Topic: My MtGox account was just exploited - 3 BTC stolen [old news] (Read 3549 times)

Me too, now.

how often is keylogging done and how can we tell
especially for windows 7

Yes to the "does it work with Google Authenticator" question. That's what I use for 2FA for Gox.

(Sorry to necro the thread, but I just saw this reply)

I don't think it was my employer either, but it's possible.

SSL puts the barrier high for intercepting the conversation in transit, but it's possible it could be MitM'd. Much more likely is that a combination of screen captures and keylogger would give it away. But, like I said - I don't see this as likely in my environment.

I doubt it is "Big Brother" access at your workplace. MtGox uses SSL throughout, it is close to impossible for anyone to see any data sent between you and mtGox.

Update in OP.

I think we'll see if that were the case.

My tablet is a Samsung Galaxy Tab 2, running a Cyanogenmod 10.1 nightly. I have BitcoinSpinner on there that housed my "just in case" coins - in other words, it was equivalent to my checking account, with around 50 coins most of the time.

I've left 3.xxxx coins on the device, at that address, to see if they're taken as well. If they are, then I can safely assume that is the vector.

I also left 3.xxxx coins in a Blockchain.info wallet, which I created on my work PC and stored the login credentials in a word document marked "Bitcoin Info" on my desktop.

If neither of those disappear, I really don't think my devices are the origin.

ETA: If both disappear, I guess I'll start suspecting my wife or my 4-year-old little girl

Not quite.

I registered with MtGox, just prior to the first bubble.
The MtGox hack happened.
I changed my password, to <4-letter word><2-digit year>.
Many months passed
Unauthorized withdrawal occurred
I changed to a real password

Even with the information I've given here, there are still somewhere between 900k and 2m permutations for that password. IP-based locks are one thing - but if an account had attempted to log in tens of thousands of times, you'd think they'd lock the account.

No, the person who did this almost certainly knew my password, either through obtaining a hash and applying a rainbow table to it, through some sort of keylogger, intercepting it on the wire, or through having access to it on another site. I don't *think* the last one is the case.

A MitM seems quite complex for this. I'm thinking the most likely scenario at this point is a either a vulnerability in MtGox's site, or someone at my workplace with access to their corporate "Big Brother" crap.

If no one else is complaining, I'm leaning heavily toward the latter - which is not to discount my own culpability, even a little. At the time I set that password, I was a fairly technical user but somewhat naive security-wise. That's by far the most likely, that they've had my password for months and have waited to use it.

Odd they chose now - I've been playing the market for a few weeks, starting with 1 BTC and working my way up to the 3 that was lost. They must not be checking often.

I hope I get ahold of account login logs That would give me something to chew on.

Unless you used the same password somewhere else it was most likely the Android tablet.
That's why we need this: http://www.indiegogo.com/projects/freedroid

Yep.

I'm digging in their interface now, it looks like they offer software auth. If that will work with Google Authenticator, I'll probably use that.

Another thing they could do (they may, I don't know) is offer an option where withdrawals may only be made to addresses from which deposits have been made.

Could you clarify the order of events:

You registered with mtgox with a weak pw
The "big" mtgox hack happened, user info leaked, some passwords cracked and phished
You changed your pw to a strong one
Your account gets hacked and 3 btc stolen

Right?

Interesting...

I'd put money on the weak password being "guessed", but I am not sure how much MtGox does to stop guessers.  Still, someone with a large botnet could have them all trying various combinations of passwords with various usernames derived from that MtGox hack list until they find one that works.  That'd get around any IP-based bruteforce detection.  English word + two digits is probably fairly high on the list of "to try" combinations for dictionary attacks.

No 2FA. I don't believe the password was re-used, but it's possible. I only got serious about security a year or so ago, after my initial involvement with Bitcoin and the security/cryptography fields that it led me to.

My account ID is my actual first and last name.

I'm confident I wasn't phished.

Not much use to you now, but you might want to use a Yubikey on gox in the future.
They offered me 1 for free, don't know if that offer still stands or if you have to pay for it nowadays.

put 2 factor authentication on withdrawals, then you'll never lose anything in your mtgox account again.

I am assuming no 2FA enabled?

With password compromise usually it is
a) phishing attack
b) password re-use on another compromised site
c) keylogging


I am sure you realize it in hindsight but a 20 char lastpass passwords protecting a 6 char account password doesn't enhance security. Still I doubt you were brute forced as the account probably would be locked. 

No, my password was changed a week or two after the break-in, whenever that was. I'm not a very active user of Bitcoin, and certainly not of MtGox. Apparently, I decided to use a very weak password then, probably for expediency, since I knew of the hack and changed it just in case I forgot later.

Some information to add:

The IP of the attacker was 37.190.151.69, which geolocated to Wroclaw, Poland. The destination address was 17GgxBiXVVTg7RFSGz2kEf3jLBhConxmQJ, where it sits right now with 6 confirmations.

Interested as well...

You're saying that your woefully weak password had been changed for more than a year?  How strong is the new one, and when exactly did you change to the new one?