Bitcoin Forum

This morning when I tried to login btcguild, it said my password has been changed. Same deal with mtgox. I also cannot login my email which was associated with btcguild and mtgox. I recovered my password and resetted it only to found out that my account in btcguild has been updated with a new wallet id as well as a new email, which is my original email with a 1 appended at the end (eg from xyz@gmail.com to xyz1@gmail.com). Luckily I had payout lock in btcguild which means payout cannot be allowed within 24 hours of a wallet id change.

I then tried recover my password in MtGox by clicking the forgot password option, but the hacker likely changed my email address therefore I cannot receive the mail to reset my password. I've filed a ticket to MtGox support but I don't know how long it will take for them to respond to me. I would very much like them to freeze all my assets on MtGox (worth thousands of USD) until I can regain access to my account.

I'm typing this to let everyone know that I've either been hacked or the security in btcguild and/or MtGox is not secure.

Edit:

I've been contacted by MtGox and they are now on the case.

    Hi,

    We have located your funds. Unfortunately some funds have already been withdrawn ($1000 worth in bitcoins). We are tracking those funds as fast as possible.

    Thanks,
    Mark
    MtGox.com Team

Did you use the same password on multiple sites? What was it?

No, I did not use the same password on both sites, although both sites had the same user name. My first initial thought is that I have been hacked or keylogged, because whoever that did this cannot do this without access to my email username and password (he changed my email password).

Added highlighting... ;)

Unix style permissions: Receive, Send, Operate / View

What do you mean?

I mean I need to talk to developers pronto.

I suspect that this will not be the end of accounts being hacked. Seeing as the hacker targeted specifically for bitcoins (changing btcguild and mtgox passwords), This is done by someone within the community. I only got a new SSD with a fresh install of windows 2 weeks ago, and since then the programs that I've downloaded are the miners, bitcoin client, and the various sites I've visited are all bitcoin-related, such as http://www.bitcoinwatch.com, http://blog.bitcoinwatch.com/ and http://bitcoincharts.com/markets/

I'm using Microsoft Essentials as my anti-virus, and I have not been going to suspicious sites (as far I'm aware). So the hacker could only get through to me through the above means. I urge everyone that visits the same sites or uses the same programs as I do, change their passwords regularly (and avoid using same username and email for sensitive info).

I'm just enabled the two-step verification process for my gmail account to require a verification code sent to my phone before I can log in - I hope doing so will prevent hackers to have access to my email which then they use to change my passwords for various sites. Those of you that have invested significantly in mtgox should do the same.

Thank you, Mark first.

Check your account activity in gmail. At the bottom, it will say "Last account activity: XX minutes ago on this computer.  Details" click on details and it will show you the last IP's to login and when it was. See if you can find out any info from that.

Change wallet addresses too, see 'allinvain's thread, he lost his balance too (you might not have enough credit on it worth bothering now, but maybe later). Assume your machine is trojaned. If you have the funds it would perhaps benefit the community if you could have the machine analyzed for the attack vector.

I just checked and it only showed data up to 4 hours ago, and the IP addresses were all me since after I've recovered the password. The attack occurred about 6 hours ago so I couldn't get info on the attacker's IP.

Oh wow, so I am starting to now think that my stolen funds were facilitated by a bitcoin community program/util.

This is crazy insane, it's starting to look like a information warfare attempt on the bitcoin community - by targeting its users and selling their bitcoins. Free money for the thieves that's for sure!

Sheesh lets not make any crazy assumptions here. All we need is another fucking Gawker story. "Bitcoin websites hacking bitcoin walletz!11!"

If your gmail was compromised from another computer I would expect to give the info, maybe even a warning like this: http://2.bp.blogspot.com/_JE4qNpFW6Yk/S6o0ttPzP-I/AAAAAAAAAiI/Ape8SFfJuHE/warning.png

http://1.bp.blogspot.com/_JE4qNpFW6Yk/S6o1IRjTlYI/AAAAAAAAAiQ/Spzl4OTo0x4/warning2.png


Is it possible your computer was compromised physically? Do you leave your computer on and stay logged in?

I didn't see that warning when I reset my password from gmail.

I believe the attack occurred when I was using the computer, i.e. one minute I was logging in btcguild just fine, the next minute my password was changed. Both my mining computer (the one I believe was compromised) and my laptop were physically by my side.

MtGox is in the process of tracing my bitcoins now, I will continue to update this thread when I receive more info.

I wish you the best of luck spyjai! You and I are in the same boat. I have a strong feeling the same hacker that stole my BTC also hacked you as well.

To me it sounds like someone used a brute force program to break in.  Did you use the same PW on mtgox and the btc guild?  People should go through the code of these utilities to see if anyone snuck anything malicious in just in case.  Maybe some kind of key logger or something.

I used different pw for btcguild and mtgox. I'm now installing KeePass to store my passwords in.

spyjai, can you keep the infected pc offline? I don't want that hacker guy to be able to delete his traces (in the case he not already did).
What miners do you use? Maybe the attacker gained access to their webhosting and replaced some tool(s) by infected editions. We should compare the md5s of the various exes.

This is starting to worry me as well because a few days ago I found out that someone was trying to log in to my email (used on MtGox) but was unsuccessful - the site told me that numerous login attempts failed. The account at MtGox and my email had different passwords so I'm guessing that's what thwarted it.

Is your mtgox username your forum name? I wonder how he gets knowledge about the mtgox usernames and especially about the related email addresses.

@ Original poster
Could you please post in the topic at http://forum.bitcoin.org/index.php?topic=18050.0 as well?