Topic: Mt. Gox hacked? - page 2. (Read 4881 times)

A simple email confirmation would be great.

I don't do a lot of withdrawals either - the whole point of the Yubikey is to make sure that no one can withdraw without it, regardless of the frequency.  Its usefulness is unrelated to how often you would use it.

I believe a Yubikey is necessary for me, as you never know when your machine has been compromised, it's probably not going to warn you, and the only way you'll know is when your funds disappear.  You don't even know that that's not what happened to you just now - you may assume that it was a pool operator, but there is no way you can know that for sure.

To me, saying a Yubikey isn't necessary would be like saying airbags aren't necessary, just wear your seatbelt, or that fire insurance isn't necessary, just never light fires.  It's a secondary protection with a meaningful benefit that hopefully you'll never need.  I agree it's not necessary if you don't mind losing what's in your account one day (esp. if you don't really have more than a few BTC), but if it's an amount you care about, and especially if you think you'll be using bitcoins for a long time... it should be a no brainer.

Ordering a Yubikey will not lock your account until you receive it and use it for the first time.  It comes already active and ready to use, there are no drivers, fully compatible with PC/Mac/Linux, computer thinks it is just a plain keyboard.  You just hit Enter at the MtGox Yubikey screen to bypass it if you haven't yet received it, and you stick it in your USB port and press a button and it types a one-time password.  Really simple.  And also a neat little gadget to carry around if you like to talk to people about Bitcoins.

Using unique and unrelated passwords are the golden rule of security. Some learn it in a hard way.There is no such thing as karma. For what I have done, I'm pretty fine. Probably the guy who did this just jizzed his pants and monitor.

I would agree that a Yukibey isn't necessary.  It would have protected me in this case, but just not doing stupid things like sharing passwords across accounts would have helped.  I don't do a lot of withdrawals, so using the Yubikey wouldn't be that much of an issue.  I'll probably pick one up.  $18 for a Yubikey could have saved me $700 of losses.

Hope the guy who did this encounters some nasty bad karma

I have accounts on almost every pool.   The first pool I got a notice of a wallet change was deepbit.  Then slush, btcguild, and bitclockers.

I am going through accounts right now to see what others were compromised

If all the actors play nice it will be fine < Yubikey

Yubikey would have protected your account.

Using the same password in multiple places is Your mistake. Probably Poll got hacked first. Or maybe dishonest pool operator took your bitcoins. Or maybe the password was sniffed from the pool because of lack or improperly implemented SSL. This is possible even if You system is 100% secure and malware free. Most windows computers today run by non-expert users are infected with one or another malware because of user error.

Lastpass is not 100% secure. Where is the guarantee that the lastpass does not keep all the passords provided? Better use KeePass software on Your computer to generate, store and backup the passwords.

Yubikey is overkill. If You computer and MtGox are safe, there is no need for one. If MtGox are hacked and database are accessed, the coins can be stolen anyway. I would love to have the key in my disposal just to play around with it, but I feel safe and know I'm safe without yubikey, because I take all precautions to keep all my coins safe on my computer and know how such things are done.

Do you carry more than one set of keys?  The YubiKey fits nicely on a keychain.

As a backup, you could always pop your Yubikey into a text editor and spit out a few one time passwords, print them, and carry them with you.  They can only be used sequentially, so the next time you really use your Yubikey, all of the prior ones will become void.  It kind of sucks to hand-key 30+ nonsense characters at once, but it's at least an option if you think you might be out in the boonies with nothing but a smartphone next time the price drops or something and you want to do some trading.

You could also e-mail yourself a large list of one-time passwords, and use them one by one via the clipboard.  Sure, that's somewhat less secure than using the physical key, but at least someone can't withdraw with them (withdrawal requires a one time password from a completely different secret key, which you get by holding the Yubikey button down for longer than 3 seconds)

I will say this though: the yubikey is going to save you from the vast majority of the attacks that are actually happening.

The Yubikey most certainly would have prevented this.

I hesitated to get a Yubikey, and then one day MtGox offered me a free one (probably since I made a rather large deposit).  Now that I have it, in retrospect, if I felt then how I feel about it now, I would have quickly paid for one.

Anyone know, can you have more than one YubiKey for the same account?

Tough luck, amazingrando! Would you care to reveal the pools you were using, so that other users of those pools can be on high alert, check their payout addresses, change their passwords, etc?

Amazingrando,

If you (or anyone else) need a Yubikey, I have a Mt. Gox code for a free Yubikey for sale for 6 BTC.

And never use the same password twice. Last pass is free. -> https://lastpass.com/

That was probably done intentionally to keep from raising red flags.  Had you noticed suspicious activity or discovered your pool account hacked I'm sure (I hope) you would have changed passwords on any related websites.  I'm very sorry that happened.  You really should get a YubiKey.

Sucks, that was a lot of money. 

I thought the same thing.  The only reason I thought it might be Mt. Gox being hacked (besides other people having the same issue) is that the first change to any of my accounts was at Mt. Gox.  Accessing my pool accounts came afterward.

amazingrando my friend! I am so sorry to hear that!

The person probably GOT your password from one of the pools you use. Most pools use mysql and they are really easy to do an injection attack and gain access - it's either that or a dishonest pool admin.

Either way those are far more likely to be true than MTGox being hacked.

IP address the hacker used:

196.200.102.6

I made two critical mistakes: 1) leaving btc in Mt Gox as opposed to my encrypted wallet, 2) being lazy about sharing passwords.

You are right, though, I should have had a Yubikey.  Mt. Gox really should have some form of two factor authentication beyond the yubikey.

A Yubikey may be worth all your bitcoins.  Get one and use it.  At least for withdrawals.