Gmail unusual activity - page 2. | Bitcointalksearch.org

scooter

member

Activity: 100

Merit: 10

Quote from: Dansker on June 19, 2011, 05:44:41 PM

Just verified mine too...

I will never use mtgox again, any website that doesn't protect my email adress can go fuck itself.

You should stop using every website then.
The fact that nearly every website uses an email address username/password combination for authentication and the fact that nearly 3/4ths of all people use the same password for everything means that all it takes is for one website to get hacked and people have a way in to almost every other site you are part of.

No security is 100%, but the number of hacks that have happened in recent months is incredible.
We need to rethink the whole way we do authentication on the internet.

Funny thing is.. I was in the middle of writing an article on this topic when I got the news.

grod

full member

Activity: 154

Merit: 100

Siiigh. That gmail address of mine was one I use for 'serious' stuff having to do with money and registration on sites I actually care about (as opposed to all the freebie service ones, where I don't give a rat's behind if someone hijacks). It was not widely available in the spammer circles.

Now it's out there for spammers and scammers to do their thing to.

Luckily I don't re-use usernames, never mind passwords, so other email and other services shouldn't be horribly impacted.

Thanks mtgox! Seriously. And if you couldn't fix your code after all the reports of being compromised there's 0 chance you'll fix it in the future. Buhbye.

Mike Hearn

legendary

Activity: 1526

Merit: 1134

Yes, we should have a message for when password leaks occur specifically. I will add this to our todo list.

CharlieContent

full member

Activity: 210

Merit: 100

Quote from: Mike Hearn on June 19, 2011, 05:14:57 PM

Hi guys,

The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.

Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).

thanks,

Mike
Google abuse/anti-hijack team

Thanks Mike! Really appreciate it. Maybe Google could set up a BitCoin exchange?

MagicalTux: You are an idiot son. You've gone from respected by the community to despised just because you're too stupid, or too lazy to secure your website. I sincerely hope Mt. Gox doesn't come back from this. It was so stupid to have so much trade centralised in a website that used to be for trading pieces of card to be used in a children's game.

Go back to trading Magic the Gathering Cards, you fucking amateur.

Dansker

hero member

Activity: 740

Merit: 500

Hello world!

Yeah, it's a bit misleading to say there had been suspicious activity with the accounts, since they have simply shown up on the list, and no log-in attempts may have been made what so ever.

Although It's much appreciated that google cares for the safety of their users so much. We need it, and you need it too.

imperi

full member

Activity: 196

Merit: 101

I thought someone was just entering random stuff into my Gmail, because both my Mtgox and Gmail are pretty strong. Guess not apparently.

EricJ2190

full member

Activity: 134

Merit: 102

I got it too, and I use a completely different (and stronger) password for Gmail than my password from MtGox. Gmail's logs show no access from unusual IPs, so I assume somebody was just trying to use my MtGox password on Gmail.

interfect

full member

Activity: 141

Merit: 100

Quote from: Mike Hearn on June 19, 2011, 05:14:57 PM

Hi guys,

The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.

Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).

thanks,

Mike
Google abuse/anti-hijack team

Thanks!

It would be nice to get a better message than "unusual activity", though, seeing as how, in this instance, there was (presumably) no actual activity on the account that led to the lock. Maybe something like "A password for an account at associated with this e-mail address has been leaked. Your Google password has been invalidated to protect your account" or some such.

Dansker

hero member

Activity: 740

Merit: 500

Hello world!

Just verified mine too...

I will never use mtgox again, any website that doesn't protect my email adress can go fuck itself.

Litt

sr. member

Activity: 350

Merit: 250

Quote from: Mike Hearn on June 19, 2011, 05:14:57 PM

Hi guys,

The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.

Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).

thanks,

Mike
Google abuse/anti-hijack team

Preemptive actions before things really get out of hand. Now that is a sound business practice right here.

Bunghole

member

Activity: 64

Merit: 10

I want to point out that my email account is NOT gmail yet was suspended shortly after the CSV file was published. So, that couldn't be due to the Google employee's help. Someone must be trying to brute-force their way into my account.

Quote

I'm in the CSV file and my email account now appears to be suspended. For privacy reasons, I don't want to name the email provider, but I will say that it is a smaller one that most have probably never heard of. I'm guessing that someone is trying to brute-force their way in - the email provider noticed it and suspended my account for now. But strangely, I can still log into my provider's website - just can't receive mail.

Slab Squathrust

full member

Activity: 169

Merit: 100

Still waiting on mine. I changed all passwords as a precaution just because. Its a shame that the email address is out there though. I'm looking forward to cheap viagra and other dick enhancement offers.

Bunghole

member

Activity: 64

Merit: 10

I'm in the CSV file and my email account now appears to be suspended. For privacy reasons, I don't want to name the email provider, but I will say that it is a smaller one that most have probably never heard of. I'm guessing that someone is trying to brute-force their way in - the email provider noticed it and suspended my account for now. But strangely, I can still log into my provider's website - just can't receive mail.

palmertech

newbie

Activity: 22

Merit: 0

I just got this notification, too, so I guess someone must be going through all the accounts that got leaked. Undecided

Had to do a phone verification, and I also got notification from eBay, to boot! Luckily, I use different passwords.

I think I am done with MtGox.

Herodes

hero member

Activity: 868

Merit: 1000

All passwords should be different and random. Use something like keepass to keep track of your passwords.

The reason you get the g-mail warning "Unusual acitivity detected" or something similar is because your e-mail is on the list on leaked e-mails from the mtGox db compromise. So If you have used the same password for mtGox and gmail for instance, this is used to protect the users so that in the event someone bruteforces the password hash in that leaked list, they will not have access to your gmail-account. Of course if you used the same password for both mtgox.com and gmail, you should stop doing something like that in the future.

The source of confusion is that google has only given a generic message, and not a specific one, perhaps this is just their policy, I don't know, but I think it would be better to give a more detailed explanation to keep people from getting worried.

Most likely your gmail account is not compromised at all.

justusranvier

legendary

Activity: 1400

Merit: 1013

Situations like this are why I'm glad all of my passwords are different and random.

TheSocialHermit

newbie

Activity: 42

Merit: 0

Yea same happened with my secondary gmail account. Mt Gox is in the shit now. I'm lucky I haven't done any business with them so I haven't lost anything other than trust in their systems.

rdonohoe

newbie

Activity: 37

Merit: 0

Quote from: Mike Hearn on June 19, 2011, 05:14:57 PM

Hi guys,

The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.

Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).

thanks,

Mike
Google abuse/anti-hijack team

Thank you Google for your diligence.

tabshift

newbie

Activity: 23

Merit: 0

My respect for Google has only increased due to this quick response. Thank you!

Quote from: Mike Hearn on June 19, 2011, 05:14:57 PM

Hi guys,

The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.

Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).

thanks,

Mike
Google abuse/anti-hijack team

Mike Hearn

legendary

Activity: 1526

Merit: 1134

Hi guys,

The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.

Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).

thanks,

Mike
Google abuse/anti-hijack team

Topic: Gmail unusual activity - page 2. (Read 18366 times)