Author

Topic: Mt. Gox: If your coins were stolen, please write here (Read 22296 times)

legendary
Activity: 1190
Merit: 1000
www.bitcointrading.com
I suspect my account was compromised or I am just paranoid.

I have an account at MtGox and visit this account very frequently (3-5 times a day) to check my number in a verification queue.

I went to Mtgox website 40 minutes ago, typed my Username and Password, and a red small window told me my password was incorrect and if I forgot it I could type in my e-mail address to recover it or to get a new one. I thought I just simply made a typo in my password. I repeated the action 2 times more and the red window kept on popping up and telling me ''incorrect password''.

I shut down my computer and my modem. Then I restarted the computer and the modem, went to MtGox's website entered the Username and the Password and could log in without any problems.

I searched the website, while logged in, for ''you were logged in on ...(date and time)...'' information to check if someone else was logged in using my Username and Password, and I couldn't find such an information.

Could someone tell me:
a) if I should consider it a problem not having being able to log in three times using the correct Username and Password (there is of course an unlikely possibility I typped in a wrong password);
b) is there a log in history for an account at MtGox's website available to account holders?

Thanks.

Omg so it's true.  There are people dialing up modems to get bitcoins. 

Congrats on the epic 2 year old thread bump.  Good read.
sr. member
Activity: 378
Merit: 250
Born to chew bubble gum and kick ass
I suspect my account was compromised or I am just paranoid.

I have an account at MtGox and visit this account very frequently (3-5 times a day) to check my number in a verification queue.

I went to Mtgox website 40 minutes ago, typed my Username and Password, and a red small window told me my password was incorrect and if I forgot it I could type in my e-mail address to recover it or to get a new one. I thought I just simply made a typo in my password. I repeated the action 2 times more and the red window kept on popping up and telling me ''incorrect password''.

I shut down my computer and my modem. Then I restarted the computer and the modem, went to MtGox's website entered the Username and the Password and could log in without any problems.

I searched the website, while logged in, for ''you were logged in on ...(date and time)...'' information to check if someone else was logged in using my Username and Password, and I couldn't find such an information.

Could someone tell me:
a) if I should consider it a problem not having being able to log in three times using the correct Username and Password (there is of course an unlikely possibility I typped in a wrong password);
b) is there a log in history for an account at MtGox's website available to account holders?

Thanks.
member
Activity: 80
Merit: 10
Whats the story with the claims? I claimed about an hour after you started and nothing yet, but there was already threads on the other board of people having gotten their accounts back?
how about prioritizing  the folk who have half a years wages in your site, rather than randomly sorting out people with 20$ in there for the laugh?

You sir, need to be smarter.
full member
Activity: 237
Merit: 100
Whats the story with the claims? I claimed about an hour after you started and nothing yet, but there was already threads on the other board of people having gotten their accounts back?
how about prioritizing  the folk who have half a years wages in your site, rather than randomly sorting out people with 20$ in there for the laugh?
sr. member
Activity: 294
Merit: 250
So Magical Tux,
Are you ever going to answer,  what are MtGox's plans for those of us who got bitcoins stolen in the days preceding the sell off?  You know, those if us that have been telling you since before the compromise was made public.  It should be easy to validate our claims by comparing ip address history,  as I have only logged in to your site from home, work and my phone (verizon)

You know their answer very well - correct login/pass, so they are not responce for this, It`s a very sad story... Cry Cry Cry


Kindda like that now since they said the hacker used correct username/password. But they can match all the IP address with yours and take it from there. Not an easy thing to do but doable.

PROS AND CONS guys. We all know that this is risky in the first place. Let's just all wait for Mt. Gox to sort their service out first. I, too lost some coins and $$$ but I understand what's happening right now at Mt. Gox so I'm waiting for them to finish putting the site up and then will contact them.


Want the benefits (rather high transaction fees), then also take the risks (system getting compromised and having to refund people and/or hire extra staff).
He has been massively profiting off all transactions, then he will also have to bear things like this in a proper manner. This is a for-profit exchange, and the same rules go for that as for every other company.
member
Activity: 77
Merit: 10
A Colt Crossed the River
    Now requesting to recover your Mt.Gox account has been started.
    But since my account has been stolen 5 hours before the "big compromised account incident", now I even cannot request to recover my MtGox account.

I know mtgox has some urgent affairs to handle right now. But it should also set up a way for the users like me to request for recovering the account.

I have post a request to report my stolen account before the the "big compromised account incident". Now 3 days passed, no answer no email. This request is set to Urgent Priority but no one has even given me a reply.

We pay transaction fees to mtgox, I think we deserved to have an account recovery service. But now the fact is that someone entered my account, changed my email address, changed my passwd. And I even do not know whether the fund or the btc is still in my account or not.

When mtgox website open again, I still cannot login to my account. If the price rises, I cannot sell. If the price drops, I cannot buy. I think this is also another lost brought by mtgox.

Do not forget the users just like me.
At least offer a way to handle this problem.
I can provide the proof the I am actually the owner of this account.
member
Activity: 108
Merit: 10
So Magical Tux,
Are you ever going to answer,  what are MtGox's plans for those of us who got bitcoins stolen in the days preceding the sell off?  You know, those if us that have been telling you since before the compromise was made public.  It should be easy to validate our claims by comparing ip address history,  as I have only logged in to your site from home, work and my phone (verizon)

You know their answer very well - correct login/pass, so they are not responce for this, It`s a very sad story... Cry Cry Cry


Kindda like that now since they said the hacker used correct username/password. But they can match all the IP address with yours and take it from there. Not an easy thing to do but doable.

PROS AND CONS guys. We all know that this is risky in the first place. Let's just all wait for Mt. Gox to sort their service out first. I, too lost some coins and $$$ but I understand what's happening right now at Mt. Gox so I'm waiting for them to finish putting the site up and then will contact them.

legendary
Activity: 2026
Merit: 1005
So Magical Tux,
Are you ever going to answer,  what are MtGox's plans for those of us who got bitcoins stolen in the days preceding the sell off?  You know, those if us that have been telling you since before the compromise was made public.  It should be easy to validate our claims by comparing ip address history,  as I have only logged in to your site from home, work and my phone (verizon)

You know their answer very well - correct login/pass, so they are not responce for this, It`s a very sad story... Cry Cry Cry
full member
Activity: 238
Merit: 100
So Magical Tux,
Are you ever going to answer,  what are MtGox's plans for those of us who got bitcoins stolen in the days preceding the sell off?  You know, those if us that have been telling you since before the compromise was made public.  It should be easy to validate our claims by comparing ip address history,  as I have only logged in to your site from home, work and my phone (verizon)
member
Activity: 77
Merit: 10
A Colt Crossed the River
I also got hacked.

I cannot access my mtgox account June 19th at around 13:00 o'clock (GMT) BEFORE the big incident occurred.

Someone changed my account password and changed the email, so I even cannot recover my password.

I don't know whether the fund (over 200 LR) or BTC (20BTC) are stolen since I cannot access it for about 20 hours.

I have submitted a request at https://support.mtgox.com, it has been marked as "Urgent", but got no reply yet.

Hope you can figure the problem soon.

My account is:
snoleo
Email:
[email protected]

I use a very strong password which is only used for mtgox.
member
Activity: 108
Merit: 10
Let's all make no mistake about this. ALL accounts in Mt. Gox are affected. Even Tradehill and deepbit already made a universal password change on their side just to make sure this doesn't become much worse.

Let's give Mt. Gox some time to resolve this critical issue. For now, I suggest at least CHANGE ALL YOUR PASSWORDS on accounts related to bitcoin - I mean ALL OF THEM.

If possible change your email account, too. Might as well register a new email account which I already did.



P.S.

This will definitely bring the difficulty down to at least 50%.

hero member
Activity: 860
Merit: 1004
BTC OG and designer of the BitcoinMarket.com logo
OMG when did this happen  Huh
no wonder my gmail account got locked  Embarrassed
and how can i find if my coins and lr have been stolen from my account?
legendary
Activity: 2026
Merit: 1005
mtgox.com - epic fail  - one by one...hug and cry
 Smiley

You can keep my stolen 13.4BTC for doing reliable protection...

PS It was a joke... Cheesy
full member
Activity: 238
Merit: 100
Magical Tux:

Now that you guys finally admit that you were indeed compromised and usernames/passwords (hashed) were stolen, are you going to refund us customers that had our BTC stolen? (20.19 in my case). I (and others that had BTC stolen while in your care) are angry and frustrated the way this whole thing was denied and handled.  Over the past days, I have seen honest bitcoin users and supporters (of which I am both) accused of lieing, not having secure enough passwords, and of being hacked themselves -- and everything in between.  Are you guys going to own up, do the right thing, and refund us?
(and I will point out again, that I originally reported my stollen BTC to you before any mention of the vulnerabilities and comprimises - without any reply back at all (though, i know you must be busy at the moment, but still))

Quote
UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

legendary
Activity: 2026
Merit: 1005
No, they logged in on users account using the correct login and password. We have logs showing the loggin succeed on first try.

Oh, that's good news. Thanks for keeping your site secure and staying on top of everything.
You are not alone, I`m with you too... Grin Grin Grin
The same case - correct login/password...
No exchange responsibility - no 13.4BTC

Such a nice mtgox.com exchange  Grin Grin Grin


PS
MagicalTux

Well Mark,
I`d like to know from which IP was made 13.4BTC transaction to fraudster wallet...
Is this a open information for me?
sr. member
Activity: 294
Merit: 250
The coins stolen from Mt.Gox were not stolen using any CSRF exploit.

So they were stolen from Mt.Gox using another exploit...?

No, they logged in on users account using the correct login and password. We have logs showing the loggin succeed on first try.
Then I suppose you have the IP address of the person who logged in to the accounts?

Also, I have not yet received a response to my tickets #957/#1797, nor to the PM I sent you on this forum.
newbie
Activity: 11
Merit: 0
No, they logged in on users account using the correct login and password. We have logs showing the loggin succeed on first try.

Oh, that's good news. Thanks for keeping your site secure and staying on top of everything.
vip
Activity: 608
Merit: 501
-
The coins stolen from Mt.Gox were not stolen using any CSRF exploit.

So they were stolen from Mt.Gox using another exploit...?

No, they logged in on users account using the correct login and password. We have logs showing the loggin succeed on first try.
newbie
Activity: 11
Merit: 0
The coins stolen from Mt.Gox were not stolen using any CSRF exploit.

So they were stolen from Mt.Gox using another exploit...?
vip
Activity: 608
Merit: 501
-
Quote
So the owner of the site says no coins lost, and customer support says your coins are lost Huh?Whom do I believe ??

I wouldn't worry about this at all. Mark Karpeles and MagicalTux often contradict themselves. For example, Mark has just confirmed to us that a few accounts were hacked into. However, MagicalTux reassured us yesterday that the CSRF exploits "were never used," even though there was an obvious corresponding increase in reports of coins being stolen via Mt. Gox.

The coins stolen from Mt.Gox were not stolen using any CSRF exploit.
member
Activity: 82
Merit: 10
Account was reinstated turns out one of my players in Triple Trouble, sent money from the 25k stolen coins....

So did you get to keep your coins? Or were they repossessed by Mt. Gox?
only 0.16 were fraudulent
newbie
Activity: 11
Merit: 0
Account was reinstated turns out one of my players in Triple Trouble, sent money from the 25k stolen coins....

So did you get to keep your coins? Or were they repossessed by Mt. Gox?
member
Activity: 82
Merit: 10
Account was reinstated turns out one of my players in Triple Trouble, sent money from the 25k stolen coins....
newbie
Activity: 11
Merit: 0
Quote
So the owner of the site says no coins lost, and customer support says your coins are lost Huh?Whom do I believe ??

I wouldn't worry about this at all. Mark Karpeles and MagicalTux often contradict themselves. For example, Mark has just confirmed to us that a few accounts were hacked into. However, MagicalTux reassured us yesterday that the CSRF exploits "were never used," even though there was an obvious corresponding increase in reports of coins being stolen via Mt. Gox.
member
Activity: 82
Merit: 10
Ok so:

#1407: Confirmed hacked on june 16th, investigation in progress
#1836: Investigation in progress, no lost coins
#1862: Investigation in progress, no lost coins

please tell me was my password changed Huh or what


EDIT: Just received this email :  Huh

Mark Karpeles, Jun-19 10:25 (JST):

Hi,

We have confirmed the bitcoins you have added to your account were stolen, and your account has been automatically blocked.

Could you tell me where you got those bitcoins from?

Thanks,
Mark
MtGox.com Team.

So the owner of the site says no coins lost, and customer support says your coins are lost Huh?Whom do I believe ??
vip
Activity: 608
Merit: 501
-
Ok so:

#1407: Confirmed hacked on june 16th, investigation in progress
#1836: Investigation in progress, no lost coins
#1862: Investigation in progress, no lost coins
member
Activity: 82
Merit: 10
I think my account might have been compromised. I successfully logged into my account at least 3 times today. I added some bitcoins. Then when I attempted to login to trade those bitcoins, I was unable to login. Also when I went to recover/reset my password it said that there was no email account attached to my account when I know there is. I don't know if money has been stolen yet but it seems likely that my account was compromised. My ticket is #1836

This is what happened to me exactly, please tell me what did mt.gox tell you... I sent an email to them but didnt get a case number..
legendary
Activity: 1428
Merit: 1000
https://www.bitworks.io
I think some of you guys are starting to make up stories now..... Mt. Gox is not going to give you any funds back so if your pretending you were hacked to get some BTC forget about it. Mt. Gox is only going to help you track where the funds get moved to.

It's hard to tell either way however you are right that I wouldn't expect Mt. Gox to give them back. With teh volume of users and trading if .001% of people had an issue I expect we would see more then the posts we have seen thus far. There is enough money going around for people to focus effort on exploting accounts.

With that said they are providing a financial service and although not regulated I expect there will be a lawsuit sometime soon because for the type of service offered it's fairly obvious adequate authentication is not enforced and yes there is some precedent for that.
REF
hero member
Activity: 529
Merit: 500
I think some of you guys are starting to make up stories now..... Mt. Gox is not going to give you any funds back so if your pretending you were hacked to get some BTC forget about it. Mt. Gox is only going to help you track where the funds get moved to.
member
Activity: 82
Merit: 10
Avira just finished scanning my pc, nothing was found...also I only use this password for mtgox....
member
Activity: 82
Merit: 10
I dont keep money in my Mt.gox account, but an hour ago i wanted to exchange some btc and i sent in 7 to my mtgox account..
Now I came back to my pc and I cant access my account try to reset password says no email in account file..... wtf
I am sure i regg'ed using an email............Please help me asap 7 coins is like 15 days mining to me

my ticket #1862
sr. member
Activity: 294
Merit: 250
Again, two factor auth using email would be incredibly easy to implement, and a huge improvement in security - mostly because you can't get around that by having database access through a vulnerability.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
What would be nice is if we could optionally restrict the account with a PGP key, so that functions like withdrawals (or at least setting the withdrawal address) had to be signed.
newbie
Activity: 14
Merit: 0
All my coins were stolen, I immediately filed a ticket (two days ago) and was assigned #1407.  I would appreciate a reply.
newbie
Activity: 28
Merit: 0
I think my account might have been compromised. I successfully logged into my account at least 3 times today. I added some bitcoins. Then when I attempted to login to trade those bitcoins, I was unable to login. Also when I went to recover/reset my password it said that there was no email account attached to my account when I know there is. I don't know if money has been stolen yet but it seems likely that my account was compromised. My ticket is #1836
sr. member
Activity: 371
Merit: 250
As said davout, the password most be encrypt it using bcrypt, hash dont do a good job in password area.

http://codahale.com/how-to-safely-store-a-password/

If I knew a site was using encryption, I wouldn't use it.

Why use something reversible by the owners/anyone who gets access to the server... (Since if they have DB, they probably now have the key).
newbie
Activity: 55
Merit: 0
As said davout, the password most be encrypt it using bcrypt, hash dont do a good job in password area.

http://codahale.com/how-to-safely-store-a-password/
newbie
Activity: 33
Merit: 0
MagicalTux,

I'm getting the "Too many failure from your IP, temporarly blocked" error when I try to login to the site. I've reset my router, and have successfully logged in, then immediately to a few minutes later, I get logged out. After trying to login again, I receive the above error message. I don't have a keylogger on my system (running OS X), and I even open the Mt. Gox site in a new browser, to prevent any CSRF exploit. My password is over 25 characters long, including symbols + numbers, and isn't a dictionary word or contain dictionary words.

What can I do to use my account as usual? I can PM you my username if it'll help.

Thanks.
sr. member
Activity: 371
Merit: 250
Noitev, why use weaker security when better security is available? As mentioned before, if someone was to rent out power from Amazon ECC... :?
hero member
Activity: 812
Merit: 505
The Last NXT Founder
That's what salt is for! Roll Eyes

Just read it up on Wikipedia...

Uhm, I think you need to read up on it. Salting helps defend against table lookups but does not strongly protect against brute force.



if you put enough salt in a md5, itll take thousands of years until you can crack it, ive tried
sr. member
Activity: 371
Merit: 250
The fact that it uses MD5 is an issue.

It should definitely have been set up using SHA256/SHA512, and at least a per user salt(You haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.

Sad
Where was MD5 mentioned?

It must be in the thread ocnfirming the existence of the CSRF vulnerability.
full member
Activity: 238
Merit: 100
I had 20 BTC stolen from my account, I didn't find out until 2 days later.

Here, I added 20 BTC to do some trading:
Quote
06/13/11 09:34   Add BTC   1AbvTGGyKKQDezsnaYDAhJDNPkZYv7aM9z   20   0   20.199   0.059

Within a single day, it had been transferred out (unknown to me)
Quote
06/14/11 15:45   Withdraw BTC   17RT6Ne994VjC762wh7TpXRdrZRMbhJSUC    -20.19   0   0.009   0.059

I sent an email from your website reporting the problem, here is the automated reply:
Quote
## Please do not write below this line ##
Ticket #1605: I was hacked

Your request (#1605) has been received, and will be reviewed by our support staff.

Our help desk is experiencing unusually high traffic currently. We regret to inform you that you will experience some delays (currently 48-72 hrs) in us getting back to you.

We sincerely apologize for the inconvenience and are working on all fronts to improve our response times.

To review the status of the request and add additional comments, follow the link below:
http://support.mtgox.com/tickets/1605


Jondecker76, Jun-17 22:02 (JST):

I've seen it a lot on the forums as well and never thought it could happen to me, but today I logged in to my account to find that my balance of 20 BTC is gone.

here is a the copy and paste from my account history:
06/14/11 15:45 Withdraw BTC 17RT6Ne994VjC762wh7TpXRdrZRMbhJSUC -20.19 0 0.009 0.059


I truly believe you guys have a security problem on your end Sad

I feel that it is MtGox's responsibility to own up to losses from multiple users.  You can confirm yourself that my original report to you was received before there was any mention of a confirmed vulnerability.
sr. member
Activity: 294
Merit: 250
The fact that it uses MD5 is an issue.

It should definitely have been set up using SHA256/SHA512, and at least a per user salt(You haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.

Sad
Where was MD5 mentioned?
sr. member
Activity: 371
Merit: 250
The fact that it uses MD5 is an issue.

It should definitely have been set up using SHA256/SHA512, and at least a per user salt(You haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved.

Sad
sr. member
Activity: 294
Merit: 250
MagicalTux, a few cases can already be found here: http://forum.bitcoin.org/index.php?topic=18050.0
It also has some information regarding passwords strengths and operating systems that people used etc.

Also, have you received my PM about the CSS history sniffing vulnerability?


Copy in case that disappears:

Quote
Mt. Gox Db Purportedly for Sale...
Posted to the 'Bin:

"I Got mtgox database,1 day old.Got also bitcoins7;it not as big but still lots hehe!no secure LOL.....

would send user&pass in here but,I want to sell to big buyer

Email: [email protected]

Make big offer!!!

~cRazIeStinGeR~"


http://pastebin.com/xhnNdvte

I call that a fake/scam attempt. If it was true, this "hacker" would first have emptied as many accounts as possible before selling it. My account remains untouched and so do accounts of most others, only a small % of the people got "exploited".
If the easiest way of "laundering" stolen money would be the exact site you compromised (Mt. Gox) I can imagine that someone does not want to go through the trouble of laundering everything, and would rather sell off the entire database in one hit and have others deal with that. Not to mention selling the database to multiple people.


Password are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD
Hashes (even salted) can be bruteforced. Especially if someone has for example already set up Bitcoin mining rigs, he would have considerable power to use on bruteforcing passwords, not to mention things like Amazon AWS (or other cloud computing services) that can be used to very quickly crack hashes.

newbie
Activity: 45
Merit: 0
That's what salt is for! Roll Eyes

Just read it up on Wikipedia...

Uhm, I think you need to read up on it. Salting helps defend against table lookups but does not strongly protect against brute force.

legendary
Activity: 2618
Merit: 1007
That's what salt is for! Roll Eyes

Just read it up on Wikipedia...
newbie
Activity: 45
Merit: 0

Password are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD

Well, to be fair, if you have the hashed values, it takes very little effort to bruteforce a large number of passwords. Especially if you use tables.

Your statement makes me nervous about the state of overall security at mtgox....relying on hashed passwords was a failing paradigm over a decade ago.
vip
Activity: 608
Merit: 501
-
You know about my case very well MARK - I`m still waiting for my stolen 13.4 BTC...

As I already replied you, your funds were stolen by someone logging in onto your account with your password. Your funds are right now on a bitcoin address and have not moved since then.

As a reminder we assume no responsibility should your funds be stolen by someone using your own password.
vip
Activity: 608
Merit: 501
-

Password are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.

In one expression: FUD
sr. member
Activity: 371
Merit: 250
Seeing the database doesn't mean having write access.
newbie
Activity: 58
Merit: 0
Ok, due to that, i tried to change my password in MTGox and it doesnt let me... wtf?
full member
Activity: 210
Merit: 100
Copy in case that disappears:

Quote
Mt. Gox Db Purportedly for Sale...
Posted to the 'Bin:

"I Got mtgox database,1 day old.Got also bitcoins7;it not as big but still lots hehe!no secure LOL.....

would send user&pass in here but,I want to sell to big buyer

Email: [email protected]

Make big offer!!!

~cRazIeStinGeR~"


http://pastebin.com/xhnNdvte

I call that a fake/scam attempt. If it was true, this "hacker" would first have emptied as many accounts as possible before selling it. My account remains untouched and so do accounts of most others, only a small % of the people got "exploited".
sr. member
Activity: 371
Merit: 250
Copy in case that disappears:

Quote
Mt. Gox Db Purportedly for Sale...
Posted to the 'Bin:

"I Got mtgox database,1 day old.Got also bitcoins7;it not as big but still lots hehe!no secure LOL.....

would send user&pass in here but,I want to sell to big buyer

Email: [email protected]

Make big offer!!!

~cRazIeStinGeR~"


http://pastebin.com/xhnNdvte
sr. member
Activity: 252
Merit: 250
legendary
Activity: 2026
Merit: 1005
Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

are you saying that no changes were made to the site in the past 24 hours to protect against a csrf?

if it wasn't broken, would you have any explanation for this claim that a hole had been fixed? http://forum.bitcoin.org/index.php?topic=18709.msg235994#msg235994

There was indeed a CSRF vulnerability in the "change email" and "send funds" features, however we verified the logs of the webserver and could confirm neither were ever exploited, except by the people who discovered it.

Both are now fixed.
You know about my case very well MARK - I`m still waiting for my stolen 13.4 BTC...
vip
Activity: 608
Merit: 501
-
Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

are you saying that no changes were made to the site in the past 24 hours to protect against a csrf?

if it wasn't broken, would you have any explanation for this claim that a hole had been fixed? http://forum.bitcoin.org/index.php?topic=18709.msg235994#msg235994

There was indeed a CSRF vulnerability in the "change email" and "send funds" features, however we verified the logs of the webserver and could confirm neither were ever exploited, except by the people who discovered it.

Both are now fixed.
legendary
Activity: 873
Merit: 1000
Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

Now, we cannot recover the funds, however we can try to track those and locate to which account they were sent.

are you saying that no changes were made to the site in the past 24 hours to protect against a csrf?

if it wasn't broken, would you have any explanation for this claim that a hole had been fixed? http://forum.bitcoin.org/index.php?topic=18709.msg235994#msg235994
vip
Activity: 608
Merit: 501
-
Ok, we've been seeing a "lot" of cases recently.

So far I have 10 known cases of people whose coins were stolen (someone logged in on the account using their password, traded USD for BTC, withdrew all the BTC). Considering we have now over 60000 accounts (2 months ago we had 10 times less), this seems to be a problem coming mainly from users.

Problem is many have been posting in various places (forums, reddit, twitter, irc, etc) causing a lot of fear among users when the problem is still fairly limited.

Trust me, if we had a problem in Mt.Gox and it was actively exploited, we'd have way more than a dozen compromised accounts.

By the way we are working on adding an extra feature: a withdraw password. If you define one (on the settings screen) you will have to enter this password too. Should be available by monday.



Now, we cannot recover the funds, however we can try to track those and locate to which account they were sent. I guess that if your account was compromised you first sent an email to [email protected] asking for your account to be blocked until investigation, providing as much information as you can as for the problem.

Please post here your ticket number that was assigned to you when you created this if you want priority handling. Please read the following FAQ before.


FAQ

My history disappears along all my coins and monies

You have not logged in with your usual login. Please make sure you are using the right account.

My coins were traded for USD, or my USD were traded for coins, I never entered any order

You had an open order that couldn't be filled because you didn't have enough funds. When you added funds (or coins) your order could be filled, and was filled.

Jump to: