could have been prevented if users had avoided password reuse. Users can also better protect themselves by using passwords with higher entropy, which resist the offline cracking that turns a leaked hash file into a usable password list.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Databases can be better protected by ensuring that passwords are strongly hashed. A strong password hash uses a unique random salt for every user and a deliberately slow, memory-hard password hashing function (bcrypt, scrypt or Argon2) rather than a fast general-purpose hash such as MD5. The per-user salt forces an attacker to attack each account separately, and the slow function makes every guess expensive, which together make brute-forcing a leaked database far harder. Platforms can also force users to select stronger passwords when initially setting up their accounts.
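The following is an added example, not code from MyBitcoin, Mt. Gox or the original page. It models the two readings of MagicalTux's "MD5 with a salt" statement from the What Happened section (one site-wide salt versus a salt per user) and the hardened scheme this section recommends. The user records, wordlist and site-wide salt are constructed for the example; the hardened variant uses scrypt from Python's standard library, which assumes an OpenSSL build that provides it.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for this example only (not from any real leak).
SITE_SALT = b"sitewide-salt"  # a single salt shared by every record (the weak case)
CREDS = [
    ("alice", b"hunter2"),
    ("bob", b"bitcoin2011"),
    ("carol", b"7kQ!pz#Vm2$wLr9e"),  # not in the wordlist, so it survives the attack
]
WORDLIST = [b"letmein", b"hunter2", b"bitcoin2011", b"correct horse", b"qwerty"]


def md5_salted(salt: bytes, password: bytes) -> str:
    """MD5(salt || password): fast, and only as good as the salt's uniqueness."""
    return hashlib.md5(salt + password).hexdigest()


def build_global_salt_db(creds):
    """Every row hashed with the same site-wide salt."""
    return {user: md5_salted(SITE_SALT, pw) for user, pw in creds}


def build_per_user_salt_db(creds):
    """Each row gets its own random 16-byte salt, stored next to the hash."""
    db = {}
    for user, pw in creds:
        salt = os.urandom(16)
        db[user] = (salt, md5_salted(salt, pw))
    return db


def crack_global_salt(db, wordlist):
    """With one shared salt each candidate is hashed once and compared against
    every row, so the cost is len(wordlist) hashes however many users there are."""
    cracked, hashes = {}, 0
    for word in wordlist:
        h = md5_salted(SITE_SALT, word)
        hashes += 1
        for user, stored in db.items():
            if stored == h:
                cracked[user] = word
    return cracked, hashes


def crack_per_user_salt(db, wordlist):
    """With per-user salts every (user, candidate) pair needs its own hash,
    so the cost grows to as much as len(db) * len(wordlist) hashes."""
    cracked, hashes = {}, 0
    for user, (salt, stored) in db.items():
        for word in wordlist:
            hashes += 1
            if md5_salted(salt, word) == stored:
                cracked[user] = word
                break
    return cracked, hashes


# Hardened scheme: per-user random salt plus a memory-hard KDF (scrypt).
# n=2**14, r=8 uses about 16 MiB per guess, which is what slows an attacker down.
def scrypt_hash(password: bytes, salt: Optional[bytes] = None):
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, key


def scrypt_verify(password: bytes, salt: bytes, key: bytes) -> bool:
    _, candidate = scrypt_hash(password, salt)
    return hmac.compare_digest(candidate, key)  # constant-time comparison


if __name__ == "__main__":
    g_cracked, g_hashes = crack_global_salt(build_global_salt_db(CREDS), WORDLIST)
    p_cracked, p_hashes = crack_per_user_salt(build_per_user_salt_db(CREDS), WORDLIST)
    print("site-wide salt:", sorted(g_cracked), "after", g_hashes, "MD5 calls")
    print("per-user salt: ", sorted(p_cracked), "after", p_hashes, "MD5 calls")
    s, k = scrypt_hash(b"hunter2")
    print("scrypt verify:", scrypt_verify(b"hunter2", s, k), scrypt_verify(b"hunter3", s, k))
```

Both MD5 variants still fall to a dictionary attack on weak passwords; the per-user salt only multiplies the attacker's work by the number of accounts. What changes the economics is the slow function: at scrypt's cost per guess, the same wordlist against a leaked file takes orders of magnitude longer than the MD5 run, which is the window in which a platform can force resets.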
Platforms can protect against the takeover of user accounts by requiring a second factor of authentication. Common signals of an account breach include: access from an IP address the user has never used before (particularly one in another region of the world, a VPN, or a Tor exit node); many different accounts accessed from the same IP address; a full withdrawal initiated immediately after login; a password change; or a large, unexpected cluster of logins at times users do not normally log in. When an account breach is suspected, delaying the withdrawal of cryptocurrencies is key to preventing loss, as it gives the real account owner time to secure their account.
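The following is an added example, not code from MyBitcoin or the original page, showing how the signals listed above can be scored against withdrawal events to decide whether to hold a withdrawal for review. The Tor exit list, the users' usual IP addresses, balances and event log are constructed for the example; the weights and the hold threshold are assumptions. Because the operator noted that Tor and I2P users share exit IPs, the "many accounts from one IP" signal is deliberately weighted so that it cannot trigger a hold on its own.

```python
from datetime import datetime, timedelta

# Constructed sample data for this example only (not real MyBitcoin logs).
TOR_EXITS = {"203.0.113.7"}                     # hypothetical Tor exit list
USUAL_IPS = {                                   # IPs each user has logged in from before
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.22"},
    "carol": {"203.0.113.7"},                   # carol habitually logs in over Tor
}
BALANCES = {"alice": 12.5, "bob": 2112.64714744, "carol": 3.0}

# (timestamp, kind, user, ip, amount): one exit IP opens three sessions in a
# few minutes, then drains two of the accounts; carol's later activity is normal.
EVENTS = [
    ("2011-06-20T03:50:00", "login", "alice", "203.0.113.7", None),
    ("2011-06-20T03:51:00", "login", "bob", "203.0.113.7", None),
    ("2011-06-20T03:52:00", "login", "carol", "203.0.113.7", None),
    ("2011-06-20T03:57:31", "withdraw", "alice", "203.0.113.7", 12.5),
    ("2011-06-20T04:16:15", "withdraw", "bob", "203.0.113.7", 2112.64714744),
    ("2011-06-20T09:00:00", "login", "carol", "203.0.113.7", None),
    ("2011-06-20T10:00:00", "withdraw", "carol", "203.0.113.7", 0.5),
]

# Assumed weights: a shared IP alone (Tor/I2P users look identical) never reaches the hold line.
WEIGHTS = {
    "tor exit": 1,
    "unfamiliar ip": 1,
    "ip shared by many accounts": 1,
    "withdrawal minutes after login": 1,
    "near-full balance": 2,
}
HOLD_AT = 3


def assess_withdrawals(events, window=timedelta(minutes=30), hold_at=HOLD_AT):
    """Score every withdrawal on the breach signals and decide whether to hold it.

    Returns {(user, timestamp): {"score", "reasons", "hold"}}.
    """
    evs = [(datetime.fromisoformat(ts), kind, user, ip, amt)
           for ts, kind, user, ip, amt in events]
    decisions = {}
    for ts, kind, user, ip, amt in evs:
        if kind != "withdraw":
            continue
        reasons = []
        if ip in TOR_EXITS:
            reasons.append("tor exit")
        if ip not in USUAL_IPS.get(user, set()):
            reasons.append("unfamiliar ip")
        # Logins from the same IP in the window leading up to this withdrawal.
        recent = [(t, u) for t, k, u, i, _ in evs
                  if k == "login" and i == ip and ts - window <= t <= ts]
        if len({u for _, u in recent}) >= 3:
            reasons.append("ip shared by many accounts")
        if any(u == user for _, u in recent):
            reasons.append("withdrawal minutes after login")
        if amt >= 0.95 * BALANCES[user]:
            reasons.append("near-full balance")
        score = sum(WEIGHTS[r] for r in reasons)
        decisions[(user, ts.isoformat())] = {
            "score": score,
            "reasons": reasons,
            "hold": score >= hold_at,
        }
    return decisions


if __name__ == "__main__":
    for (user, ts), d in assess_withdrawals(EVENTS).items():
        action = "HOLD for review" if d["hold"] else "release"
        print(f"{ts} {user:6} score={d['score']} {action}: {', '.join(d['reasons'])}")
```

A hold is not a block: the withdrawal is queued and the owner is notified through a channel the attacker does not control, which is exactly the step that was unavailable here for accounts registered without an email address.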
All aspects of any platform should undergo regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the same third party not perform the inspection twice within a 14 month period.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
A section with the references where information came from.
- [1] Full text of "MyBitCoin" - Archived FBI Report From August 17th, 2011 (Jan 30, 2023)
- [2] e wallet - When was MyBitcoin created? - Bitcoin Stack Exchange (Jan 30, 2023)
- [3] MyBitcoin - A simple web-based Bitcoin wallet (Original Site) - Internet Archive (Jan 30, 2023)
- [4] MyBitcoin - A simple web-based Bitcoin wallet (CaCert Notice) - Internet Archive (Jan 30, 2023)
- [5] MyBitcoin - Bitcoin Wiki (Apr 12, 2020)
- [6] mybitcoin down or just me? - BitcoinTalk Forum (Jan 30, 2023)
- [7] Nevis - Wikipedia (Jan 30, 2023)
- [8] The biggest scams in Bitcoin history (Feb 15, 2020)
- [9] MyBitcoin.com Is Back: A Week After Vanishing With at Least $250 K. Worth of BTC, Site Claims It Was Hacked - Observer (Jan 30, 2023)
- [10] Bruce Wagner On Use of MyBitcoin - BitcoinTalk (Jan 30, 2023)
- [11] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses [Old] (Jan 28, 2020)
- [12] List of Major Bitcoin Heists, Thefts, Hacks, Scams, and Losses (Feb 15, 2020)
- [13] Jine's Response - BitcoinTalk Forum (Jan 31, 2023)
- [14] Mt. Gox Auditor Theft
- [15] Inside the Mega-Hack of Bitcoin: the Full Story - DailyTech (Feb 2, 2023)
- [16] First Bitcoin Withdrawal Transaction - Blockchain.com (Feb 1, 2023)
- [17] Largest Exploit Transaction - Blockchain.com
- [18] Last Blockchain Transaction - Blockchain.com
- [19] MyBitcoin Incident Report - August 5th 2011 (Jan 31, 2023)
- [20] Attacker's Bitcoin Wallet - Blockchain.com (Feb 1, 2023)
- [21] BuyBitcoinsWorldwide Historic Bitcoin Price Chart (Jan 30, 2023)
- [22] Tom Williams on MyBitcoin account breaches (Feb 2, 2023)