Bitcoin Forum

I don't really know why I'm posting this, but my Mt. Gox account got hacked today, lost ~8K USD, absolutely devastated, as it was most of my money for college. Be careful. I assume there's no recourse for this?

Fuck my life. Be careful, people.

You're like the third guy here alone to be hacked recently. I think the attacks have begun in force.

You don't just get **Hacked**!

Your sec is only as good as the weakest link, and it's waaaay more likely that someone you know actually just got your pc unlocked.

ALSO!

MtGox is a legal entity, if you did get hacked, you are more then welcome to get the police to request the details to which your money was sent, MtGox at it's discretion may choose to comply.

Nope, I had my computer with me all the while this went down, and no one's used my computer.
I imagine someone bruteforced my password. It was all withdrawn in Bitcoin, so I have no delusions that I'll be able to track down the person that did it. That's kind of the point of bitcoin I suppose.

I don't really know why I posted this thread. It's just shitty. I'm devastated and needed to vent. Sorry for taking up space. Use complex passwords, people. Don't make the mistake I did.

Also, Mt. Gox needs to use a captcha. Really. Other people don't need to go through what I've gone through.

Agreed, so many people underestimate the power of the password.  To make one really secure, use special characters like #, !, &... that
makes it real hard to crack.  Also use upper/lowercase and alpha/numeric.

While I whole heartedly agree that a strong password is a must, but don't stop there.  Ensure you take other security measurements on your system as well: Up to date antivirus, scan pcs for malware/spyware, patch your systems.  And if you have questionable browsing habbits, then make sure you use a different system (if available) for that.

I'm sorry for your loss, hopefully there are some recourse with the vendor.

I know how you must be feeling to have something taken from you.  I once had my poker account broken into and they used up all my funds, while not to your amount, but I still felt violated.

You guys warning him about how to guard his own PC, seem to be assuming that Mt. Gox itself is 100% secure.

There needs to be a full investigation on every employee there to ensure they are not members of the financial terrorist groups that have been assaulting Bitcoins.

Yes, whatever you do don't use the same userid/password that you use for your pools, no matter how strong the password is!

The pools are under constant attack, and if you connect to many pools could you really trust each and everyone of the operators? There are only a few places where you can cash out your Bitcoins and it doesn't take much for someone who obtains your pool login to try to see if it also works on Mt Gox or Trade Hill.

So from you statements, is it safe to assume that your password was not a very good one?

No one entity is ever 100% secure.  But based on the OP's post, he mentioned that to use strong passwords and don't make his mistake, meaning its was probably not a strong password.  So a hacker could have easily brute force or dictionary attacked his password.

Use strong passwords. Change them on a regular basis. Transfer BTC out on a regular basis. Hope that sites start to use reCaptcha.

How is this possible, when the withdrawal limit is $1000?

Estimated worth of BTC in USD?

Fun that people still think CAPTCHA, especially reCaptcha - which is extremely widely used - is any good against bots. I have a small personal website with a simple comment form secured by reCaptcha. One or two spam entries per week. Don't tell me some Chinese guy is being forced to solve them, because posting spam on a website without any traffic doesn't generate profits. That leaves bots solving them. Welcome the 21st century's image recognition.

Yours
David

I remember using bots that would work around CAPTCHA when I was a little kid playing neopets.

It was a reasonably secure alphanumeric pass (or so I thought, at least), but I admittedly used it on more than one website.

Don't be naive about your password security, I guess is the moral of the story.

It's not fun.

thanks for the heads up, something we all need to keep in mind. possible MTGox needs a third security number like internet banking often do. something you choose but its on top of your password and therefore not used widely across the internet already by you.

Whaaaaaaaaaaaaaaaaaaaat?

I mean, how can someone steal $8000 worth of coins in one day? They could withdraw $1000 of them due to Mt Gox withdrawal limit, then you could contact Mt Gox admin to retrieve the remaining $7000 worth in the theif's account.

The limit is for dwolla/lr/euro withdrawals, I guess. You can take out as many bitcoins as you want at any time.

Not true. Bitcoin withdrawals are also subject to the 1000USD daily value limit.

How did this happen then? Mt.Gox --> Mt. Gox transfer in BTC? It was withdrawn to bitcoin addresses.

He did use several bitcoin addresses, does that have something to do with it? According to the timestamps, this all happened in about an hour, total.

My account was hacked last week and lost $43, I have to admit my password is week, but I think mtgox should lock one's account after five fail signing in and force to reset your password from email.

i agree, something more needs to be done considering many people prob now have more money in there than their real life bank accounts but with less security...  ???

I'm curious how they got around the safeguards built into the system. 1K a day isn't all that much.

What did the admin say about this, they should be able to show you an audit trail of where everything went.

Did they withdraw in USD or have the BTC transferred?

Did you use the same password in one of the mining pools?  If so which one? :)

I truly wasn't asking for this---really. Some random benefactor just sent me all that I lost. I don't know who you are, but you've helped me out more than you know. Thank you so much. The Bitcoin community is like no other.

Thank you, so much. I really don't know what to say. I hope to someday know be able to thank you personally. I wasn't asking for this, but I appreciate it so much.

And use complex passwords, everyone, and don't use them on other websites. Really.