Bitcoin Forum

Other => Beginners & Help => Topic started by: mooony on June 05, 2012, 06:27:47 AM



Title: MtGox account got cleared out
Post by: mooony on June 05, 2012, 06:27:47 AM
Hello i've been following bitcoin and lurking this forum since the start of the bitcoin bubble.

Yesterday i received an email stating that i had requested a withdrawal when i had in fact not logged in for close to two months. I accessed my account to find that two hours prior, someone had accessed my account, bought all the btc he could with what little cash i had left and withdrew all the btc from my account (roughly about ~30, a small amount but all the btc i have).

it seems i'm short on luck as my support request was replied to with this email:
Quote
Hello,

We are sorry for your loss. Unfortunately, we can not refund any amount of the stolen funds. While this is extremely disappointing news, it is unavoidable. Issuing a direct refund is not possible as there is no way of proving that your account was in fact compromised, or that it was the Mt.Gox database leak that caused this to happen. As a business if Mt.Gox were to offer you a cash or bitcoin refund in compensation of this extremely unfortunate event, there would be a large increase in the number of hacking attempts to capitalize upon the possibility of financial reward.

As a further remedy, we would like to suggest that you file a police report for the stolen goods. It is preferable for the police to inspect your computer, but not necessary. Once this investigation has occurred and a copy of the police report issued, please send a copy of it along with a notarized copy of your passport or Government issued photo ID to Mt.Gox.

Please let us know how you wish to proceed, and again we apologize for the frustration and inconvenience caused.

Thanks,

MtGox.com Team


anyone have any idea what i can do now?



also it seems someone else got hacked as well:
https://bitcointalk.org/index.php?topic=80562.msg941759#msg941759


Title: Re: MtGox account got cleared out
Post by: ThomasV on June 05, 2012, 06:38:52 AM
Quote from: mooony
anyone have any idea what i can do now?

any idea how the attack was possible?
did you use a strong password? yubikey?


Title: Re: MtGox account got cleared out
Post by: matthewh3 on June 05, 2012, 06:43:41 AM
I think some passwords were hacked on the GLBSE too.  It's always best not to reuse the same password on different sites.


Title: Re: MtGox account got cleared out
Post by: julz on June 05, 2012, 06:55:21 AM
As a matter of course, MtGox should be providing victims such as yourself with the IP addresses, logs/timestamps etc of recent accesses to your account.
If you are to file a police report, you should have all the relevant information about the unauthorised access to your account.




Title: Re: MtGox account got cleared out
Post by: caveden on June 05, 2012, 07:33:15 AM
Quote from: julz
As a matter of course, MtGox should be providing victims such as yourself with the IP addresses, logs/timestamps etc of recent accesses to your account.

Plus, they should allow users to set limits for themselves.
Like a preferences page where I set maximum withdrawal amounts per day and per week for myself. If I want to change these preferences by increasing the amounts, the change will only take effect like 48 hours later. And every change in these preferences is notified by e-mail, as is every withdrawal of any amount.

This way losses can be limited in cases such as this.


Title: Re: MtGox account got cleared out
Post by: mooony on June 05, 2012, 10:02:05 AM
Quote from: ThomasV
Quote from: mooony
anyone have any idea what i can do now?

any idea how the attack was possible?
did you use a strong password? yubikey?


really no idea, i only accessed mtgox once from a hotel's network and i have changed my password after that due to the database leak. not the strongest, 10 random alphanumeric. no caps either. nope no yubikey =/

Quote from: matthewh3
I think some passwords were hacked on the GLBSE too.  It's always best not to reuse the same password on different sites.

this is the only bitcoin related site that i have used this password on. granted i used the password on 2 other sites but they seem to be unaffected.


i may file a police report but honestly i don't really see the point.



Title: Re: MtGox account got cleared out
Post by: ThomasV on June 05, 2012, 10:09:31 AM
Quote from: mooony
this is the only bitcoin related site that i have used this password on.

what does "this" refer to? mtgox or glbse?


Title: Re: MtGox account got cleared out
Post by: Stephen Gornick on June 05, 2012, 10:54:22 AM
In another thread where there was a Mt. Gox account that got compromised, TT had just made some suggestions:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist. [Update: Mt. Gox just added this.]

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.


And in yet another thread where there was a GLBSE account that got compromised, TT made his appeal to them as well:

Please, exchanges, implement this SOON. You cannot implement it soon enough.
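
Added example, not part of the thread and not any exchange's code: a Python model that combines the two controls proposed above, caveden's self-imposed withdrawal limit (increases take effect 48 hours later, every change and withdrawal is notified) and TT's bitcoin address whitelist whose changes require a second factor. The class, its method names, the `second_factor_ok` flag and the `outbox` list standing in for e-mail are hypothetical; timestamps are plain seconds passed in by the caller.

```python
from dataclasses import dataclass, field

DAY = 24 * 3600
RAISE_DELAY = 48 * 3600  # a limit increase only takes effect 48 hours later

@dataclass
class WithdrawalPolicy:
    """Hypothetical per-account policy; every name here is an assumption."""
    daily_limit: float
    whitelist: set = field(default_factory=set)
    pending: tuple = None                        # (new_limit, effective_at)
    history: list = field(default_factory=list)  # (timestamp, amount)
    outbox: list = field(default_factory=list)   # stand-in for e-mail notices

    def change_whitelist(self, addr, add, second_factor_ok):
        if not second_factor_ok:  # a logged-in session or API key is not enough
            self.outbox.append(f"REJECTED whitelist change for {addr}")
            return False
        (self.whitelist.add if add else self.whitelist.discard)(addr)
        self.outbox.append(f"whitelist {'added' if add else 'removed'} {addr}")
        return True

    def current_limit(self, now):
        if self.pending and now >= self.pending[1]:
            self.daily_limit, self.pending = self.pending[0], None
        return self.daily_limit

    def set_daily_limit(self, new_limit, now):
        if new_limit <= self.current_limit(now):
            self.daily_limit, self.pending = new_limit, None  # lowering: immediate
        else:
            self.pending = (new_limit, now + RAISE_DELAY)     # raising: delayed
        self.outbox.append(f"limit change to {new_limit} requested")

    def spent(self, now):
        return sum(a for t, a in self.history if now - t < DAY)

    def withdraw(self, addr, amount, now):
        if addr not in self.whitelist:
            reason = "address not whitelisted"
        elif not 0 < amount <= self.current_limit(now) - self.spent(now):
            reason = "amount outside remaining daily limit"
        else:
            self.history.append((now, amount))
            self.outbox.append(f"withdrew {amount} to {addr}")
            return True, "ok"
        self.outbox.append(f"BLOCKED {amount} to {addr}: {reason}")
        return False, reason
```

With this policy, a stolen password alone can neither add a new destination address nor raise the limit before the owner has been notified and had 48 hours to react.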


Title: Re: MtGox account got cleared out
Post by: coin_toss on June 05, 2012, 03:01:34 PM
Just goes to show MtGox is still not a safe place to store funds long term, and especially without a yubikey