You want a told you so? If a website has 2FA of any kind, USE IT. PERIOD. DOUBLY SO IF IT IS A FINANCIAL WEBSITE LIKE GLBSE.
I have no clue why the fuck people think this is optional. I've asked nefario to mandate it to use GLBSE, but he gets all bitchy about it. Banks frequently do it (especially in Europe), so why not GLBSE? Just fucking do it.
You're bashing the wrong guy. Wait for when you learn something the hard way and then receive nothing but contempt. That's no way to treat someone who fell victim. The way I see it there are currently a few explanations:
1) hacked Windows
2) leaked password hash (does anybody know which hash function GLBSE uses?)
3) not enough entropy in the password
4) glitch in GLBSE (actually the exact match with 17:00:00 makes me worried, let's see what others have)
I see I've started to derail the thread. Obviously, my comments were meant to inform everyone of what happened and I should have expected a number of responses.
Sorry for that.
On the point of 2FA. Yes, it's a big deal and it's foolish not to use it. It's foolish just the same for a financial service to operate at less than secure mode as default and then not take a rigorous approach to inform users by explicit notification and links to any third-party OSS software required to establish a sufficient level of protection (and this is especially true in the case of Google 2FA, as Google's primary use case is with the use of smart phones and can mislead uninitiated users). I'm just reiterating what I said in my original post, so obviously this falls on deaf ears to some. I fault Mt. Gox and any other site that doesn't enforce 2FA. I use Yubikey. So, there.
In my case the problem is twofold. One, neither Nefario nor I know exactly what happened. Though on the day of the compromise, circumstances could have allowed a security vulnerability not limited by 2FA.
That's the Session Fixation vulnerability. Despite Nefario's refusal to take any responsibility for such a vulnerability, it's an old, common vulnerability where security whitepapers have stated that the only effective countermeasure for Session Fixation is to design the Web application to use strict session controls that limit session id creation and tightly control their invalidation, or the need for revalidation.
Edit: Some have jumped to the conclusion that this *IS* what happened. This is my best assumption. I typically log out and don't leave sensitive sites open.
I think I have a good idea what might have happened. My GLBSE session was still active after closing the browser tab. I spent some time on web freenode and was probed and compromised from that source.
Speculation, but it's the best thing I can come up with.
Use 2FA and don't have any other browser window open while using GLBSE. I am your example to learn from.
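The session controls described in the posts above (a session id that predates login must never become an authenticated id, logout must destroy state on the server rather than just the cookie, and an idle session must expire) can be shown in a few dozen lines. The following is an added example, not GLBSE's code or anything Nefario published; the `SessionStore` class, the user name "alice", the timestamps and the 900-second idle timeout are all constructed for illustration. The weak path (`rotate_on_login=False`) keeps whatever id the client presented, which is the behaviour session fixation depends on; the hardened path discards it and issues a fresh id at the moment of authentication.

```python
import secrets


class SessionStore:
    """Server-side session store keyed by an unguessable id (added example).

    Mitigations demonstrated:
      * an id that existed before login never becomes an authenticated id
        (rotate on privilege change), which removes session fixation;
      * ids the server did not issue are ignored rather than adopted;
      * logout destroys the record server-side, so a cookie left in another
        tab or a closed tab cannot be replayed;
      * an idle timeout expires sessions that were simply left open.
    """

    def __init__(self, idle_timeout=900):
        self.sessions = {}            # sid -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout

    def _issue(self, user, now):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def anonymous(self, now):
        """Pre-login session (e.g. to carry a CSRF token before authentication)."""
        return self._issue(None, now)

    def login(self, presented_sid, user, now, rotate_on_login=True):
        """Authenticate `user`; returns the id the client must use from now on."""
        if not rotate_on_login:
            # Weak pattern: keep the id the client presented and mark it
            # authenticated. Anyone who already knew that id now holds an
            # authenticated session too.
            if presented_sid in self.sessions:
                self.sessions[presented_sid].update(user=user, last_seen=now)
                return presented_sid
        # Hardened pattern: invalidate the pre-login id (if it was ours at all)
        # and issue a fresh one bound to the authenticated user.
        self.sessions.pop(presented_sid, None)
        return self._issue(user, now)

    def current_user(self, sid, now):
        """Resolve a presented id to a user, enforcing the idle timeout."""
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > self.idle_timeout:
            del self.sessions[sid]        # expired: the user must revalidate
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid):
        """Destroy the session on the server, not merely the client cookie."""
        self.sessions.pop(sid, None)


def fixation_outcome(rotate_on_login):
    """Which user does an id obtained BEFORE the victim's login resolve to
    AFTER the login? Returns (pre_login_id_user, post_login_id_user)."""
    store = SessionStore()
    pre_login_sid = store.anonymous(now=0)        # id known before authentication
    post_login_sid = store.login(pre_login_sid, "alice", now=10,
                                 rotate_on_login=rotate_on_login)
    return (store.current_user(pre_login_sid, now=20),
            store.current_user(post_login_sid, now=20))


def stale_session_outcome():
    """Logout and idle timeout both invalidate server-side state.
    Returns (valid_before_logout, user_after_logout, user_after_idle)."""
    store = SessionStore(idle_timeout=900)
    sid = store.login(store.anonymous(0), "alice", now=0)
    still_valid = store.current_user(sid, now=100) == "alice"
    store.logout(sid)
    after_logout = store.current_user(sid, now=101)
    sid2 = store.login(store.anonymous(0), "alice", now=0)
    after_idle = store.current_user(sid2, now=901)    # 901 s idle > 900 s limit
    return still_valid, after_logout, after_idle


if __name__ == "__main__":
    print("rotate_on_login=False:", fixation_outcome(False))   # ('alice', 'alice')
    print("rotate_on_login=True: ", fixation_outcome(True))    # (None, 'alice')
    print("stale session:", stale_session_outcome())           # (True, None, None)
```

The first tuple shows the problem: without rotation, the id that existed before authentication resolves to the victim afterwards. With rotation the old id is dead and only the freshly issued one works. The second function covers the "session still active after closing the tab" case from the post above: if the server forgets the session on logout and after idle time, a lingering cookie has nothing to resolve to.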