Topic: If your Mt. Gox account has been compromised, PLEASE READ. - page 6. (Read 34602 times)

full member
Activity: 138
Merit: 100
Hey hey…

I believe people at MTGOX are little stupid kids.

Do not change your password.

Just delete your damn MT GOX account and go find a more trustworthy site.

I've just downloaded that CSV file with all the information, I can't believe it.

Mt GOX IS NOT SECURE.

Mt Gox is a fucking security hole and you'd better get out of there quick.

For instance, try Trade Hill.
sr. member
Activity: 294
Merit: 250
Update: Mt. Gox was compromised, the database of users was released. I believe the thread here was removed, but many people will probably be able to verify it.

Change your passwords now.

I told you so
newbie
Activity: 48
Merit: 0
My account has been hacked and I lost 5 BTC. The ID and the password don't match. No way, I'm sure about my password. I use the latest Avira and Zone Alarm, so this isn't from any trojan or keylogger on my PC. So I think Mt. Gox stole my account?
My ticket: #1942. Now I can't do anything with my account (login, recover my password; I think someone changed it).
newbie
Activity: 7
Merit: 0
My account was locked today - not able to get in or recover password. Reading the forums, I was already hopeless. But finally mtgox support got back to me and reopened the account. I hear this is related to tracking stolen bitcoins.

So if you're in the same situation, not being able to log in (instead of malicious transactions), contact mtgox support.
newbie
Activity: 42
Merit: 0
Change your Mt. Gox password. Twenty characters is best, with both uppercase and lowercase letters along with a few numbers. No words from the dictionary!
Am I the only one who was unable to change passwords?
newbie
Activity: 19
Merit: 0
Change your Mt. Gox password. Twenty characters is best, with both uppercase and lowercase letters along with a few numbers. No words from the dictionary!
newbie
Activity: 42
Merit: 0
I can't login using my account. It was fine about an hour ago. My email has been changed as well so I can't get my password back.

My ticket: #1899
Same here. Ticket #1912. I can't log in, and password recovery says no email address is on file (but I believe I set one when I signed up).

I've been using a separate browser for mtgox, with no other pages open, ever since I heard about the CSRF exploit. I tried to change my password at that time too, but when I clicked "Change", the page flickered but nothing happened (on multiple browsers).
newbie
Activity: 2
Merit: 0
I can't login using my account. It was fine about an hour ago. My email has been changed as well so I can't get my password back.

My ticket: #1899
newbie
Activity: 28
Merit: 0
Any newbie reading this, please keep your bitcoins separated in many individual places in case one of your locations is compromised

...and make sure no one else has access to the places you stored your files in.

Obviously this is the dawn of a new age of crypto currency, but if they ever expect bitcoin to become mainstream and not just somebody's hobby, shouldn't all these issues be addressed by the software programmers of bitcoin? I mean, do you really want to solve this problem? Well, it's easy. Let me outline the steps:

1. The bitcoin software needs to encrypt the wallet file. It reads from and writes to a wallet that always remains encrypted.
2. If you really want bitcoin to go mainstream, then it seems to me that incorporating a trading mechanism like mtgox directly into the software itself would be wise. That way you don't need to rely on an ewallet system, which can be compromised, every time you need to convert currency.

Till these two problems are solved how can anyone rely upon bitcoin as a reliable and secure means of currency?

~J
The first problem confuses me a little, mostly because these attacks had absolutely nothing to do with anyone's wallet file.

The second is just a terrible suggestion and goes against the very basic principles of bitcoin and what it's supposed to be.

Safer banking solutions would be great and they will no doubt come when bitcoin grows bigger but for now just calm down a little and look at what actually happened. These attacks happened due to a site (mt. gox) having security flaws and the attacks only affected accounts at that site. They had nothing to do with how bitcoin works as a currency.
newbie
Activity: 28
Merit: 1
Well, that Dollar is no less doomed than the Bitcoin.
newbie
Activity: 17
Merit: 0
http://forum.bitcoin.org/index.php?topic=19221.0

in short:
did not reuse password.
did not use email during registration, instead wrote down login/password to keepass.
brand new mtgox.com account.
funded it with 50.56 and after 3-4 hours was unable to log in to the site.
it could not be hacked from email, since email was not used during registration.
no trojans found and computer was offline.
did not visit any websites in between so recent CSRF issue did not affect me.
newbie
Activity: 23
Merit: 0
Any newbie reading this, please keep your bitcoins separated in many individual places in case one of your locations is compromised

...and make sure no one else has access to the places you stored your files in.

Obviously this is the dawn of a new age of crypto currency, but if they ever expect bitcoin to become mainstream and not just somebody's hobby, shouldn't all these issues be addressed by the software programmers of bitcoin? I mean, do you really want to solve this problem? Well, it's easy. Let me outline the steps:

1. The bitcoin software needs to encrypt the wallet file. It reads from and writes to a wallet that always remains encrypted.
2. If you really want bitcoin to go mainstream, then it seems to me that incorporating a trading mechanism like mtgox directly into the software itself would be wise. That way you don't need to rely on an ewallet system, which can be compromised, every time you need to convert currency.

Till these two problems are solved how can anyone rely upon bitcoin as a reliable and secure means of currency?

~J
full member
Activity: 210
Merit: 100
Any reports of problems with TradeHill, anyone?
sr. member
Activity: 294
Merit: 250
Shit, this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in bitcoin's security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or that somebody is not gonna rob their computer and make them lose everything.


No shit it looks bad, it was enough to completely diminish my trust in the system, and I've been a bitcoin enthusiast since December. Imagine how "attractive" this looks for someone who is considering investing. If this had happened in December when I discovered bitcoin, I'd certainly have run far away from here.

We don't need "banking", there is no way to track funds to a person anyway (we can track the block explorer, yes, but that's it; it may be a thief's account and it may be someone who pretends to be a victim's 2nd wallet). What's needed is better security; until then I'm taking most of my bitcoin savings far away from bitcoin.



The issue is not with Bitcoin. It is perfectly possible for someone to set up a Bitcoin bank, that has insurance against theft etc, just like "conventional" banks. The issue here lies with Mt. Gox, which is only a single independent exchange. Bitcoin itself (as an idea and protocol) is technically sound. The only thing I am missing is wallet encryption in the client by default, but that can be overcome for now by storing a wallet on a machine that is not connected to the internet, using third-party encryption software.

Bitcoin is much like digital cash, with the difference that you can encrypt a Bitcoin wallet, while you can't encrypt an IRL wallet.
full member
Activity: 210
Merit: 100
Shit, this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in bitcoin's security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or that somebody is not gonna rob their computer and make them lose everything.


No shit it looks bad, it was enough to completely diminish my trust in the system, and I've been a bitcoin enthusiast since December. Imagine how "attractive" this looks for someone who is considering investing. If this had happened in December when I discovered bitcoin, I'd certainly have run far away from here.

We don't need "banking", there is no way to track funds to a person anyway (we can track the block explorer, yes, but that's it; it may be a thief's account and it may be someone who pretends to be a victim's 2nd wallet). What's needed is better security; until then I'm taking most of my bitcoin savings far away from bitcoin.


sr. member
Activity: 294
Merit: 250
Shit, this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in bitcoin's security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or that somebody is not gonna rob their computer and make them lose everything.

Also, doesn't anybody think it's suspicious that all these attacks are happening at the same time?



Bitcoin has had a lot of attention lately. Of course there will be attacks from every side. People who just want to earn a buck from it in less elegant ways, and people who want to see Bitcoin vanish off the earth.

I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, unfeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed bruteforce (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.

The message from mtgox makes it sound like some type of XSS.
How exactly would an XSS work in this case? I have never followed any links to Mt. Gox from external sites, and my account was broken into at a point where I couldn't even access Mt. Gox (probably due to the DDoS attacks).
newbie
Activity: 5
Merit: 0
I will list some of the found (potential) attack vectors here and their relation to my own account (I can only speak for myself):

* CSRF vulnerability - not applicable to my account, the BTC were transferred at a time I could not access Mt. Gox at all, let alone be logged in.
* CSS history vulnerability - not applicable to my account, unfeasible for non-dictionary passwords over 6 characters (mine was randomized 20)
* Android app - not applicable to my account, I do not have an Android phone nor have I ever touched the app, I have also never entered my Mt. Gox details anywhere but on Mt. Gox itself
* Malware/keylogger/etc - almost certainly not applicable to my account, I turned my entire computer upside down with manual analysis (something I already do regularly) and haven't been able to find anything
* Distributed bruteforce (using a botnet) - possibly applicable to my account, but unlikely due to password length... it IS a possibility however, with a large enough botnet it's feasible.

Now the question is, what is the cause for my account (and potentially others)? I believe there's a mix of different attacks being used here.

The message from mtgox makes it sound like some type of XSS.
member
Activity: 336
Merit: 10
Shit, this looks bad. This could diminish the trust in the system in the long run.

Maybe at this point we need security companies getting involved in bitcoin's security and banking. A lot of people wouldn't mind paying extra, knowing that their account is not gonna get hacked, or that somebody is not gonna rob their computer and make them lose everything.

Also, doesn't anybody think it's suspicious that all these attacks are happening at the same time?


sr. member
Activity: 332
Merit: 250
Having been a victim of this security flaw myself, I don't see why, considering the massive amount of cash mtgox is pulling in right now, they don't reimburse the people who, in say the 24 hour or 48 hour window this scam occurred, reported a trouble ticket to them in that time (seems all happened on the 15th/16th), even if from their own funds, for god's sake... up to say "x" amount,

qft

If they are a financial institution, they have to have fraud recovery efforts. He is trying to be legit; maybe he will come around when he thinks, hey, I should have spent the money on security, now I have to pay for the breach.
newbie
Activity: 12
Merit: 0
As Jondecker76 said:
  "I have stepped forward on a few other posts - I also had money stolen from my MtGox account (20.19 BTC).
I even reported it to MtGox with no reply (this report was made before it was announced that there was a security exploit found).
It has recently been revealed that MtGox did in fact have a vulnerability, and someone even showed them the exploit by using it to prove it was there. There are also a dozen or so of us that have had this happen. Yet the owner claimed that he can see no evidence in his logs that our money was lost due to the exploit, and that he is not going to refund anybody for the BTC stolen from his (insecure) site.
I for one will never use MtGox again. It's one thing to make a mistake and have such a simple exploit left open; it happens. It's another thing to not own up to your responsibilities as a responsible business owner. Look at the number of trades on his market, look at his fee and do the math. Bottom line is that he makes very good money from his userbase, and it should be trivial to do the right thing for a few handfuls of users that lost modest amounts of bitcoins. I don't know if it can be proven one way or another whether or not the withdrawn funds were via an exploit or not - but honestly, look at the evidence"

Having been a victim of this security flaw myself, I don't see why, considering the massive amount of cash mtgox is pulling in right now, they don't reimburse the people who, in say the 24 hour or 48 hour window this scam occurred, reported a trouble ticket to them in that time (seems all happened on the 15th/16th), even if from their own funds, for god's sake... up to say "x" amount, but whatever... I guess that's why I don't run a business.