It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
But the hacker made off with a bunch of unsalted, MD5-hashed passwords and user accounts… which leads to all other accounts using those same credentials.
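As an added defender-side example (not from the Mt.Gox statement or any Mt.Gox code), this Python snippet shows why the unsalted MD5 storage described above lets a leaked table reveal every account sharing a password, and how a site can move to salted PBKDF2 by re-hashing each account on its next successful login. The record layout and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Parameters for the replacement scheme (assumed values, not Mt.Gox's).
PBKDF2_ITERATIONS = 310_000
SALT_BYTES = 16


def legacy_md5(password: str) -> str:
    """The weak format from the breach: unsalted MD5 hex digest.
    Two users with the same password get the same digest, so one
    leaked table exposes shared passwords and precomputed lookups work."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _pbkdf2(password: str, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    ).hex()


def new_record(password: str) -> dict:
    """Salted, slow hash: a random per-user salt plus PBKDF2-HMAC-SHA256.
    Equal passwords now yield different records."""
    salt = os.urandom(SALT_BYTES)
    return {
        "scheme": "pbkdf2",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": _pbkdf2(password, salt, PBKDF2_ITERATIONS),
    }


def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Check a login against a stored record. On success, legacy MD5
    entries are transparently replaced with a PBKDF2 record so the
    weak hashes disappear from the database over time."""
    if record["scheme"] == "md5":
        ok = hmac.compare_digest(record["hash"], legacy_md5(password))
        return ok, (new_record(password) if ok else record)
    if record["scheme"] == "pbkdf2":
        digest = _pbkdf2(password, bytes.fromhex(record["salt"]), record["iterations"])
        return hmac.compare_digest(record["hash"], digest), record
    raise ValueError("unknown password scheme: %r" % record["scheme"])


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    a, b = legacy_md5("correct horse"), legacy_md5("correct horse")
    print("unsalted MD5 identical across users:", a == b)
    ok, upgraded = verify_and_upgrade({"scheme": "md5", "hash": a}, "correct horse")
    print("login ok:", ok, "-> stored scheme now:", upgraded["scheme"])
```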
It would be interesting to know where that auditor was stationed – whether inside the Mt.Gox company or external – and if they can tell whether the hacker who compromised the auditor’s computer was internal or external.
It’s been a bad weekend for Mt.Gox, which until now has been the most popular method for converting between Bitcoins and more conventional currencies. Earlier in the weekend, it was reported that the site was vulnerable to a cross-site request forgery in which a logged-in user could be tricked into submitting fraudulent transaction requests.