Bitcoin Forum

it's been more than 48 hours since I submitted my claim to MtGox to have access again to my account

the link they provided me to check the status of the revision still reads "Your account recovery request is pending review by our staff"

have they or have they not started sending emails with further details about how to access our accounts?

I still haven't heard anything, but it will be another 9 hours before 48 hours will have passed since applying :(

same here, and I'm definitely past 48hrs.
Maybe they won't activate accounts until (just before) the new site goes live?

Haven't either.

I was amongst the very first to claim their account and that's over 50 hours ago ... but still no details on how to login or if there's some information missing to claim my account.

I think it's a bad thing to resume trading only one hour after the site re-opens.
There's no way they can handle all those support requests from the users without claimed account when the site re-opens at 3:00 AM GMT.

That's just a preliminary step. The important milestone is when people are successfully completing big withdrawals and receiving their funds from Mt. Gox without problems. If there's any stalling on delivering cash, something is very wrong at Mt. Gox.

like they lost their money, or the intrusion is worse than what they say?

I too are nervously waiting for verification - Questions arise.

Has my account been compromised and someone else has claimed it?
I saw the stolen data and my login, email and password hash were there for the world to see.

They've previously said the final step will come when the servers are live, wouldn't make any sense to tell you "go to www.abc.com and enter your details there" if www.abc.com is offline


Sorry, I was wrong:

    Once you have gone through the first step of reclaiming your account at claim.mtgox.com an email will be sent to the email address registered with your account.
    Within that email a link is provided that you will need to click. This will verify that you are the original owner of the Mt.Gox account that was reclaimed.
    When we have received enough reclaim requests, a follow up email with further instructions on how to access your account will be sent out.

That makes sense.  If they get two reclaim requests from different people for the same account, there's clearly trouble. By waiting, they can check for that.
At least everyone who's been on line through this debacle and got their reclaim request in should be protected.

Dormant accounts, not so much.

Again, it would be a good idea from now on not to keep balances in an "exchange". Sweep the Bitcoins out to your wallet and the cash to your bank account every day.  Dwolla is cheap enough to allow that.

Friday June 24th  01:40 GMT

"Users with reclaimed accounts will be able to login to Mt.Gox on Friday June 24th at 3:00 GMT"

- Less than 1.5 hrs until Mt Gox goes back online. No emails No anoucements.

My account recovery request has been accepted, less than 2 hours before they PLAN to re-open Mt. Gox. (http://forum.bitcoin.org/index.php?topic=21727.0)

Let's hope everything works as expected. But I'm not totally optimistic.

I just got this back from Mt Gox Support

Hello,

Before 3:00 GMT on Friday June 24th you will receive an email from us advising that either


A) Your claim was successful and you can login to Mt.Gox once the site is up.

or,

B) We require more information to process and authorize your claim.


We appreciate your continued patience as we work to get everything back online.

Thanks,

MtGox.com Team

My claim request has been accepted.

It's 4:48 GMT and there's still NO email with the claim resolution from MtGox, are they counting GMT wrong? what's going on?

This is my theory on why it's completely valid for them to be taking so long, please read: http://forum.bitcoin.org/index.php?topic=21676.msg273585#msg273585

Or tl;dr version: The longer it takes before an account is verified, the bigger the chance that the real user will file a claim for an account in the event that a scammer has access to enough info to claim an account. More than one claim will delay things, especially if both have valid info, and then the real person would hopefully get their account.

Super tl;dr: The longer it takes the less likely people are to get scammed and have all their stuff stolen.

I'm confirmed, had a strong password. Which is good, since I already changed it in Lastpass.  :D

My account recovery request has been accepted too. I had a strong password too and I am one of the first 500 customer registered on that famous hacked list. Hope the Mt.Gox team will get all the accounts sorted as soon as possible.

Last night they demonstrated they have at least 424,242 BTC, however there does seem to be evidence the intrusion was worse than they say. Strange, and oh so slowwwwwwwwwww.

I'm curious: how does MtGox know if a user's password was strong enough?

so MtGox employees have access to our passwords??

That was supposed to be automatically verified on part 1 of the claim form 2 days ago, which is why I've been saying everyone with a strong password should have already been verified by now.

What are they really doing?

Sweet, got my account verified about 2 hours ago. So judge where you stand based on when your request was and the rate they are acceptng requests (based on OP and myself).

Got my account verified today after 3 days.

My request failed :(

But I think I put my name not my bank's name, do'h

Reapplying...

Some MtGox employee might have access to your password, it depends on how the site is designed, anyhow there are ways to compute the password complexity even after it has been hashed (depending on hash)

got rejected, provided more proof and waiting for news now ...

edit: finally got accepted, phew ...

For people who are still waiting, make sure you keep an eye on your junk mail folder... my (acceptance) email landed there, even though previous Mt Gox emails made it to my inbox.

Made it, just gotta wait now for it to open.

Had email awaiting from Mt. Gox when I logged on this morning.  Went to the URL; my claim has been accepted.  So yes, they're restoring accounts, albeit fairly slowly.

Some employees will definitely have the capability to access to the encrypted hash.  So if you downloaded the password file (like I did) which was circulating around the net.  You would see things like

<some username> <some email address>  <hashed password>

Something like this:

mobydib mobydib@whale.com $1$0uu.XEh9$MT8XIHVdVGjlXyP/ezHhx1

The last part is the hash entry.  It's made of three parts:  The hash type, the salt and the hashed password itself.  These parts are all separated by the $ sign.

With this information, a nefarious person could attempt a brute force attack on your password to determine what it is.  In other words they can compute the hash for each password.   When they find one that produces a hash that matches the hash in the password file.  Then they know your password**

Ok, so when you talk about password 'strength'.  We are talking about the probability that the password can be discovered***.  This could include things as simple as someone guessing your password or using your GPU to compute password hashes.   So what's the best way to avoid someone guessing your password?  Well, to frame the question a little better it's worth noting that if you give a smart person a large enough amount of time they will guess your password regardless****.   So what you really want is the way to give them the worst chance of guessing your password.   In other words you want a password where the guesser has no better than average probability of guessing it.   In other words you want a random password.  On top of that we want to make sure that we don't give our guesser any "shortcuts".  For example by making our password short they don't have to guess long passwords.   By making the password only contain letters the attacker doesn't have to guess numbers.  The more permutations we force our attacker to try the more 'uncertainty' is in our random password.  In information theory we call this "entropy".

When Mt. Gox or any site asks you to enter a password and gives you some kind of feedback on it's 'strength'.   They are usually applying one of a few different entropy models which take into account things like: length, does it contain letters, numbers and punctuation.   They can even be comparing the relative frequency that various letters occur in other peoples passwords (i.e. more 'e's and less 'z's).   They may also be checking if it contains dictionary words which is a good sign it isn't random.  It also can make hashes vulnerable to a 'rainbow table' attack where an attacker pre-computes all possible hashes (for some subset of passwords - like those that contain dictionary words.   In this particular case that kind of attack doesn't work as the 'salt' part of the password file is a randomly generated string which is added to the password before it is hashed.  So even if every person used the same password the hash would be different.

To give you an idea as to how password strength is derived check out: http://www.passwordmeter.com/


**Technically this isn't 100% true as a hashing algorithm can (and will) create the same hash for different inputs *BUT* a well constructed hashing algorithm shouldn't do this for anything sufficiently shorter than the hash itself.  Like a password.  In any case if two passwords did create the same hash (we call this a "collision") then either password would work.   So it doesn't matter which one they find.

***Generally speaking we mean "discovered by a stranger"

****Assuming it's not sufficiently long that they wouldn't die before guessing. ;-)