Am I the only one finding your excuse for not refunding victims here a little disingenuous?
The 'htemp' hack has been documented by many people, and the root cause was a clear defect in your security model. But you won't own up to the failure because somebody might pretend to be hacked? You have a clear trail for anyone who had funds transferred to the 'htemp' account.
I don't see how you can justify not compensating victims in this case. Considering the huge fees you are collecting on trades, you should take a day's income and make your mistake right for the victims. If you want to require 2FA for compensation in the future, that is a different matter.
The issue was not from a cross-site post, but from a list of user/passwords that were used by an abuser.
There was a cross-site vulnerability which has now been fixed. (https://bitcointalksearch.org/topic/m.2685210)
The users affected by 'htemp' and 2 other user accounts had their accounts directly accessed on the first attempt by a 3rd party who was testing a user/pass list which looks to be stolen from another site.
There were only 2 reported incidents of any account hacking via cross-site scripting, which were indeed credited.
Since the 2-factor requirement for transfers has been in place, there have been no further reports of abuse.
I suggest using a different e-mail/password combination on different bitcoin based sites out there, as you never know who else out there gets hacked and they never tell you.
Our system logged a botnet of over 5,000 account attempts one after another. The majority of the matching ones had 2-factor enabled which stopped their account loss.
Those known users were already contacted weeks ago to let them know of the situation and their vulnerability and that they should change that password combination on other sites.
-Ukyo
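Ukyo's account of the incident (a stolen user/pass list tried once per account from a botnet, with most matching accounts saved by 2FA) maps onto a detection that distinguishes credential stuffing from ordinary brute force: one source trying many distinct usernames with very few attempts each, as opposed to many attempts against a single account. The Python below is an added example, not code from this thread or from the site's own logging. The log format, field names (`src`, `user`, `result`, `mfa`) and thresholds are assumptions, and the log lines are constructed. It also separates accounts that need a password-reset notice (password matched, no 2FA) from accounts that were held by 2FA.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample auth log (not real data). The first source cycles through
# many distinct usernames, one try each; the second hammers a single account.
# "mfa" records whether the account had 2FA enabled; "result" is the password check.
SAMPLE_LOG = """\
2013-07-01T10:00:01Z src=203.0.113.5 user=alice result=fail mfa=false
2013-07-01T10:00:02Z src=203.0.113.5 user=bob result=success mfa=false
2013-07-01T10:00:03Z src=203.0.113.5 user=carol result=success mfa=true
2013-07-01T10:00:04Z src=203.0.113.5 user=dave result=fail mfa=false
2013-07-01T10:00:05Z src=203.0.113.5 user=erin result=fail mfa=false
2013-07-01T10:00:06Z src=203.0.113.5 user=frank result=success mfa=false
2013-07-01T10:05:00Z src=198.51.100.7 user=alice result=fail mfa=false
2013-07-01T10:05:10Z src=198.51.100.7 user=alice result=fail mfa=false
2013-07-01T10:05:20Z src=198.51.100.7 user=alice result=success mfa=true
"""

# Assumed line layout; adapt the regex to whatever the real auth log emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|fail) mfa=(?P<mfa>true|false)$"
)


@dataclass
class Attempt:
    ts: str
    src: str
    user: str
    success: bool
    mfa: bool


def parse_log(text):
    """Parse log lines into Attempt records, skipping malformed lines."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attempts.append(Attempt(m["ts"], m["src"], m["user"],
                                m["result"] == "success", m["mfa"] == "true"))
    return attempts


def profile_sources(attempts):
    """Per source: distinct users tried, tries per user, and first-attempt outcomes."""
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)
    profiles = {}
    for src, rows in by_src.items():
        per_user = defaultdict(list)
        for a in rows:  # rows keep log order, so per_user[u][0] is the first try
            per_user[a.user].append(a)
        first_hits = [u for u, tries in per_user.items() if tries[0].success]
        profiles[src] = {
            "distinct_users": len(per_user),
            "max_tries_per_user": max(len(t) for t in per_user.values()),
            "first_attempt_successes": sorted(first_hits),
            # password matched and no 2FA: treat as compromised, notify and reset
            "compromised": sorted(u for u in first_hits if not per_user[u][0].mfa),
            # password matched but 2FA stood in the way: still needs a reset notice
            "held_by_2fa": sorted(u for u in first_hits if per_user[u][0].mfa),
        }
    return profiles


def flag_credential_stuffing(profiles, min_users=5, max_tries=2):
    """Stuffing: many distinct users, few tries each. Brute force is the reverse."""
    return {src: p for src, p in profiles.items()
            if p["distinct_users"] >= min_users and p["max_tries_per_user"] <= max_tries}


def triage(text, min_users=5, max_tries=2):
    """Full pipeline: parse, profile per source, flag stuffing sources."""
    return flag_credential_stuffing(profile_sources(parse_log(text)), min_users, max_tries)


if __name__ == "__main__":
    for src, p in triage(SAMPLE_LOG).items():
        print(f"{src}: {p['distinct_users']} users tried, "
              f"compromised={p['compromised']}, held_by_2fa={p['held_by_2fa']}")
```

The thresholds are deliberately low so the constructed sample trips them; against real traffic `min_users` would be tuned per site, and the brute-force source (one user, three tries) is left to a separate lockout rule rather than this one.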