- It's not asking for the account password. Anyone who knows the usernames (and we can assume the attacker has a copy of the database) can submit a fake claim, and at the very least delay the real claim.
So for all intents and purposes bitcoinica doesn't have your password any more.
- If the attacker had access to the database, how does any of the information asked for demonstrate my real identity?
This is why you have to verify your email. It's critical now. And that's why they need your phone and real name now without exception. And transfers would have to match it. Tough luck, they cannot reasonably go about it any other way.
- It asks for real name and phone number. I never gave bitcoinica that information in the first place (that bit of paranoia has paid off). No advice is on the page for people in that position.
Well, they need it now. See above.
- EXACT balances are requested, but if you supply exact balances it rejects the request saying "give only two decimal places". It's not EXACT any more then, is it?
- Rejecting EXACT balances of more than two decimal places is pretty bad; but no advice is given as to whether the two decimal places you supply should be rounded up or down from your exact balance. If I have 10.009 BTC is that "EXACT"ly 10.01 or 10.00?
Won't this be checked manually? Just give your best guess, man, and if you think it's accurate to the cent, choose "exact".
- Given that there was a complete database compromise -- exactly what is it that you're achieving with all this nonsense? Assuming you kept the passwords hashed, then the only bit of information that can be used to verify the owner that is possibly not compromised is the real owner's knowledge of the unhashed password.
If they really had them hashed, they don't have them unhashed anywhere. They better not, anyway.
In your case, you didn't give them your info (good idea) but you did keep a quantity of money there (bad idea). How can they tell you apart from a hacker who has the same password info as they have? They can't. All they can do is a best effort, and proof of email ownership should be enough in many cases, together with the fact that a hacker won't try and give their real info to get money out of there using the claim procedure. The rest of the "nonsense" is not to tell you apart from one of the hackers, it's to tell you apart from some other person who might want your money, other than the hackers, using stolen identities.
- You send out a verification email, which has no information on it other than a URL to click. You have to click the link to see what the verification details were; but the verification page has no "approve" or "cancel" button. So if an attacker does submit a fake form, then they simply hope that the actual owner clicks the link. Given the dearth of information about the process from bitcoinica, and the lack of advice in the verification email (i.e. "don't click this link if you haven't started a claim") the user will assume that this email is the start of a claims process and will click the link; giving legitimacy to the fake claim.
This sounds like a reasonable concern.
- My email was verified when I registered the account -- what possible purpose is there in verifying it again?
See above. Email ownership is now critical. If you have a significant amount in your account, it's probably a good moment to change your email password from a properly secured computer, before filing the claim.
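Two of the points above are design problems rather than policy problems: a verification link that confirms a claim merely by being opened (so a forged claim is legitimised when the real owner clicks out of curiosity), and an "exact" balance field that only takes two decimals with no stated rounding rule. The following is an added example, not Bitcoinica's code or anything from this thread, sketching how a claims flow could avoid both. All names (the claims URL, `TOKEN_TTL`, the 5% approximate tolerance, the in-memory `PENDING` store) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from decimal import Decimal, ROUND_DOWN, ROUND_UP

# Hypothetical server-side key; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600          # confirmation links die after a day (assumed policy)
CENT = Decimal("0.01")


@dataclass
class Claim:
    username: str
    email: str
    claimed_btc: Decimal       # what the claimant typed, two decimals max
    exact: bool                # claimant ticked "exact"


# Pending claims keyed by nonce. In-memory for the example; a database in practice.
PENDING = {}


def claim_tag(claim, nonce):
    """HMAC over the claim details plus nonce, so a link cannot be reused for a different claim."""
    msg = f"{claim.username}|{claim.email}|{claim.claimed_btc}|{claim.exact}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def open_claim(claim, now=None):
    """Register a claim and build the verification email. Returns (nonce, tag, email_body)."""
    nonce = secrets.token_urlsafe(16)
    PENDING[nonce] = {"claim": claim, "issued": now if now is not None else time.time(),
                      "status": "pending"}
    tag = claim_tag(claim, nonce)
    # The email states what was claimed and offers an explicit reject path; just reading
    # it, or opening the link, must never count as approval (see act_on_claim).
    body = (
        f"A withdrawal claim was filed for account '{claim.username}' for "
        f"{claim.claimed_btc} BTC ({'exact' if claim.exact else 'approximate'}).\n"
        f"If you filed it: https://claims.example/c/{nonce}/{tag}?action=approve\n"
        f"If you did NOT file it: https://claims.example/c/{nonce}/{tag}?action=reject\n"
        f"Doing nothing also leaves the claim unconfirmed; it expires in 24 hours."
    )
    return nonce, tag, body


def act_on_claim(nonce, tag, action, now=None):
    """Handle a visit to the emailed link. Only an explicit approve/reject changes state."""
    rec = PENDING.get(nonce)
    if rec is None:
        return "unknown"
    if not hmac.compare_digest(tag, claim_tag(rec["claim"], nonce)):
        return "bad-token"
    ts = now if now is not None else time.time()
    if rec["status"] == "pending" and ts - rec["issued"] > TOKEN_TTL:
        rec["status"] = "expired"
    if rec["status"] != "pending":
        return rec["status"]            # one-shot: a second click cannot flip the decision
    if action == "approve":
        rec["status"] = "approved"
    elif action == "reject":
        rec["status"] = "rejected"
    return rec["status"]                # a plain view of the page leaves it pending


def balance_matches(claimed, ledger, exact):
    """Compare a two-decimal claim with the full-precision ledger balance.

    'exact' accepts either rounding direction of the ledger value (10.009 -> 10.00 or 10.01),
    which answers the rounding question without asking the user to guess. An approximate
    claim is accepted within 5% of the ledger balance or one cent, whichever is larger
    (assumed tolerance, not Bitcoinica's).
    """
    claimed, ledger = Decimal(str(claimed)), Decimal(str(ledger))
    if exact:
        return claimed in (ledger.quantize(CENT, ROUND_DOWN), ledger.quantize(CENT, ROUND_UP))
    tolerance = max(CENT, abs(ledger) * Decimal("0.05"))
    return abs(claimed - ledger) <= tolerance
```

The point of binding the claim details into the HMAC tag and putting them in the email body is that the recipient can see what is being claimed before acting, and an attacker who forged the claim cannot turn the owner's curiosity click into approval: only the explicit `approve` action transitions the record, and a `reject` click from the real owner closes the forged claim for good.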