Author

Topic: MtGox account got cleared out (Read 2273 times)

member
Activity: 117
Merit: 10
June 05, 2012, 10:01:34 AM
#9
Just goes to show MtGox is still not a safe place to store funds long term, and especially without a yubikey
legendary
Activity: 2506
Merit: 1010
June 05, 2012, 05:54:22 AM
#8
In another thread where there was a Mt. Gox account that got compromised, TT had just made some suggestions:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist. [Update: Mt. Gox just added this.]

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.


And in yet another thread where there was a GLBSE account that got compromised, TT made his appeal to them as well:

Please, exchanges, implement this SOON. You cannot implement it soon enough.
legendary
Activity: 1896
Merit: 1353
June 05, 2012, 05:09:31 AM
#7
this is the only bitcoin related site that i have used this password on.

what does "this" refer to? mtgox or glbse?
newbie
Activity: 2
Merit: 0
June 05, 2012, 05:02:05 AM
#6
anyone have any idea what i can do now?

any idea how the attack was possible?
did you use a strong password? yubikey?


really no idea, i only accessed mtgox onced from a hotel's network once and i have changed my password after that due to to database leak.not
 the strongest, 10 random alphanumeric. no caps either. nope no yubikey =/

I think some passwords were hacked on the GLBSE too.  It's always best not to reuse the same password on different sites.

this is the only bitcoin related site that i have used this password on. granted i used the password on 2 other sites but they seem to be unaffected.


i may file a police report but honestly i don't really see the point.

legendary
Activity: 1106
Merit: 1004
June 05, 2012, 02:33:15 AM
#5
As a matter of course, MtGox should be providing victims such as yourself with the IP addresses, logs/timestamps etc of recent accesses to your account.

Plus, they should allow users to set limit to themselves.
Like a preferences page where I set maximum withdraw amounts per day and per week to myself. If I want to change these preferences by increasing the amounts, the change will only take effect like 48 hours later. And every change in these preferences are notified by e-mail, as every withdraw of any amount.

This way losses can be limited in cases such as this.
legendary
Activity: 1092
Merit: 1001
June 05, 2012, 01:55:21 AM
#4
As a matter of course, MtGox should be providing victims such as yourself with the IP addresses, logs/timestamps etc of recent accesses to your account.
If you are to file a police report, you should have all the relevant information about the unauthorised access to your account.


legendary
Activity: 1372
Merit: 1003
June 05, 2012, 01:43:41 AM
#3
I think some passwords were hacked on the GLBSE too.  It's always best not to reuse the same password on different sites.
legendary
Activity: 1896
Merit: 1353
June 05, 2012, 01:38:52 AM
#2
anyone have any idea what i can do now?

any idea how the attack was possible?
did you use a strong password? yubikey?
newbie
Activity: 2
Merit: 0
June 05, 2012, 01:27:47 AM
#1
Hello i've been following bitcoin and lurking this forum since the start of the bitcoin bubble.

Yesterday i received an email stating that i had requested a withdrawal when i had in fact not logged in for close to two months. I accessed my account to find that two hours prior, someone had accessed my account, bought all the btc he could with what little cash i had left and withdrew all the btc from my account(roughly about ~30, a small amount but all the btc i have).

it seems i'm short on luck as my support request was replied with this email:
Quote
Hello,

We are sorry for your loss. Unfortunately, we can not refund any amount of the stolen funds. While this is extremely disappointing news, it is unavoidable. Issuing a direct refund is not possible as there is no way of proving that your account was in fact compromised, or that it was the Mt.Gox database leak that caused this to happen. As a business if Mt.Gox were to offer you a cash or bitcoin refund in compensation of this extremely unfortunate event, there would be a large increase in the number of hacking attempts to capitalize upon the possibility of financial reward.

As a further remedy, we would like to suggest that you file a police report for the stolen goods. It is preferable for the police to inspect your computer, but not necessary. Once this investigation has occurred and a copy of the police report issued, please send a copy of it along with a notarized copy of your passport or Government issued photo ID to Mt.Gox.

Please let us know how you wish to proceed, and again we apologize for the frustration and inconvenience caused.

Thanks,

MtGox.com Team


anyone have any idea what i can do now?



also it seems someone else got hacked as well:
https://bitcointalksearch.org/topic/m.941759
Jump to: