Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: J. on August 04, 2011, 07:28:24 PM



Title: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 07:28:24 PM
I just discovered that there is someone who has taken all my bitcoins + sold the last to move money from one account to another.

It all happened Thursday 28.07, I've been on vacation and have only just logged into my account now to see if it had bought for $ 8 which I had set it to

All my money is gone and so is my bitcoins ..

What the hell is happening to the safety of MT Gox ...

I've now lost $ 4000 because of their incompetence.

F. ...! I'm getting tired of it.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: adamstgBit on August 04, 2011, 07:48:48 PM
Maybe your wife got a hold of your password?

I know if my wife had my password she'd sell sell sell (on a down no less....)


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: SgtSpike on August 04, 2011, 07:51:16 PM
Did you change your password after the last security breach?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: stick_theman on August 04, 2011, 07:51:53 PM
No YubiKey for you?  I feel sorry for you but after last Mt Gox hack, you should have known better.  Responsibility comes with greater freedom.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: gnaget on August 04, 2011, 07:53:14 PM
I've now lost $ 4000 because of their incompetence.

You have not explained how it is their incompetence yet.  I understand your frustration, $4,000 is not a small amount to lose.  However, they are probably not to blame.  Do you reuse your password in multiple places (including any pool you mine at)?  Is it a strong password?  Does anyone else know it?  Are you sure you don't have a keylogger or any other form of spyware?  MtGox can only do so much to prevent unauthorized access, the rest is up to you.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Gladiator on August 04, 2011, 07:53:32 PM
Most likely your fault.
Even if someone found out your login from the leak in June and used this knowledge to find out your password from some other service, it's your fault you didn't create a new account.
MtGox safety is limited to obvious bruteforce attempts, user database protection, their wallet protection and small stuff to keep the data you entrusted them from getting out. They reacted fast during the last crisis and limited the damage.
Everything else is entirely YOUR fault.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: gnaget on August 04, 2011, 07:53:47 PM
Responsibility comes with greater freedom.

Strike that; reverse it.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 07:54:59 PM
Maybe your wife got a hold of your password?

I know if my wife had my password she'd sell sell sell (on a down no less....)

:) hehe

no I'm the only one who has the code and then MT Gox: (


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 07:57:21 PM
Did you change your password after the last security breech?

Yes

it was like this

Xxxxxx-xxxX-xx-Xxxx Numbers and figures



Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 07:58:15 PM
No YubiKey for you?  I feel sorry for you but after last Mt Gox hack, you should have known better.  Responsibility comes with greater freedom.

You're right, but I thought they had gained control of security


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: geek-trader on August 04, 2011, 07:59:09 PM
Shouldn't you be taking this up with MtGox?  What do you expect the forum to do for you?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:03:06 PM
I've now lost $ 4000 because of their incompetence.

You have not explained how it is their incompetence yet.  I understand your frustration, $4,000 is not a small amount to lose.  However, they are probably not to blame.  Do you reuse your password in multiple places (including any pool you mine at)?  Is it a strong password?  Does anyone else know it?  Are you sure you don't have a keylogger or any other form of spyware?  MtGox can only do so much to prevent unauthorized access, the rest is up to you.

No
Yes
No
Yes

I have not lost $ 4000 this time.

this time it was only 119 bitcoins + approx. $ 300-400

but for their lack of security, I have since launching the lost $ 4000 because it is the amount I put in and now it's $ 0 0BTC back: (


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: N12 on August 04, 2011, 08:04:00 PM
People, this type of victim blaming is starting to piss even me off. Yes, possibly it is his fault. No, your comments are not helpful at all.

I would go straight to #mtgox on freenode and chat with MagicalTux (admin of MtGox).


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: pent on August 04, 2011, 08:04:08 PM
The way to be secure:

Use Linux.
Use VPN.
Don't use vocabulary words in passwords.
Don't use passwords of less than 8 characters.
Don't repeat your passwords in several places.
Keep passwords in a safe place like KeePassX.
Learn to distinguish phishing emails from original ones.



Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:06:24 PM
Shouldn't you be taking this up with MtGox?  What do you expect the forum to do for you?

I also did, but as you probably know, it can surely take up to 3-4 days before you hear anything from them.

I just wanted to warn others that it can happen to them too ...


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:11:18 PM
Well obviously your password was compromised.

More than likely an easy PW, used it somewhere else or a similar variation, etc...

I doubt seriously this is some sort of mass breach or a MTGOX issue.



I have accounts with 2 other bitcoin exchanges, and I did not lose my money there. So if not it should be MT Gox's problem who the hell would it be ...

it's like their website and system I use, then you must surely expect that they have mastered their shit.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Tasty Champa on August 04, 2011, 08:14:50 PM
how was the vacation?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:20:22 PM
Shouldn't you be taking this up with MtGox?  What do you expect the forum to do for you?

I also did, but as you probably know, it can surely take up to 3-4 days before you hear anything from them.

I just wanted to warn others that it can happen to them too ...


What exactly are you warning us about, Not to be stupid with passwords???

why the hell are you such a fool?

I'm not saying that I have not done anything wrong, but if I have complied with all safety rules MT gox have put up with me for my password, so can not help it fail.

my password is powerband that uppercase and lowercase letters numbers and characters is the most secure code I've ever used and yet it happens that it gets broken.

password is not used any other place no one else knows it.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Tasty Champa on August 04, 2011, 08:21:58 PM
I went through your post history and I see you have been an asset to the community.
You helped people and projected a confident acknowledgement to and of people here.

there is nothing any of us here can do for you besides speculate and possibly console you.
The only person that might be able to help you is MagicalTux, but they offer no kind of security AFAIK when it comes to someone getting past authentication.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:22:36 PM
how was the vacation?

Nice:)


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:23:03 PM
Did you change your password after the last security breech?

Yes


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: TheGer on August 04, 2011, 08:24:19 PM
"I just discovered that there is someone who has taken all my bitcoins + sold the last to move money from one account to another."

This is either fake or the guy is too stupid and deserves to lose his stuff.  Personally I lean fake since if they transferred the money to another account I would simply take it up with MtGox before crybabying on some Forum since there is a paper trail if he's telling the truth.

Fake to sow seeds of discontent among the Bitcoin Community?  Hmm.



Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: SgtSpike on August 04, 2011, 08:24:38 PM
We should definitely strive to discover what the cause of this breach was.  Was it a trojan or keylogger on the OP's computer?  Did someone find a new security hole in MtGox?  CSRF attack?  Phishing website?  Etc, etc.

There had to be SOME cause to it, and pointing fingers at either side isn't going to do any good.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: fcmatt on August 04, 2011, 08:27:55 PM
i cannot imagine MTGOX allows IPs to attempt to brute force a password over and over again from the
same IP address. Even if the attacker had 10,000 public IPs to use and MTGOX allowed 10 attempts
before locking it out for 24 hours.. it would be almost impossible to brute force a password like the OP
has in any reasonable amount of time.

So that leaves me thinking that the OP has some type of virus/trojan on his PC and the attacker
snarfed the password via that vector.

OP, do you run windows, linux or a mac? I am just curious.
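
The lockout figures in the post above (10 attempts, 24-hour lock, 10,000 source IPs), worked through as an added example that is not part of the original thread and is not MtGox's actual logic. The `Lockout` class, the per-account variant, the 8-character 62-symbol password and all sample events are assumptions made for illustration.

```python
from collections import defaultdict

MAX_FAILS = 10              # failed attempts before a lock (figure from the post)
LOCK_SECONDS = 24 * 3600    # lock duration (figure from the post)


class Lockout:
    """Counts failed logins per key (an IP or an account) and locks the key."""

    def __init__(self, max_fails=MAX_FAILS, lock_seconds=LOCK_SECONDS):
        self.max_fails = max_fails
        self.lock_seconds = lock_seconds
        self.fails = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is not None and now >= until:
            # Lock has expired: clear it and start counting again.
            del self.locked_until[key]
            self.fails[key] = 0
            return False
        return until is not None

    def record_failure(self, key, now):
        self.fails[key] += 1
        if self.fails[key] >= self.max_fails:
            self.locked_until[key] = now + self.lock_seconds


def guesses_checked(events, per_account):
    """Return how many login attempts actually reach the password check.

    events: iterable of (timestamp_seconds, source_ip, account); every
    attempt is assumed to carry a wrong password.
    per_account: also lock the target account, not only the source IP.
    """
    ip_lock, account_lock = Lockout(), Lockout()
    checked = 0
    for now, ip, account in events:
        if ip_lock.is_locked(ip, now):
            continue
        if per_account and account_lock.is_locked(account, now):
            continue
        checked += 1
        ip_lock.record_failure(ip, now)
        if per_account:
            account_lock.record_failure(account, now)
    return checked


def days_to_exhaust(keyspace, source_ips, attempts_per_ip_per_day=MAX_FAILS):
    """Days needed to try every candidate when only per-IP lockout applies."""
    return keyspace / (source_ips * attempts_per_ip_per_day)


# Constructed sample: 50 documentation-range IPs, 12 attempts each, one
# attempt per second, all against the same (hypothetical) account.
CONSTRUCTED_EVENTS = [
    (ip_index * 12 + attempt, f"198.51.100.{ip_index}", "victim")
    for ip_index in range(50)
    for attempt in range(12)
]

if __name__ == "__main__":
    print("per-IP lockout only:     ", guesses_checked(CONSTRUCTED_EVENTS, False))
    print("per-IP + per-account:    ", guesses_checked(CONSTRUCTED_EVENTS, True))
    # Assumed password: 8 random characters from a-z, A-Z, 0-9.
    print("days, random 8-char pw:  ", days_to_exhaust(62 ** 8, 10_000))
    # Assumed weak case: the password is somewhere in a 100,000-entry list.
    print("days, 100k-entry list:   ", days_to_exhaust(100_000, 10_000))
```

With per-IP lockout alone, the number of guesses scales with the number of source addresses, which is harmless against a long random password but not against a reused or common one; counting failures per account caps it regardless of how many addresses are involved.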


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: nostrum on August 04, 2011, 08:29:57 PM
Where did you store your password?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Man From The Future on August 04, 2011, 08:30:22 PM
Did you change your password after the last security breech?
I don't wear breeches!

(You mean breach!)


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:30:29 PM
I went through your post history and I see you have been an asset to the community.
You helped people and projected a confident acknowledgement to and of people here.

there is nothing any of us here can do for you besides speculate and possibly console you.
The only person that might be able to help you is MagicalTux, but they offer no kind of security AFAIK when it comes to someone getting past authentication.

:(

I love bitcoin and the whole idea of being able to trade more freely, but I'm also getting tired of constantly being put back.

I'm not in doubt for one second that if MT Gox had not been hacked last time, bitcoins would have been worth $ 40-60 today ... this does not help that there is more security about the exchanges we use. And I have made risk spreading by using several exchanges and have few bitcoins in each, but it does not help a damn thing ... think I'm done with bitcoins ....


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:32:32 PM
"I just discovered that there is someone who has taken all my bitcoins + sold the last to move money from one account to another."

This is either fake or the guy is too stupid and deserves to lose his stuff.  Personally I lean fake since if they transferred the money to another account I would simply take it up with MtGox before crybabying on some Forum since there is a paper trail if he's telling the truth.

Fake to sow seeds of discontent among the Bitcoin Community?  Hmm.



send to this address:
Thu 28 Jul 2011 04:56:57 PM GMT   withdraw   Bitcoin withdraw to 1LxTV74oksinziDR3fgvvLUf6jdsnwSUiP   100.00000000 ฿TC

Thu 28 Jul 2011 05:15:42 PM GMT   withdraw   Generate redeem code: MTGOX-USD-4K7SA-UYVH8-UH85P-50E3D   $305.49932

Account balance $0.00000
Account balance BTC 0.00000


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:34:59 PM
i cannot imagine MTGOX allows IPs to attempt to brute force a password over and over again from the
same IP address. Even if the attacker had 10,000 public IPs to use and MTGOX allowed 10 attempts
before locking it out for 24 hours.. it would be almost impossible to brute force a password like the OP
has in any reasonable amount of time.

So that leaves me thinking that the OP has some type of virus/trojan on his PC and the attacker
snarfed the password via that vector.

OP, do you run windows, linux or a mac? I am just curious.

Mac


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:37:04 PM
Where did you store your password?

I do not understand your question


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Johnny Pizza on August 04, 2011, 08:38:47 PM
A sucker is born every minute.  8) I'm sure whoever got them from you is enjoying themselves.  :P


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: SgtSpike on August 04, 2011, 08:40:43 PM
Did you change your password after the last security breech?
I don't wear breeches!

(You mean breach!)
Dang... my spelling is getting worse as I age.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: fcmatt on August 04, 2011, 08:42:02 PM
i cannot imagine MTGOX allows IPs to attempt to brute force a password over and over again from the
same IP address. Even if the attacker had 10,000 public IPs to use and MTGOX allowed 10 attempts
before locking it out for 24 hours.. it would be almost impossible to brute force a password like the OP
has in any reasonable amount of time.

So that leaves me thinking that the OP has some type of virus/trojan on his PC and the attacker
snarfed the password via that vector.

OP, do you run windows, linux or a mac? I am just curious.

Mac

Well running a mac surely throws out 99% of viruses and typical internet attacks.
The other .99% can be defeated via updated software on a regular basis leaving only 0day attacks and blatant
mistakes by a user who runs untrusted software and otherwise clicks YES to anything that
pops up on his desktop.

Do you run all sorts of goofy software found on the internet? Especially odd bitcoin related software?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:42:35 PM
A sucker is born every minute.  8) I'm sure whoever got them from you is enjoying themselves.  :P

Nice!!!!


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: KeyserSoze on August 04, 2011, 08:45:51 PM
how was the vacation?
rotfl


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 08:47:03 PM
i cannot imagine MTGOX allows IPs to attempt to brute force a password over and over again from the
same IP address. Even if the attacker had 10,000 public IPs to use and MTGOX allowed 10 attempts
before locking it out for 24 hours.. it would be almost impossible to brute force a password like the OP
has in any reasonable amount of time.

So that leaves me thinking that the OP has some type of virus/trojan on his PC and the attacker
snarfed the password via that vector.

OP, do you run windows, linux or a mac? I am just curious.

Mac

Well running a mac surely throws out 99% of viruses and typical internet attacks.
The other .99% can be defeated via updated software on a regular basis leaving only 0day attacks and blatant
mistakes by a user who runs untrusted software and otherwise clicks YES to anything that
pops up on his desktop.

Do you run all sorts of goofy software found on the internet? Especially odd bitcoin related software?


No, all my software is bought and paid for and I update regularly ...

I do not use programs I do not know and have never had an attack of any kind.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: nostrum on August 04, 2011, 09:02:39 PM
Where did you store your password?

I do not understand your question

You said you had a unique, long and secure password. I generally do not expect people (like myself) being able to remember them.
Did you use a service like LastPass or did you have the password written down in (encrypted) text somewhere (inside or outside the computer)?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 09:07:21 PM
Where did you store your password?

I do not understand your question

You said you had a unique, long and secure password. I generally do not expect people (like myself) being able to remember them.
Did you use a service like LastPass or did you have the password written down in (encrypted) text somewhere (inside or outside the computer)?


outside the computer
in my head:)


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: fcmatt on August 04, 2011, 09:21:50 PM
MTGOX uses https for auth.. so it is not like a man in the middle attack is trivial.

Also, it seems the user is not a noob running windows XP with sp2 or what not.

If I was MTGOX I would be taking this post oh so seriously as an attacker of the MTGOX
website would surely go about draining accounts in a slow methodical fashion versus going
all out and alerting many people at once.

If they were owned once.. it can happen again. Especially when an attacker knows there is
a currency that can be transferred anonymously.

The OP seems to have his bases covered unless, no offense, you are not telling us exactly
how you use this apple mac computer. Perhaps you like to view odd things online going to
several possibly malicious websites per day?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: pdki on August 04, 2011, 09:22:22 PM
Whatever happened, before blaming this guy, remember what people were saying when the first reports of cracked mtgox accounts were reported on this forum. Nobody believed them. A couple of days later the mtgox account database was available for download.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 04, 2011, 09:44:57 PM
MTGOX uses https for auth.. so it is not like a man in the middle attack is trivial.

Also, it seems the user is not a noob running windows XP with sp2 or what not.

If I was MTGOX I would be taking this post oh so seriously as an attacker of the MTGOX
website would surely go about draining accounts in a slow methodical fashion versus going
all out and alerting many people at once.

If they were owned once.. it can happen again. Especially when an attacker knows there is
a currency that can be transferred anonymously.

The OP seems to have his bases covered unless, no offense, you are not telling us exactly
how you use this apple mac computer. Perhaps you like to view odd things online going to
several possibly malicious websites per day?

It is as I've written, I just ran a check on all my systems and programs ... no errors or viruses.

I have also just moved my bitcoin wallet onto another mac which is not online currently, so I did not lose all my bitcoins lying there ...

I do not know how the person came into my account, but when I was in on it, worked my code / password not and I had to receive an email from MT Gox before I could get in, and when I came in. I could see that all accounts were in both 0 $ and BTC

So I looked at the logs and could see there had been eliminated 100 BTC and that had subsequently been sold 19 BTC and then moved around. $ 320


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: jondecker76 on August 04, 2011, 10:32:07 PM
It sucks to see these kinds of problems still happening.  I never have understood why people around here attack honest users that report problems.  I reported about my BTC being stolen on here and to MtGox in the days before the news of the big hack going public - we got the same ridicule and blame as you seem to be getting.  I too was using a secure password, running Linux and definitely not a noob to basic security.  What makes it worse is that I hounded MtGox for almost a solid month before I even got a response back from them - they didn't care that their security problems caused a lot of us to lose money, end of story.

The biggest thing I learned from my experience is to stay far away from MtGox. (There is a reason you see so many "GOXXED!" banners around here on the forums). While I believe that they are trying to run an honest business, they obviously are rookies when it comes to security, PR and support issues.  I now do my business at TradeHill and I've been pretty happy with them.  I'd suggest that you also look at other exchange options, whichever one you choose.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: fitty on August 04, 2011, 10:45:09 PM
I just discovered that there is someone who has taken all my bitcoins + sold the last to move money from one account to another.

It all happened Thursday 28.07, I've been on vacation and have only just logged into my account now to see if it had bought for $ 8 which I had set it to

All my money is gone and so is my bitcoins ..

What the hell is happening to the safety of MT Gox ...

I've now lost $ 4000 because of their incompetence.

F. ...! I'm getting tired of it.

I don't see how it's not entirely your fault.

Who keeps money on these sites anyway? Paypal is owned by eBay, can be sued, located in the USA, used to transfer millions a day, I wouldn't leave $10 sitting in my paypal account. So now you talk about these fly by night 3 month old Bitcoin exchanges owned by god knows who, running from god knows where, and you'd leave $1000s sitting on there? Why?

I move BTC to the exchange, sell it, move money out. Takes about 30 minutes. I'd never leave .1 BTC or $1 sitting on any of these sites. It's just laziness. Not to mention leaving money on there while you go on vacation. If I left for a week, in my mind it's 50/50 if MtGox is alive/up when I get home. Nothing with them shocks me. I trust them an hour at a time and that's it.

Stop using these two bit hack job sites as banks. They're not banks. Your money isn't safe. There's no recourse if the money disappears. It's not a fucking bank. Stop using it like a fucking bank. If MtGox just decided to zero out your balance for shits and giggles, there's NOTHING you can do. So why exactly did you trust them to secure your money while you were on vacation?

Bitcoin wallets, exchanges, any site related to BTC, is not a real bank, it's not secure, don't expect them to act like a bank. Grow up, make better decisions and stop crying on a public internet forum it's embarrassing.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: tvbcof on August 04, 2011, 10:57:50 PM

...

I've now lost $ 4000 because of their incompetence.

F. ...! I'm getting tired of it.

I don't see how it's not entirely your fault.

Who keeps money on these sites anyway?

...


I agree that it's silly to keep more than one needs on any exchange at this point in time.  That goes double for MtGox by virtue of their reputation.

But I disagree that it is 'entirely' the guy's fault.  If he used good practices as he described then it was almost certainly yet another internal breach or system error.  That is fairly unacceptable.  I must trust my exchange with several k$ at a time if I want to do the type of business I am interested in.

A site which has been breached and/or is careless in one way or another could lose that money in 1 microsecond and that is completely unacceptable.  I choose my exchange(s) as best I could with this in mind, and I would consider myself partially to blame in the event of a loss by virtue of not choosing carefully enough, and partially my fault for being involved in Bitcoin at all, but certainly not 'entirely'.



Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: fitty on August 04, 2011, 11:00:26 PM

...

I've now lost $ 4000 because of their incompetence.

F. ...! I'm getting tired of it.

I don't see how it's not entirely your fault.

Who keeps money on these sites anyway?

...


I agree that it's silly to keep more than one needs on any exchange at this point in time.  That goes double for MtGox by virtue of their reputation.

But I disagree that it is 'entirely' the guy's fault.  If he used good practices as he described then it was almost certainly yet another internal breach or system error.  That is fairly unacceptable.  I must trust my exchange with several k$ at a time if I want to do the type of business I am interested in.

A site which has been breached and/or is careless in one way or another could lose that money in 1 microsecond and that is completely unacceptable.  I choose my exchange(s) as best I could with this in mind, and I would consider myself partially to blame in the event of a loss by virtue of not choosing carefully enough, and partially my fault for being involved in Bitcoin at all, but certainly not 'entirely'.



I agree.

It's "entirely" because he was on vacation. Leaving 4k in the hands of MtGox while on vacation is stupid.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: SgtSpike on August 05, 2011, 12:11:23 AM
I just discovered that there is someone who has taken all my bitcoins + sold the last to move money from one account to another.

It all happened Thursday 28.07, I've been on vacation and have only just logged into my account now to see if it had bought for $ 8 which I had set it to

All my money is gone and so is my bitcoins ..

What the hell is happening to the safety of MT Gox ...

I've now lost $ 4000 because of their incompetence.

F. ...! I'm getting tired of it.

I don't see how it's not entirely your fault.

Who keeps money on these sites anyway? Paypal is owned by eBay, can be sued, located in the USA, used to transfer millions a day, I wouldn't leave $10 sitting in my paypal account. So now you talk about these fly by night 3 month old Bitcoin exchanges owned by god knows who, running from god knows where, and you'd leave $1000s sitting on there? Why?

I move BTC to the exchange, sell it, move money out. Takes about 30 minutes. I'd never leave .1 BTC or $1 sitting on any of these sites. It's just laziness. Not to mention leaving money on there while you go on vacation. If I left for a week, in my mind it's 50/50 if MtGox is alive/up when I get home. Nothing with them shocks me. I trust them an hour at a time and that's it.

Stop using these two bit hack job sites as banks. They're not banks. Your money isn't safe. There's no recourse if the money disappears. It's not a fucking bank. Stop using it like a fucking bank. If MtGox just decided to zero out your balance for shits and giggles, there's NOTHING you can do. So why exactly did you trust them to secure your money while you were on vacation?

Bitcoin wallets, exchanges, any site related to BTC, is not a real bank, it's not secure, don't expect them to act like a bank. Grow up, make better decisions and stop crying on a public internet forum it's embarrassing.
If he's a day-trader, it's entirely necessary to keep funds in one's account.  At least $$$ funds.  The bitcoins can be transferred in and out easily enough, but dollars or other currencies often take days.

I don't think it's reasonable to expect an active trader to move funds in and out of their mtgox account every day.  MtGox SHOULD be secure.  If they are not, then we should stop using them.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: rouhaud on August 05, 2011, 12:14:21 AM
If you are doing all your transfers from your unique IP address, you can ask MtGox to look at the log, and if the "transfer" of $4000 doesn't come from your IP, your IP can sometimes be a proof of identity.
Try to see how MtGox reacts!!! And post their response.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: paraipan on August 05, 2011, 01:01:11 AM
nice thread you have here, and you haven't posted one single proof of what you're saying ...


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: elements on August 05, 2011, 01:24:24 AM
I just discovered that there is someone who has taken all my bitcoins + sold the last to move money from one account to another.

It all happened Thursday 28.07, I've been on vacation and have only just logged into my account now to see if it had bought for $ 8 which I had set it to

All my money is gone and so is my bitcoins ..

What the hell is happening to the safety of MT Gox ...

I've now lost $ 4000 because of their incompetence.

F. ...! I'm getting tired of it.

I don't see how it's not entirely your fault.

Who keeps money on these sites anyway? Paypal is owned by eBay, can be sued, located in the USA, used to transfer millions a day, I wouldn't leave $10 sitting in my paypal account. So now you talk about these fly by night 3 month old Bitcoin exchanges owned by god knows who, running from god knows where, and you'd leave $1000s sitting on there? Why?

I move BTC to the exchange, sell it, move money out. Takes about 30 minutes. I'd never leave .1 BTC or $1 sitting on any of these sites. It's just laziness. Not to mention leaving money on there while you go on vacation. If I left for a week, in my mind it's 50/50 if MtGox is alive/up when I get home. Nothing with them shocks me. I trust them an hour at a time and that's it.

Stop using these two bit hack job sites as banks. They're not banks. Your money isn't safe. There's no recourse if the money disappears. It's not a fucking bank. Stop using it like a fucking bank. If MtGox just decided to zero out your balance for shits and giggles, there's NOTHING you can do. So why exactly did you trust them to secure your money while you were on vacation?

Bitcoin wallets, exchanges, any site related to BTC, is not a real bank, it's not secure, don't expect them to act like a bank. Grow up, make better decisions and stop crying on a public internet forum it's embarrassing.
If he's a day-trader, it's entirely necessary to keep funds in one's account.  At least $$$ funds.  The bitcoins can be transferred in and out easily enough, but dollars or other currencies often take days.

I don't think it's reasonable to expect an active trader to move funds in and out of their mtgox account every day.  MtGox SHOULD be secure.  If they are not, then we should stop using them.

+1


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Phinnaeus Gage on August 05, 2011, 01:29:31 AM
Perhaps I can shed a little light on the subject: https://bitcointalk.org/index.php?topic=10099.msg281979#msg281979


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: RandyFolds on August 05, 2011, 06:52:46 AM
Perhaps I can shed a little light on the subject: https://bitcointalk.org/index.php?topic=10099.msg281979#msg281979

Yeah, that is unfortunate. That's a lot of info to hand the script kiddies.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 05, 2011, 08:59:03 AM
I just discovered that there is someone who has taken all my bitcoins + sold the last to move money from one account to another.

It all happened Thursday 28.07, I've been on vacation and have only just logged into my account now to see if it had bought for $ 8 which I had set it to

All my money is gone and so is my bitcoins ..

What the hell is happening to the safety of MT Gox ...

I've now lost $ 4000 because of their incompetence.

F. ...! I'm getting tired of it.

I don't see how it's not entirely your fault.

Who keeps money on these sites anyway? Paypal is owned by eBay, can be sued, located in the USA, used to transfer millions a day, I wouldn't leave $10 sitting in my paypal account. So now you talk about these fly by night 3 month old Bitcoin exchanges owned by god knows who, running from god knows where, and you'd leave $1000s sitting on there? Why?

I move BTC to the exchange, sell it, move money out. Takes about 30 minutes. I'd never leave .1 BTC or $1 sitting on any of these sites. It's just laziness. Not to mention leaving money on there while you go on vacation. If I left for a week, in my mind it's 50/50 is MtGox is alive/up when I get home. Nothing with them shocks me. I trust them an hour at a time and that's it.

Stop using these two bit hack job sites as banks. They're not banks. Your money isn't safe. There's no recourse if the money disappears. It's not a fucking bank. Stop using it like a fucking bank. If MtGox just decided to zero out your balance for shits and giggles, there's NOTHING you can do. So why exactly did you trust them to secure your money while you were on vacation?

Bitcoin wallets, exchanges, any site related to BTC, is not a real bank, it's not secure, don't expect them to act like a bank. Grow up, make better decisions and stop crying on a public internet forum it's embarrassing.

If he's a day-trader, it's entirely necessary to keep funds in one's account.  At least $$$ funds.  The bitcoins can be transferred in and out easily enough, but dollars or other currencies often take days.

I don't think it's reasonable to expect an active trader to move funds in and out of their mtgox account every day.  MtGox SHOULD be secure.  If they are not, then we should stop using them.

I had no money mentioned, maybe $ 20, but idiot has sold a lot of my bitcoins and subsequently transferred the money he got for it out of my account ...

I had approx. 120 bitcoins standing, they were purchased for $ 22 piece

The person who took it sold much of one for $ 13-10 a head for getting money out, and the rest of my bitcoins may have sent to an address which is not my.

So try just taking a breather all together .... I know that it is not my fault and could actually just wanted to warn others, causing it was the way it started last time.

and yes it may well be that I have been an idiot and trusted MT Gox, but I've taken mine safety rules has 3 wallet that uses several exchanges, moves continuously mine bitcoins for a wallet is not online ...

But frankly, it ought not be right that you should spend so much time trying to ensure its funds ....... Bitcoins will never be successful as long as people think it is entirely in order that you must do so many things to ensure himself and his money.

and stop now to call anyone who has a minor problem for novice and losers, it is them to focus on if you want Bitcoins to have a chanche in life ... it is not because of you that it exists, but because new user and investors.

 if this one day be worth much money and is used by many or all, you have to find a more secure solution, otherwise it dies before the project even has started.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 05, 2011, 09:01:07 AM
nice thread you have here, and you haven't posted one single proof of what you're saying ...

what proof do you want?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 05, 2011, 09:04:57 AM
Perhaps I can shed a little light on the subject: https://bitcointalk.org/index.php?topic=10099.msg281979#msg281979

the information should not be able to give anyone access to my MT Gox account ... maybe my wallet, but it is not the one who has been hagget, so it's just a lot of these details.

also requires it's also that there is a virus or something on my computer, but there is no ..


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: bcearl on August 05, 2011, 09:18:09 AM
Have you been physically hurt? No? Then it is stolen, not robbed.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 05, 2011, 09:20:59 AM
Maybe you were drunk and sold all the coins for USD to get hookers and blow?  ???

Yes you're right that's probably what happened,,, thank you just might make me aware of it .. that I had never even thought of


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 05, 2011, 09:22:46 AM
Have you been physically hurt? No? Then it is stolen, not robbed.

If your biggest problem is if I use the right words, then can we all the same just be happy and satisfied, this is not funny you idiot ...


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 05, 2011, 09:26:43 AM
J, Aug-05 02:51 (JST):
my account has been hagget, my code did not work more because I wanted to go today, so may have sent an email with a new code .... HEVEDERES what happens to your ridiculous shitty site ...

119 bitcoin stolen and
300 USD.

what the hell is this bullshit.

send to this address:
Thu 28 Jul 2011 04:56:57 PM GMT   withdraw   Bitcoin withdraw to 1LxTV74oksinziDR3fgvvLUf6jdsnwSUiP   100.00000000 ฿TC

Thu 28 Jul 2011 05:15:42 PM GMT   withdraw   Generate redeem code: MTGOX-USD-4K7SA-UYVH8-UH85P-50E3D   $305.49932

Accound balance$0.00000
Accound balance BTC 0.00000

it also seems that there have been several sales and purchases in the last few days where I have not been inside ... it can not be true ... I expect all my money and bitcoins is back on my account.

Otherwise, the refund all my $ 4000 which I have added to your shitty site and lost because of your incompetent security.

_________________________________________________________________________________________________________________

Jasmine, Aug-05 10:39 (JST):
Hello,

I apologize about your recent theft. We do not have the ability to "reverse" any transfers. The IP addresses of both transactions are 115.133.198.86 and 64.120.79.136. At this point, I strongly advise you to change your password to a more secure one; using at least one upper case, number, and special character will prevent anyone and any computers from guessing your password. Also, please change the password to any connecting email addresses.

I also strongly encourage you to obtain a Yubikey, which we can offer it to you for free. Unfortunately, that is the only thing we can do for your situation. You may file a police report, which we can try our best to cooperate with the investigation.

I apologize for any inconvenience this has caused.

Thanks,

MtGox.com Team

The IP addresses of both transactions are 115.133.198.86 and 64.120.79.136.
MY IP Adress i 192.168.2.103 :(

I strongly advise you to change your password to a more secure one, using at least one upper case, number, and special character will prevent anyone and any computers from guessing your password.
Me password was (have been changed) J08-uU33-1604-82-xXx

_EDIT_______________________________________________________________

Hello J,

I apologize for the recent loss you experienced. I believe our administrator informed you that a third party was able to access your account through getting access of your email account. It is important to have a strong secure password for email accounts associated with your Mt.Gox account. We try our best to provide you a secure account on Mt.Gox, but we can not be responsible for all security measures outside of your Mt.Gox account, such as your email account in this case. We have been providing security options such as Yubikey for our users, and having one might have protected you from this hack. Again, I apologize for your loss.

Thanks,

MtGox.com Team

________________________________________________________________________________________________________

I can understand that, you want to disclaim responsibility for my loss but my emai address, user name, password, etc. has only been announced today, due to your lack of security. I have just learned that all user account information has been posted online, so it means that all my information has been announced on the web because of your past mistakes.

I have not received an email or a warning from you by whether that information was announced from the time your page was hacked, otherwise I probably changed my password to my mail.

so whether it has happened because there is someone who has had access to my mail and then be able to receive a new password

and thus could empty my MT Gox account, it's still your fault and your responsibility.

in addition, if 2 IP addresses that are not mine or not even in the country I live in allowed accessing my account ... it in I might not coexist on the same day can be accessed from an IP address in Malaysia and the United States and that the user who owns the account lives in Denmark?

it works as completely out of the forest that you not having more control on your security.

But if not you have thought to replace my loss, I will spend my whole network to create negative publicity regarding. your company and website ...
I will use all the social media I know and write articles in forums and blogs on the web ...

it can not be really in time and again, you stupid and then you deny any responsibility

it can be only one responsibility and that is your .. it is you who has since it's you who've made the rules, it is you who have chosen to do bitcoins for your business, then it is also your responsibility to protect people's funds and ensure that it can not be theft. [# ]

I have now seen several places on the forum that people are shocked that it's so easy to access the accounts just to receive a new code ..

YOU have chosen to make the kind of business and be in the industry in is in, so must also act after the ...

So I sincerely hope that you have thought you to cover my losses. as in earning a lot of money that people use you and trusts that your funds are secured.

it is fine enough that it can be wrong, but we must make amends, it's no good just to write 'if you had used it and the program this was not happend ... it has happened and now may have to make amends ..

it's not small change we're talking about ... I have lost almost $ 4000 to join your side ......

if i really believe that you are a legitimate business and want to be the biggest and best in doing so it is time to act like a professional company ...

and frankly, it's small change for you and especially now that the price is so low as it is .. you can buy it back below $ 1000 which I paid $ 2100-2200 for the time ..


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Djao on August 05, 2011, 09:37:25 AM
MY IP Adress i 192.168.2.103 :(

That is your IP within your home LAN or WLAN. When you surf the web or chat in IRC or whatever, you will have an IP address assigned to you by your ISP. Check a page like http://msv.dk/ms302.aspx to see your IP.

@topic: new day, new drama ... I love this board


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: repentance on August 05, 2011, 09:40:44 AM
I just tried connecting to both of those IPs.  Got a log in screen asking for a username and password on 115.133.198.86 with the message "the server says TD-8817".  The other IP didn't resolve for me.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: sharky112065 on August 05, 2011, 09:45:50 AM
MY IP Adress i 192.168.2.103 :(

That is your IP within your home LAN or WLAN. When you surf the web or chat in IRC or whatever, you will have an IP address assigned to you by your ISP. Check a page like http://msv.dk/ms302.aspx to see your IP.

@topic: new day, new drama ... I love this board

Or

http://whatismyipaddress.com/


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 05, 2011, 09:52:33 AM
MY IP Adress i 192.168.2.103 :(

That is your IP within your home LAN or WLAN. When you surf the web or chat in IRC or whatever, you will have an IP address assigned to you by your ISP. Check a page like http://msv.dk/ms302.aspx to see your IP.

@topic: new day, new drama ... I love this board

Yes that is my IP adresse 192.168.2.103

ore 188.178.220.198


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 05, 2011, 09:54:36 AM
J.: Have you been to Malaysia?

Yes in 2009:)


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Djao on August 05, 2011, 09:55:32 AM
Yes that is my IP adresse 192.168.2.103

ore 188.*.*.*

http://en.wikipedia.org/wiki/Private_network

The 188.*.*.* one is what you're looking for ... just saying. And I wouldn't post it here, really not.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 05, 2011, 10:08:57 AM
Yes that is my IP adresse 192.168.2.103

ore 188.*.*.*

http://en.wikipedia.org/wiki/Private_network

The 188.*.*.* one is what you're looking for ... just saying. And I wouldn't post it here, really not.

Fuck, im don with Bitcoins...

I was just about to have the last things in place to invest in 20 mining rigs with a capacity of 3GHash per machine ... but again I think just that I sell the last bitcoins I have and live my life without bitcoins.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: fitty on August 05, 2011, 10:49:08 AM

If he's a day-trader, it's entirely necessary to keep funds in one's account.  At least $$$ funds.  The bitcoins can be transferred in and out easily enough, but dollars or other currencies often take days.

I don't think it's reasonable to expect an active trader to move funds in and out of their mtgox account every day.  MtGox SHOULD be secure.  If they are not, then we should stop using them.

Should be secure? Fairly sure MtGox has proven they are not secure. If you're still choosing to be a day trader on MtGox that's on you. MtGox isn't regulated. They don't have to meet security standards. You can't sue them (realistically anyway). It's not 100% clear who owns the parent company, where it's setup, and it's not backed by anything.

Again, he went on vacation? Even a day trader, I'd cash out. Second, he posted he left Bitcoins on MtGox. Then went on vacation.

Sorry he's retarded.



Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 05, 2011, 11:08:50 AM

If he's a day-trader, it's entirely necessary to keep funds in one's account.  At least $$$ funds.  The bitcoins can be transferred in and out easily enough, but dollars or other currencies often take days.

I don't think it's reasonable to expect an active trader to move funds in and out of their mtgox account every day.  MtGox SHOULD be secure.  If they are not, then we should stop using them.

Should be secure? Fairly sure MtGox has proven they are not secure. If you're still choosing to be a day trader on MtGox that's on you. MtGox isn't regulated. They don't have to meet security standards. You can't sue them (realistically anyway). It's not 100% clear who owns the parent company, where it's setup, and it's not backed by anything.

Again, he went on vacation? Even a day trader, I'd cash out. Second, he posted he left Bitcoins on MtGox. Then went on vacation.

Sorry he's retarded.



I'm not a day trader, I have not written some places that I have bitcoins on my account with MT Gox and subsequently taken on holiday ..

it's bullshit to write, you can consolidate surely not a damn thing.

  I got a confirmation that my password was secure enough that I could get my account back, so it can not be my problem that MT Gox not in control of their security

and basically that means this could happen to all of you other osgå. I'm not retaderet or stupid, I have even more companies, mostly online, and know all about safety and how to use the internet, so stop all this bullshit about lack of skill.

But we can talk again when your account has been emptied.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: paraipan on August 05, 2011, 09:03:39 PM
nice thread you have here, and you haven't posted one single proof of what you're saying ...

what proof do you want?

sorry, didn't mean to be rude, just trying to believe you here, you make your proofs thinking at all things that could back up what you say: screen captures of your emptied mt.gox account, at present, and of bitcoin client too, all ip's connected to your mt.gox account (get this one with a scanned police report sent to mt.gox support), bank account screen capt, etc.

if the sum of money you lost matters to you, don't worry too much about your privacy, we have none, and you're talking on a public forum. Show us what you got


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: error on August 05, 2011, 11:09:54 PM
The IP addresses of both transactions are 115.133.198.86 and 64.120.79.136.

The first is somewhere in Malaysia. The second is a dedicated server hosted in Dallas, USA. Both are very unlikely to be legitimate traffic in this context.

Me password was (have been changed) J08-uU33-1604-82-xXx

Unfortunately this isn't a very strong password.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: jondecker76 on August 05, 2011, 11:21:53 PM
The IP addresses of both transactions are 115.133.198.86 and 64.120.79.136.

The first is somewhere in Malaysia. The second is a dedicated server hosted in Dallas, USA. Both are very unlikely to be legitimate traffic in this context.

Me password was (have been changed) J08-uU33-1604-82-xXx

Unfortunately this isn't a very strong password.

I disagree - that should have definitely been a sufficient password in that:
A) its 20 characters long
B) it has lower case letters
C) it has upper case letters
D) it has numeric digits
E) it has special characters (the hyphens)
F) It has no real words in there

I would even think that its in the upper 50 percentile of MtGox user's passwords, from a security standpoint. And even if not, it most definitely fit the definition of a secure password as defined from Mt Gox's own recovery process.

Simply put, this password should not have been guessed or brute-forced on a live system over the Internet.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: defxor on August 05, 2011, 11:26:52 PM
Simply put, this password should not have been guessed or brute-forced on a live system over the Internet.

edit: Speculation superseded by MT's post after this.

Agreed. If brute forcing this password was the attack vector then someone has access to the MtGox hashes incl. salt or is able to perform an enormous amounts of live tries towards the API.

(J. has stated the pw only ever existed at MtGox, wasn't reused etc etc)



Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: MagicalTux on August 05, 2011, 11:53:46 PM
Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:

  • Was your email password strong too?
  • Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (ie. never used that email from a mobile device, for example)
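
The sequence described in this post (password reset, reset key used right away, withdrawals minutes later from addresses the account had never logged in from) is something an exchange can alert on. The sketch below is an added example, not part of the original thread and not MtGox code; the log format, field names, user names and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real exchange logs. IPs come from the
# documentation ranges; the country tag stands in for a GeoIP lookup.
SAMPLE_LOG = """\
2011-07-20T08:01:10Z user=alice event=login ip=198.51.100.20 country=DK
2011-07-21T19:44:02Z user=alice event=login ip=198.51.100.20 country=DK
2011-07-28T16:50:31Z user=alice event=password_reset_request ip=203.0.113.7 country=MY
2011-07-28T16:51:05Z user=alice event=password_reset_complete ip=203.0.113.7 country=MY
2011-07-28T16:56:57Z user=alice event=withdraw ip=203.0.113.7 country=MY
2011-07-28T17:15:42Z user=alice event=withdraw ip=192.0.2.99 country=US
2011-07-29T09:00:00Z user=bob event=login ip=198.51.100.77 country=DE
2011-07-29T09:05:00Z user=bob event=withdraw ip=198.51.100.77 country=DE
"""

RESET_WINDOW = timedelta(hours=24)  # assumed policy: how long a reset counts as "recent"


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_suspicious_withdrawals(log_text, window=RESET_WINDOW):
    """Flag withdrawals from an IP with no login history on the account,
    noting when they follow a recent password reset or come from a new country."""
    known_ips, known_countries, last_reset = {}, {}, {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ip, when = ev["user"], ev["ip"], ev["ts"]
        reset_at = last_reset.get(user)
        recent_reset = reset_at is not None and when - reset_at <= window

        if ev["event"] == "password_reset_complete":
            last_reset[user] = when
        elif ev["event"] == "login" and not recent_reset:
            # A login right after a reset may be the intruder, so it does
            # not add the address to the trusted history.
            known_ips.setdefault(user, set()).add(ip)
            known_countries.setdefault(user, set()).add(ev["country"])
        elif ev["event"] == "withdraw" and ip not in known_ips.get(user, set()):
            reasons = ["new_ip"]
            if ev["country"] not in known_countries.get(user, set()):
                reasons.append("new_country")
            if recent_reset:
                minutes = int((when - reset_at).total_seconds() // 60)
                reasons.append(f"reset_{minutes}min_before")
            alerts.append({"user": user, "ts": when, "ip": ip,
                           "country": ev["country"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_withdrawals(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["ip"], ",".join(alert["reasons"]))
```
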


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: SgtSpike on August 06, 2011, 01:03:01 AM
Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:

  • Was your email password strong too?
  • Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (ie. never used that email from a mobile device, for example)

So basically, the attacker gained control of his email account, reset the MtGox password, then stole the coins.

I see this as a definite possibility, especially if his email password wasn't very strong.  As soon as that MtGox list got out, his email address was out there too.  Someone may have brute-forced (or otherwise extracted) his email address password.

Isn't it true that IMAP email/passwords are sent in plaintext unless a secure connection is specified?  Maybe someone was sniffing his data when he connected to his mailserver, and retrieved his account password that way...

J., do you have a "Reset password" email from MtGox in your inbox or deleted mail folder?  It was probably fully deleted, but you never know... not that it would really solve anything, it would just give confirmation to MagicalTux's investigation.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: fcmatt on August 06, 2011, 01:07:03 AM
perhaps it should not be so easy to reset a password on mtgox then?
perhaps it should be more painful for those who forget their passwords and have to wait
for a call from a mtgox employee who will then quiz them about details of their account?



Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: neofutur on August 06, 2011, 01:09:15 AM
perhaps it should not be so easy to reset a password on mtgox then?
perhaps it should be more painful for those who forget their passwords and have to wait
for a call from a mtgox employee who will then quiz them about details of their account?

 The yubikey would have saved him from this attack, +1 from the 2 factor auth !


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: just_someguy on August 06, 2011, 01:09:56 AM
perhaps it should not be so easy to reset a password on mtgox then?
perhaps it should be more painful for those who forget their passwords and have to wait
for a call from a mtgox employee who will then quiz them about details of their account?

Come on, there's only so much mtgox can do.
If someone breaks into your primary email address they've got you.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: fcmatt on August 06, 2011, 01:17:26 AM
perhaps it should not be so easy to reset a password on mtgox then?
perhaps it should be more painful for those who forget their passwords and have to wait
for a call from a mtgox employee who will then quiz them about details of their account?

Come on, there's only so much mtgox can do.
If someone breaks into your primary email address they've got you.

Here we have a mtgox user who got owned due to a process on mtgox that made it easy for the attacker
to do so via a password reset while having access to the user's email account.

It strikes me as very beneficial for mtgox to close this hole.

The yubikey was a good suggestion but it is optional. If kept optional many users will fail to get one.
Thus make resetting a password via email harder is an option. Or make yubikey mandatory in 30 days.

Doing any step to close this issue for future OPs would be a move in the right direction and lead the way for exchanges
to follow suit. MTGOX can be the leader...


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: just_someguy on August 06, 2011, 01:41:41 AM
Here we have a mtgox user who got owned due to a process on mtgox that made it easy for the attacker
to do so via a password reset while having access to the user's email account.

It strikes me as very beneficial for mtgox to close this hole.

The "hole" happens to be standard security procedure for every site on the internet... even banks.
If you lose control of it there is nothing a site can reasonably be expected to do.



Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: jondecker76 on August 06, 2011, 01:53:23 AM
This recent discussion also assumes that MagicalTux is telling the truth about what is being found on their end (and I'm not saying that he is or isn't, just a simple case-in-point), which there would never be a way for a normal user to verify.  Owners of these services have a trump card in this regard, and unfortunately its impossible to ever call them out on it if they ever were dishonest.

A lot of us that lost BTC in the big MtGox hack reported these losses to MtGox before the hack was known about, and were also told that it was our fault for bad passwords and that the BTC were sent away from our own proper logins.  In the end, it did turn out to be from the hack, and MtGox to this day won't do the right thing and refund their users that lost BTC due to their negligence (despite the fact that they make a very large amount of money from us users).  Bottom line is, I was told one thing, and it ended up being another.  There will never be a way to prove it one way or another. (FYI - I lost 20.19 BTC in the hack and if they check my logs they will clearly see this transfer happened from an IP address that I surely never use - aside from the fact of course that I reported it days before news of the hack went public)

With all of this in mind, just because a site operator gives someone an explanation, it doesn't necessarily mean its always true.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: fcmatt on August 06, 2011, 02:08:00 AM
Here we have a mtgox user who got owned due to a process on mtgox that made it easy for the attacker
to do so via a password reset while having access to the user's email account.

It strikes me as very beneficial for mtgox to close this hole.

The "hole" happens to be standard security procedure for every site on the internet... even banks.
If you lose control of it there is nothing a site can reasonably be expected to do.



I just checked my bank's website and that is not the case for me.
You need to know the user name as well as your account number which I cannot recall ever seeing it in an email from them.
If you forgot your user name you need a debit card number, debit card pin, and the account number.

My point is that my bank made it harder than just knowing a user name and the email is sent containing enough information
to reset the password via a web page.

The process you mention above is perfectly fine for a forum like this one.

But I am not trying to be argumentative. All I am saying is here is one way for MTGOX to improve their security for a website
that is going to be attacked on a daily basis using every method known to hackers.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: stsbrad on August 06, 2011, 02:31:41 AM
HIS email got owned and it's mtgox's fault? wtf is wrong with some of you people? I can't see how this is their fault at all. On a side note I would like the option to maybe pay mtgox a small fee monthly maybe or free whatever so they  can make a pin number notation on my account. when someone requests a withdrawal I receive a phone call asking for that pin then its released. its how the company I work for handles certain transactions and it's wonderful. customers get warm fuzzies using it. yubikey would have worked too.

 if they reset password on his etrade account and the same happened its etrades fault? c'mon


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: fcmatt on August 06, 2011, 03:04:03 AM
HIS email got owned and it's mtgox's fault? wtf is wrong with some of you people? I can't see how this is their fault at all. On a side note I would like the option to maybe pay mtgox a small fee monthly maybe or free whatever so they  can make a pin number notation on my account. when someone requests a withdrawal I receive a phone call asking for that pin then its released. its how the company I work for handles certain transactions and it's wonderful. customers get warm fuzzies using it. yubikey would have worked too.

 if they reset password on his etrade account and the same happened its etrades fault? c'mon

In one breath you criticize my suggestion while asking for a different security feature.

Then you mention etrade which clearly does not have such a simple way to reset a password without knowing:

E*TRADE User ID:
Social Security or Tax ID Number:
Last Name:
Zip or Postal Code:

The fact of the matter is that MTGOX has a reset password feature that is about right for a forum like this and not
a place to store money/BTC.

Is it really that hard to see it has room for improvement or do a lot of people like to argue for the fun of it?

Anyway... enough is enough. I said my piece. I am sure tux read it and will consider what he should do with his website.
I will simply go where I feel comfortable when I wish to sell my BTC.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: stsbrad on August 06, 2011, 03:10:36 AM
this is anonymous currency isn't it? now you're saying you basically want mtgox storing ssn's? what I'm asking is how far are they supposed to take it before it's just.... paypal? why wasn't this guy using a yubikey? at what point do you draw the line and say well.... the end user fucked up?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: stsbrad on August 06, 2011, 04:02:16 AM
wow after reading it all again you might be right bro. lol. and I might have helped :(

who knows anymore.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: CCCMikey on August 06, 2011, 05:05:20 AM
Yubikey has been around since about 2008 - I remember when Steve Gibson met Stina Ehrensvärd at the RSA Security Conference, trying to drum up interest in the product. http://www.grc.com/sn/sn-143.txt Since Yubikey is used in many environments besides MtGox, I doubt this entire post exists just to drum up support for it. But then, this is the Internet, so who knows :) (It looks a bit to me like someone used a web language translation tool.)

Certainly, if it's true that MtGox passwords can be reset simply by controlling the email address, then that is probably a cause for concern. Up until fairly recently, pretty much all email clients default to POP or IMAP access using plaintext password transmission. As a result, any other non-isolated members of a wireless network have a strong chance of being able to see that password. (Wired networks are generally less susceptible.) All routers between the end user and their email server can also see that password.

Similarly, almost all email clients store the password within the machine somewhere. On Windows, there are plenty of freeware programs that will read the email password in the blink of an eye (mailpv for example) so it too is another security risk. Even third party programs such as Thunderbird will happily reveal your password.

Basically, for financial sites; a simple password reset facility via email is not sufficient security. It needs to be paired with another out-of-band medium such as SMS, Yubikey, etc.
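
A reset flow along the lines argued for here and in fcmatt's earlier posts, as an added example that is not part of the original thread and not MtGox's implementation: the emailed token alone never changes the password on an account with a second factor, and an account without one gets its withdrawals frozen after a reset. TOTP (RFC 6238) stands in for the Yubikey OTP; the class and function names, the 15-minute token lifetime and the 72-hour hold are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

RESET_TTL = 15 * 60         # emailed token lifetime in seconds (assumed policy)
WITHDRAW_HOLD = 72 * 3600   # freeze after a reset with no second factor (assumed policy)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the out-of-band factor in this sketch."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical account record; password_hash is an opaque KDF output."""

    def __init__(self, password_hash, otp_secret=None):
        self.password_hash = password_hash
        self.otp_secret = otp_secret
        self.reset_token_hash = None
        self.reset_expires = 0.0
        self.withdraw_locked_until = 0.0


def request_reset(acct, now):
    """Create a single-use token; only its hash is stored server-side."""
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_expires = now + RESET_TTL
    return token  # this value is what would be emailed to the user


def complete_reset(acct, token, new_password_hash, now, otp=None):
    """Return 'ok', 'ok_with_hold' or 'rejected'."""
    if acct.reset_token_hash is None or now > acct.reset_expires:
        return "rejected"
    supplied = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(supplied, acct.reset_token_hash):
        return "rejected"
    acct.reset_token_hash = None  # single use, even if the OTP check below fails
    if acct.otp_secret is not None:
        expected = totp(acct.otp_secret, now)
        if otp is None or not hmac.compare_digest(otp.encode(), expected.encode()):
            return "rejected"  # control of the mailbox alone is not enough
        acct.password_hash = new_password_hash
        return "ok"
    # No second factor enrolled: allow the reset but freeze withdrawals so the
    # real owner has time to notice the reset email and react.
    acct.password_hash = new_password_hash
    acct.withdraw_locked_until = now + WITHDRAW_HOLD
    return "ok_with_hold"


def can_withdraw(acct, now):
    return now >= acct.withdraw_locked_until
```
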


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: RandyFolds on August 06, 2011, 05:52:32 AM
@CCCMike

Not saying anything bad about the YubiKey, it's a great little device.

A web translator will not misspell words or speak in American slang. I am not a native English speaker, I am Chinese. I know "real" broken English when I see it. This is as fake as when as native English speaker tries to talk in broken English.

I doubt seriously that this guy's account was hacked at all.

The whole thing was to drum up sympathy for Mt.Gox by accusing them of a security breach with zero evidence, expose it as user error and fix it with YubiKey.

Honestly you can't blame them for thinking Bitcoin users are stupid. Rip them off, claim a hack and they come back for more!



Man, you are dumb.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: defxor on August 06, 2011, 06:01:41 AM
The phony broken English is totally fake.

It looks perfectly on par for someone from Denmark (and other European countries where people grow up with subtitled american TV series).



Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: SgtSpike on August 06, 2011, 06:53:28 AM
wow after reading it all again you might be right bro. lol. and I might have helped :(

who knows anymore.

Another example of perfect structure, spelling and verb-subject usage followed by perfect spelled FAKE syntax error.

"it also seems that there have been several sales and purchases in the last few days where I have not been inside ... it can not be true ... I expect all my money and bitcoins is back on my account."

This is nothing more than scare tactic to promote the YubiKey as the ONLY safe way to guard your bitcoins.

This is the moral of this whole thread.....


Hurry people, run out and buy a YubiKey from Mt.Gox LOL
Seriously?  I see plenty of errors in all three of those sentences.  Not one of them is perfect.

I also deal with a BUNCH of international people on a daily basis who have a variety of skill levels when it comes to the English language.  Some write in exactly the same "BS" broken manner as J. does.

Go find another thread to throw wild, baseless accusations around in.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: defxor on August 06, 2011, 07:30:13 AM
Didn't realize there were so many Gox Apologist in action!

How is my knowledge on northern European English skills being "Gox Apologist"? We can go into more detail if you want to learn more about how hearing perfectly spoken English, but seldom using it in writing, results in people who use American expressions but with grammar and/or spelling mistakes - but I suggest you start another thread for that study.

PS: "hagget" is a Danish version of "hacked", an English word having been Danishified. Even a simple Google search would've told you that.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Jack of Diamonds on August 06, 2011, 07:52:15 AM
The whole thing was to drum up sympathy for Mt.Gox by accusing them of a security breach with zero evidence, expose it as user error and fix it with YubiKey.

Honestly you can't blame them for thinking Bitcoin users are stupid. Rip them off, claim a hack and they come back for more!

I'm a skeptic but I know an over-the-top-paranoid person when I see one. Your theory is insane.

The YK is just free compensation. Even if everyone were to buy one after reading it's safer, Gox would gain next to no profit.
The keys actually do cost $30, Mt. Gox is sending them with free shipping & a customized logo, so they are *losing* money initially by sending them out
(though gaining in the long term due to less problems from stolen accounts and disputes)


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: paraipan on August 06, 2011, 01:15:28 PM
@CCCMike

Not saying anything bad about the YubiKey, it's a great little device.

A web translator will not misspell words or speak in American slang. I am not a native English speaker, I am Chinese. I know "real" broken English when I see it. This is as fake as when a native English speaker tries to talk in broken English.

I doubt seriously that this guy's account was hacked at all.

The whole thing was to drum up sympathy for Mt.Gox by accusing them of a security breach with zero evidence, expose it as user error and fix it with YubiKey.

Honestly you can't blame them for thinking Bitcoin users are stupid. Rip them off, claim a hack and they come back for more!



Man, you are dumb.

YubiKey is based on RSA’s SecurID, look what could happen to it if the keys are stored in a central database http://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement/

and please calm down guys  ::)


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 06, 2011, 02:06:27 PM
Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:

  • Was your email password strong too?
  • Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (ie. never used that email from a mobile device, for example)

I would think that my password should be strong enough ..

I have not touched on my MT Gox account elsewhere in the home and from my office, and both lines are secured with codes.

I figure even with that it is my password has been cracked, as it is a very strong code .... but thank you because you have looked at it because I am very frustrated over this, it is much money I've lost ..

r I've lost all me fath too bitcoins, and it's sad after which I was in the process of getting it out in Denmark and Scandinavia.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 06, 2011, 02:12:41 PM
Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:

  • Was your email password strong too?
  • Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (ie. never used that email from a mobile device, for example)
So basically, the attacker gained control of his email account, reset the MtGox password, then stole the coins.

I see this as a definite possibility, especially if his email password wasn't very strong.  As soon as that MtGox list got out, his email address was out there too.  Someone may have brute-forced (or otherwise extracted) his email address password.

Isn't it true that IMAP email/passwords are sent in plaintext unless a secure connection is specified?  Maybe someone was sniffing his data when he connected to his mailserver, and retrieved his account password that way...

J., do you have a "Reset password" email from MtGox in your inbox or deleted mail folder?  It was probably fully deleted, but you never know... not that it would really solve anything, it would just give confirmation to MagicalTux's investigation.

I could not find such an email, with it's no harder than perosner have deleted them afterwards ... the person may very well delete it entirely using my code.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: defxor on August 06, 2011, 02:16:23 PM
I would think that my password should be strong enough ..

I have not touched on my MT Gox account elsewhere in the home and from my office, and both lines are secured with codes.

The vector would be that your email address, as everyone else's, became known from the MtGox hacking incident. Somehow someone decided it was worth trying to hack your email account - making it possible to do a pw reset on MtGox.

Why someone targeted you in particular, and managed to guess your email password, is another question. The most likely cause would be that you signed up somewhere else Bitcoin related and re-used the same pw as you use with your email provider.

(If your email account has been hacked you of course need to make sure to clean your account from any hidden forwards and then basically consider EVERYTHING you've ever signed up for as "broken" since the attacker could've used it to gain entry to a lot more than just MtGox)

Of course, all the above is based on MagicalTux both being honest about what the logs say and that if the logs say pw reset through email that there's no way to fool the system into doing pw resets some other way.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 06, 2011, 02:20:28 PM
perhaps it should not be so easy to reset a password on mtgox then?
perhaps it should be more painful for those who forget their passwords and have to wait
for a call from a mtgox employee who will then quiz them about details of their account?

Come on, there's only so much mtgox can do.
If someone breaks into your primary email address they've got you.

but the only way they could get this mail code is that it has gone out of MT Gox's system and data ...

no matter how you look at it, then MT Gox has my IP addresses and know I am from Denmark, how can they allow an IP address from Malaisia and U.S. to empty my account ... it is because of poor security ..


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: m0w3r on August 06, 2011, 02:21:46 PM
Whoa , chill out, I never said I was going psycho. You obviously have the typical Ga or is it Va reading comprehension problem....

Anyway you're taking this way too serious.

Take care

You can go back to China with that slander.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 06, 2011, 02:35:27 PM
J, Aug-05 02:51 (JST):
my account has been hagget, my code did not work more because I wanted to go today, so may have sent an email with a new code .... HEVEDERES what happens to your ridiculous shitty site ...

119 bitcoin stolen and
300 USD.

what the hell is this bullshit.

send to this address:
Thu 28 Jul 2011 04:56:57 PM GMT   withdraw   Bitcoin withdraw to 1LxTV74oksinziDR3fgvvLUf6jdsnwSUiP   100.00000000 ฿TC

Thu 28 Jul 2011 05:15:42 PM GMT   withdraw   Generate redeem code: MTGOX-USD-4K7SA-UYVH8-UH85P-50E3D   $305.49932

Accound balance$0.00000
Accound balance BTC 0.00000

it also seems that there have been several sales and purchases in the last few days where I have not been inside ... it can not be true ... I expect all my money and bitcoins is back on my account.

Otherwise, the refund all my $ 4000 which I have added to your shitty site and lost because of your incompetent security.

_______________________________________________________________________________ __________________________________

Jasmine, Aug-05 10:39 (JST):
Hello,

I apologize about your recent theft. We do not have the ability to "reverse" any transfers. The IP addresses of both transactions are 115.133.198.86 and 64.120.79.136. At this point, I strongly advise you to change your password to a more secure one; using at least one upper case, number, and special character will prevent anyone and any computers from guessing your password. Also, please change the password to any connecting email addresses.

I also strongly encourage you to obtain a Yubikey, which we can offer it to you for free. Unfortunately, that is the only thing we can do for your situation. You may file a police report, which we can try our best to cooperate with the investigation.

I apologize for any inconvenience this has caused.

Thanks,

MtGox.com Team

The IP addresses of both transactions are 115.133.198.86 and 64.120.79.136.
MY IP Adress i 192.168.2.103 :(

I strongly advise you to change your password to a more secure one, using at least one upper case, number, and special character will prevent anyone and any computers from guessing your password.
Me password was (have been changed) J08-uU33-1604-82-xXx






This whole thread is BOGUS and is nothing but a scare tactic to promote YubiKey.

The phony broken English is totally fake. We have "misspelled" words, sentence fragments, followed by 100% proper subject-verb agreement that is 10 times harder to master by non-English speakers than anything else.

The whole thing about "My IP was to try and demonstrate he was an idiot". Problem is, previous post by this user demonstrate a much higher understanding.

TOTAL FAKE BS


added: He can't spell hacked (hagget) but can spell ridiculous, incompetent, and has perfect command of "American Slang"....

Google translate your idiot.

As you can see below I have nothing to do with MT Gox to do.

I am Danish and live in Denmark, English is not my strong point in terms of writing . I use google translate + imtranslation.net if I can just spell the word or phrase I should use.

As you can see longer admitted also says in my profile

DANISH BITCOIN SUPPORT.

I think it's incredibly boring to see that people are so few indkompetente idiots and do not see the forest for the trees ....

it's not me who is the evil here ...
I'm just trying to warn others and even get some help on how I can get on with this here .. it is not you who has lost a lot of money and bitcoins ...

so stop all your crap with conspiracy theories and ghosts ... there's nothing in it

and yes it may well be that I've made a mistake, but why should you not call me incompetent or retarded .. because I think my IQ and ability to increase your skill with meters


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 06, 2011, 03:42:17 PM
My Wallet
Here you can see what has been the movement on my wallet, 3 activities for MT Gox

https://i.imgur.com/YI6oH.jpg

Recover mail
mail that I sent after I tried to get into my account on Thursday 04.08.2011

I could not login with my regular password: (

https://i.imgur.com/KSSVq.jpg

MY MT Gox account
As you can see there on 28.07.2011 was 100 BTC and move up afterwards sold 19 BTC.

then there are so moved about $ 305 and then the account was empty: (

Account History $

https://i.imgur.com/3tarl.jpg

Account History BTC

https://i.imgur.com/CydPm.jpg

which in his view, there is one who has to move 100 BIC and subsequently sold the rest to move a lot of $ out of my account ..






Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Inedible on August 06, 2011, 04:01:35 PM
Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:

  • Was your email password strong too?
  • Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (ie. never used that email from a mobile device, for example)
So basically, the attacker gained control of his email account, reset the MtGox password, then stole the coins.

I see this as a definite possibility, especially if his email password wasn't very strong.  As soon as that MtGox list got out, his email address was out there too.  Someone may have brute-forced (or otherwise extracted) his email address password.

Isn't it true that IMAP email/passwords are sent in plaintext unless a secure connection is specified?  Maybe someone was sniffing his data when he connected to his mailserver, and retrieved his account password that way...

J., do you have a "Reset password" email from MtGox in your inbox or deleted mail folder?  It was probably fully deleted, but you never know... not that it would really solve anything, it would just give confirmation to MagicalTux's investigation.

I could not find such an email, with it's no harder than perosner have deleted them afterwards ... the person may very well delete it entirely using my code.

How could it have been a password by email reset hack? You said you logged into your account after coming back from holiday. If this is true then I'm assuming you used the same password as before you went on holiday and the only way that can happen is if the hacker knew your password to set it back... in which case, would they reset your password?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Inedible on August 06, 2011, 04:04:05 PM
Recover mail
mail that I sent after I tried to get into my account on Thursday 04.08.2011

I could not login with my regular password: (

You answered whilst I was writing my last post ;)


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 06, 2011, 04:10:26 PM
Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:

  • Was your email password strong too?
  • Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (ie. never used that email from a mobile device, for example)
So basically, the attacker gained control of his email account, reset the MtGox password, then stole the coins.

I see this as a definite possibility, especially if his email password wasn't very strong.  As soon as that MtGox list got out, his email address was out there too.  Someone may have brute-forced (or otherwise extracted) his email address password.

Isn't it true that IMAP email/passwords are sent in plaintext unless a secure connection is specified?  Maybe someone was sniffing his data when he connected to his mailserver, and retrieved his account password that way...

J., do you have a "Reset password" email from MtGox in your inbox or deleted mail folder?  It was probably fully deleted, but you never know... not that it would really solve anything, it would just give confirmation to MagicalTux's investigation.

I could not find such an email, with it's no harder than perosner have deleted them afterwards ... the person may very well delete it entirely using my code.

How could it have been a password by email reset hack? You said you logged into your account after coming back from holiday. If this is true then I'm assuming you used the same password as before you went on holiday and the only way that can happen is if the hacker knew your password to set it back... in which case, would they reset your password?

when I came back from vacation, I logged into my account which I usually do, but I could not use my password, so I had to receive a recovery mail from MT Gox, I did and wrote my password again and came in as I wont ... but quickly discovered that something was wrong because everything was in both 0 and $ bitcoins ...

so I went into history and saw that it was sold and move a lot of money and bitcoins.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: error on August 06, 2011, 07:04:36 PM
Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:

  • Was your email password strong too?
  • Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (ie. never used that email from a mobile device, for example)
So basically, the attacker gained control of his email account, reset the MtGox password, then stole the coins.

I see this as a definite possibility, especially if his email password wasn't very strong.  As soon as that MtGox list got out, his email address was out there too.  Someone may have brute-forced (or otherwise extracted) his email address password.

Isn't it true that IMAP email/passwords are sent in plaintext unless a secure connection is specified?  Maybe someone was sniffing his data when he connected to his mailserver, and retrieved his account password that way...

J., do you have a "Reset password" email from MtGox in your inbox or deleted mail folder?  It was probably fully deleted, but you never know... not that it would really solve anything, it would just give confirmation to MagicalTux's investigation.

I could not find such an email, with it's no harder than perosner have deleted them afterwards ... the person may very well delete it entirely using my code.

How could it have been a password by email reset hack? You said you logged into your account after coming back from holiday. If this is true then I'm assuming you used the same password as before you went on holiday and the only way that can happen is if the hacker knew your password to set it back... in which case, would they reset your password?

when I came back from vacation, I logged into my account which I usually do, but I could not use my password, so I had to receive a recovery mail from MT Gox, I did and wrote my password again and came in as I wont ... but quickly discovered that something was wrong because everything was in both 0 and $ bitcoins ...

so I went into history and saw that it was sold and move a lot of money and bitcoins.

Someone broke into your email account. This has nothing to do with Mt Gox.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: paraipan on August 06, 2011, 07:53:47 PM
seen all that screen capt., sorry if it made you take more trouble than already did with mtgox, this is similar to something that happened to me not long ago

have two questions if you don't mind, What are the exact dates of your vacation ? and In what place or where you spent that vacancy time ? this would be more helpful
if you can back this up with scans of tickets or whatever better for you but not really necessary.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: error on August 07, 2011, 01:00:04 AM
So what was the final conclusion?

Email or Mt.Gox Hack?

Email.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 07, 2011, 11:31:56 AM
seen all that screen capt., sorry if it made you take more trouble than already did with mtgox, this is similar to something that happened to me not long ago

have two questions if you don't mind, What are the exact dates of your vacation ? and In what place or where you spent that vacancy time ? this would be more helpful
if you can back this up with scans of tickets or whatever better for you but not really necessary.

are you stupid ???

what would it be to give that kind of information ??

I have kept holiday home in Denmark been out sailing where I had no internet. I do not have any tickets or anything that can back it up, can send you a receipt of purchase to gasoline, but what would you or better yet I get out of it ..


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: paraipan on August 07, 2011, 12:46:37 PM
seen all that screen capt., sorry if it made you take more trouble than already did with mtgox, this is similar to something that happened to me not long ago

have two questions if you don't mind, What are the exact dates of your vacation ? and In what place or where you spent that vacancy time ? this would be more helpful
if you can back this up with scans of tickets or whatever better for you but not really necessary.

are you stupid ???

what would it be to give that kind of information ??

I have kept holiday home in Denmark been out sailing where I had no internet. I do not have any tickets or anything that can back it up, can send you a receipt of purchase to gasoline, but what would you or better yet I get out of it ..

thanks for the fast response and for calling me like that  ???

I asked you a question for a reason just try to give a clear answer please. I will ask again more clearly, What are the exact days of your vacation ?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: paraipan on August 07, 2011, 04:50:41 PM
So the bottom line is....

Your email got hacked and you're wanting to blame Mt.Gox for it.

you don't have to shout it like this
he knows it, we know it, let's prove it to know for sure


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: markm on August 07, 2011, 04:56:12 PM
That is totally weird, I thought I had caught all of this thread as it grew but my recollection of change of MtGox password was that like all financial sites (I thought, anyway) trying to do such a thing through email alone didn't work.

I tried it, after the goxification affair. They rejected my attempt to claim the account via email alone despite my reminders of things like my being on the IRC channels and the -otc web of trust and facebook and gmail and yahoo and sourceforge and gosh knows where else. I had to remind them of all that again, suggesting we meet up in IRC where gribble could be mutually consulted, that my provider doesn't change my IP address far outside of a few class C nets, etc etc etc then my retry worked.

They (financial services in general, not just mtGox) know what kind of info about your account goes out in their emails, so they don't do stupid things like "email us the following data about your personal and family history that all your millions of diehard fans plus anyone who can use google and/or grasp the basics of what the wikipedia page about you is trying to broadcast and we'll restore your account, since obviously you and not even your mother know what your mother's maiden name was" kind of crap. I thought. Am I drifting into alternate universes again or has a new wave of security expertise determined that no gmail, hotmail, yahoo etc sysadmin could possibly know any of the info stashed in your email account?

-MarkM-


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: Intertreuton on August 07, 2011, 04:57:26 PM
The bottom line for me is:

Why are e-mails still not safer in these days? Why does no one develop a secure e-mailing system without the need of being bound to a company offering keys or such? We are living in the 21st century, e-mail is too out-dated for being used that way any longer.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: NothinG on August 07, 2011, 05:02:15 PM
The bottom line for me is:

Why are e-mails still not safer in these days? Why does no one develop a secure e-mailing system without the need of being bound to a company offering keys or such? We are living in the 21st century, e-mail is too out-dated for being used that way any longer.
Little bit of money and knowledge and you can set yourself up with an email system so secure, you could lock yourself out of.
Go Exchange!


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: GeniuSxBoY on August 07, 2011, 05:16:49 PM
Mostly all the people in here are full of shit.



The only way to know if he's lying or not is to wait to see if other people's accounts have been hacked. Otherwise, shut up! You didn't learn your lessons the first time MtGox was hacked and MORE THAN 1 person complained about being compromised?!?!

I suggest everyone check their accounts and recheck your accounts often.



Sorry J, for the other user's ignorance.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: GeniuSxBoY on August 07, 2011, 05:56:11 PM
Known Facts: J. Lost his money and bitcoins by a third party.

Unknown Facts: Everything else.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: fcmatt on August 07, 2011, 06:57:03 PM
Known Facts: J. Lost his money and bitcoins by a third party.

Unknown Facts: Everything else.

Tux has stated that an IP address on the net used the "i forgot my password, please send something to assist me via email" function
on the website.

I am pretty sure that could be considered a fact unless you wish to call tux a liar or nothing will ever be considered
a fact to you, even J's claims. After all, that could be fake too. Create a few addresses, get on a proxy or two, and create
this tale with some "facts".

I do not think J will ever get satisfaction. But tux could improve this retrieve password via email function to include
something only the user would know and that bit of info would never be sent via email for an attacker to find in the user's inbox.
Just copy what other websites do that seems reasonable.

Markm seems to be reasonable in his understanding of this situation.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: GeniuSxBoY on August 07, 2011, 07:06:09 PM
Did that ip use any other account on mt gox?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: markm on August 07, 2011, 07:21:15 PM
But tux could improve this retrieve password via email function to include
something only the user would know and that bit of info would never be sent via email for an attacker to find in the user's inbox.
Just copy what other websites do that seems reasonable.

Markm seems to be reasonable in his understanding of this situation.

Copy not what insured, cover losses up to a specified amount, reverse transactions any time in the next 90 or even 180 days sites do; such sites might invest more in making everything right than in preventing it from going wrong even, maybe.

Rather, copy what MI5, MI6, the CIA, the Mossad et al do or something: sites that rely highly upon prevention because, unfortunately, "resurrection" / "raise dead" is not yet as reliable as on some editions of the Enterprise, let alone some editions of some religious texts.

Or at very least, walk through what e-gold, pecunix, (haven't walked through Liberty Reserve, is theirs any good?) etc do and if improving them would lose some customers due to inconveniencing them let them opt out, at their own liability, of such parts as they consider inconvenient and you do not consider essential to not getting a reputation for callously disregarding the safety / security of your customers, lulling them into false senses of security, setting them up for a fall, etc etc etc.

-MarkM-


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: J. on August 07, 2011, 07:50:02 PM
Mostly all the people in here are full of shit.



The only way to know if he's lying or not is to wait to see if other people's accounts have been hacked. Otherwise, shut up! You didn't learn your lessons the first time MtGox was hacked and MORE THAN 1 person complained about being compromised?!?!

I suggest everyone check their accounts and recheck your accounts often.



Sorry J, for the other user's ignorance.

:)


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: SgtSpike on August 08, 2011, 04:11:48 PM
Did that ip use any other account on mt gox?
This is an important question.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: MagicalTux on August 10, 2011, 04:34:46 AM
Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:

  • Was your email password strong too?
  • Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (ie. never used that email from a mobile device, for example)

MagicalTux, so if you make the account read-only for 1 week after such an event and display a notice about that having happened in big letters after login, then the risk of such a theft happening again is much lower. You can make this an option at account creation and even let the user specify the read-only time.


We'll start with something more simple, the "security question" on password reset. This should help a lot.
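
Added example (not part of the thread and not Mt. Gox's code): a minimal Python model of the two reset hardening measures proposed above, a security answer that never travels by email and a read-only hold with a login notice after any password reset. The `Account` class, its method names, the 15-minute token lifetime and the sample IP addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 15 * 60            # assumed lifetime of an emailed reset token (s)
DEFAULT_HOLD = 7 * 24 * 3600   # "read-only for 1 week", as proposed in the thread


def _kdf(secret: str, salt: bytes) -> bytes:
    """Slow salted hash for low-entropy secrets (passwords, answers)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _norm(answer: str) -> str:
    """Compare security answers case- and whitespace-insensitively."""
    return " ".join(answer.split()).casefold()


class Account:
    """Hypothetical account model; not the exchange's implementation."""

    def __init__(self, email, password, security_answer, hold_seconds=DEFAULT_HOLD):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _kdf(password, self.salt)
        self.answer_hash = _kdf(_norm(security_answer), self.salt)
        self.hold_seconds = hold_seconds   # user-chosen read-only period
        self.token_hash = None             # only a hash of the token is stored
        self.token_expiry = 0.0
        self.hold_until = 0.0
        self.events = []                   # audit trail: (time, event, source_ip)

    def request_reset(self, now, source_ip):
        """Issue a single-use token. The token is the only thing emailed."""
        token = secrets.token_urlsafe(32)
        self.token_hash = hashlib.sha256(token.encode()).digest()
        self.token_expiry = now + TOKEN_TTL
        self.events.append((now, "reset_requested", source_ip))
        return token

    def complete_reset(self, token, answer, new_password, now, source_ip):
        """Require the emailed token AND the answer that was never emailed."""
        presented = hashlib.sha256(token.encode()).digest()
        token_ok = (self.token_hash is not None
                    and now <= self.token_expiry
                    and hmac.compare_digest(presented, self.token_hash))
        answer_ok = hmac.compare_digest(_kdf(_norm(answer), self.salt),
                                        self.answer_hash)
        if not (token_ok and answer_ok):
            if token_ok:
                # Mailbox holder guessed the answer wrong: burn the token so
                # the answer cannot be brute-forced against one reset link.
                self.token_hash = None
            self.events.append((now, "reset_rejected", source_ip))
            return False
        self.token_hash = None                       # single use
        self.pw_hash = _kdf(new_password, self.salt)
        self.hold_until = now + self.hold_seconds    # start read-only period
        self.events.append((now, "password_reset", source_ip))
        return True

    def login(self, password, now):
        """Return None on failure, else a banner ('' when nothing to report)."""
        if not hmac.compare_digest(_kdf(password, self.salt), self.pw_hash):
            return None
        if now < self.hold_until:
            return ("NOTICE: the password on this account was reset; "
                    "withdrawals are disabled until the hold expires")
        return ""

    def withdraw(self, amount, now):
        """Refuse any withdrawal while the post-reset hold is active."""
        if now < self.hold_until:
            raise PermissionError("account is read-only after a password reset")
        return amount


if __name__ == "__main__":
    # Constructed scenario: someone who controls only the mailbox.
    acct = Account("user@example.test", "old-pw", "Blue Heron", hold_seconds=3600)
    tok = acct.request_reset(now=1000.0, source_ip="203.0.113.7")
    print(acct.complete_reset(tok, "guess", "x", 1010.0, "203.0.113.7"))
    print(acct.events)
```

With the hold in place, even a reset that succeeds leaves the owner the whole hold period to see the notice or the audit trail before funds can move.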


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: phillipsjk on August 10, 2011, 07:48:51 AM
The bottom line for me is:

Why are e-mails still not safer in these days? Why does no one develop a secure e-mailing system without the need of being bound to a company offering keys or such? We are living in the 21st century, e-mail is too out-dated for being used that way any longer.

Nobody seems to implement The OpenPGP standard (http://tools.ietf.org/html/rfc4880).

Of course, even if a signed e-mail is needed to reset a password, you still have the compromised computer problem. You can mitigate this by having your "very secure" key on one computer, then signing keys for your less secure computers stating you trust those computers almost as much as the secure one (you would do this for web-mail as well). Every time your keys expire, you have to use them to sign your new keys as well. Presumably, you have to hold onto your expired keys indefinitely so that you can read any encrypted e-mails at a later date.

I don't think computers will be mature until the mid 22nd century anyway.

Edit: The way to avoid being bound to a signing authority is to publish your own keys. Your recipients then have to know enough to confirm the public key fingerprint using out-of-band communication. I tried to do this for a local bank and was told that the actual server would be different in different regions of the country.


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: GeniuSxBoY on August 10, 2011, 09:16:17 AM
Hi, I checked the account history quickly, and saw the hack had nothing to do with your account email. The attacker used the reset password function and got the right reset key right after, which he used to change your password. Therefore here are my questions for you:

  • Was your email password strong too?
  • Are you sure you NEVER logged into your email from any other place than your home, on a safe computer (ie. never used that email from a mobile device, for example)

MagicalTux, so if you make the account read-only for 1 week after such an event and display a notice about that having happened in big letters after login, then the risk of such a theft happening again is much lower. You can make this an option at account creation and even let the user specify the read-only time.


We'll start with something more simple, the "security question" on password reset. This should help a lot.


what about yubikey?


Title: Re: Im just been attacked and robbed on my MT Gox account
Post by: stsbrad on August 11, 2011, 11:48:31 PM
One thing that helps me is two factor authentication on my gmail account. I have the google authenticator app on my iPhone. I would suggest others look into it as well.

-Brad