Bitcoin Forum
Author Topic: Unauthorized withdrawal on Mt. Gox  (Read 29679 times)
iBug (OP)
February 26, 2013, 12:50:51 PM
 #1

I just found out that there was an unauthorized withdrawal of exactly 60 BTC from my Mt. Gox account :(

I could still access my account and change my password. Weirdly (but luckily), only 60 BTC were transferred - which is about half of my bitcoins.
I know that at current market price, 60 BTC isn't a lot for some of you - but they are of high value for me, a student without regular income.

Now the big question is: Was my password stolen (if so, why weren't over 120 bitcoins stolen, but only 60 ?) or did Mt. Gox make a mistake ?  >:(
(previous password: 15 upper- and lowercase letters, symbols and numbers)

I contacted Mt. Gox, but they're only saying that I should report it to the police and send them a copy of the police report. I think you can all understand, that I'm pissed right now...

Has the same happened to any of you before ? I fear there is absolutely no way that I'll ever get those 60 BTC back... right ?
painlord2k
February 26, 2013, 01:00:44 PM
 #2

> I just found out that there was an unauthorized withdrawal of exactly 60 BTC from my Mt. Gox account :(
>
> I could still access my account and change my password. Weirdly (but luckily), only 60 BTC were transferred - which is about half of my bitcoins.
> I know that at current market price, 60 BTC isn't a lot for some of you - but they are of high value for me, a student without regular income.
>
> Now the big question is: Was my password stolen (if so, why weren't over 120 bitcoins stolen, but only 60 ?) or did Mt. Gox make a mistake ?  >:(
> (previous password: 15 upper- and lowercase letters, symbols and numbers)
>
> I contacted Mt. Gox, but they're only saying that I should report it to the police and send them a copy of the police report. I think you can all understand, that I'm pissed right now...
>
> Has the same happened to any of you before ? I fear there is absolutely no way that I'll ever get those 60 BTC back... right ?

I would suggest you remember the times when you used the account in some ways.
The account/password couple could be stored somewhere and someone could have used it without knowing it.
I had a similar problem with a C/C in the recent past (I had used my C/C card to pay for an item he bought). The data was dormant for over a year and then, bang, the person went shopping without realizing he was using my C/C instead of his.

This is the reason I prefer accounts that use a double authorization with a changing code every time like blockchain and bitstamp.
Zomdifros
February 26, 2013, 01:03:40 PM
 #3

Let me guess, you didn't use two-factor authentication?

This happens A LOT, unfortunately MtGox isn't very active in enforcing 2FA with their users or providing services such as IP warnings or restricting withdrawals to single addresses. My advice would be to use MtGox only for buying and selling bitcoins and store them either offline or in a hybrid wallet such as Blockchain's MyWallet.
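
The three account controls named in post #3 (2FA, IP warnings, restricting withdrawals to single addresses), sketched as one server-side withdrawal check. This is an added example, not part of the thread and not Mt. Gox code: the `Account` fields, `review_withdrawal`, the "hold" decision and the "DE" home country are assumptions, and the country code is taken as already resolved from the request IP.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, as in Google Authenticator)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

@dataclass
class Account:                                   # hypothetical account settings
    totp_secret: Optional[bytes] = None          # None: no second factor enrolled
    allowlist: set = field(default_factory=set)  # empty: any destination allowed
    usual_countries: set = field(default_factory=set)

def review_withdrawal(acct, dest, country, otp, now):
    """Return (decision, reasons); decision is 'allow', 'hold' or 'deny'."""
    if acct.totp_secret is not None:
        # Accept the current and the previous 30 s step to tolerate clock skew.
        good = any(hmac.compare_digest(totp(acct.totp_secret, now - back).encode(),
                                       (otp or "").encode())
                   for back in (0, 30))
        if not good:
            return "deny", ["missing or wrong one-time code"]
    if acct.allowlist and dest not in acct.allowlist:
        return "deny", ["destination is not on the withdrawal allowlist"]
    reasons = []
    if acct.totp_secret is None:
        reasons.append("no second factor enrolled")
    if acct.usual_countries and country not in acct.usual_countries:
        reasons.append("request from unusual country " + country)
    # Password-only or unusual-location requests wait for out-of-band confirmation.
    return ("hold" if reasons else "allow"), reasons

# Constructed sample: password-only account normally used from "DE" (assumed),
# withdrawal requested from Egypt ("EG") to the address quoted in the thread.
THREAD_DEST = "18o624Pe3C1rPXuDFietaAyiMojguqizez"
if __name__ == "__main__":
    victim = Account(usual_countries={"DE"})
    print(review_withdrawal(victim, THREAD_DEST, "EG", None, 1361846380))
```

With a password alone the request is only held for confirmation; with a second factor enrolled, the same request without a valid code is denied outright.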

RaTTuS
February 26, 2013, 01:04:04 PM
 #4

Who has access to your shared computer?
Yubikey?

🏰 TradeFortress 🏰
February 26, 2013, 01:07:27 PM
 #5

There's been way too many Mt. Gox account hacks. 2FA should be a requirement honestly, otherwise a lot of people won't enable it till they get hacked.

What address was the withdrawal to?
iBug (OP)
February 26, 2013, 01:09:01 PM
 #6

As you all guessed, I'm not using two-factor authentication / yubikey.

But nobody else knows/knew my username/password combination and I'm the only one using my computer, from home.

Geolocation of the IP (that requested the withdrawal), leads to Egypt. I'm in Europe.

Why exactly 60 bitcoins, why not all 129 ?
🏰 TradeFortress 🏰
February 26, 2013, 01:10:47 PM
 #7

> As you all guessed, I'm not using two-factor authentication / yubikey.
>
> But nobody else knows/knew my username/password combination and I'm the only one using my computer, from home.
>
> Geolocation of the IP (that requested the withdrawal), leads to Egypt. I'm in Europe.
>
> Why exactly 60 bitcoins, why not all 129 ?

No, what Bitcoin address was the withdrawal to?
iBug (OP)
February 26, 2013, 01:12:19 PM
 #8

> What address was the withdrawal to?

18o624Pe3C1rPXuDFietaAyiMojguqizez

2013/02/26, 02:39:40
41.215.241.147
Stephen Gornick
February 26, 2013, 02:15:43 PM
 #9

> Let me guess, you didn't use two-factor authentication?
>
> This happens A LOT,

It sure does ...

MtGox account got cleared out
 - http://bitcointalk.org/index.php?topic=85533.0

All BTC disappeared from my Mt. Gox account
 - http://bitcointalk.org/index.php?topic=88368.0

Another:
 - http://bitcointalk.org/index.php?topic=80562.msg941759#msg941759

And another: My mtgox account got compromised, what can I do?
 - http://bitcointalk.org/index.php?topic=84585.0

Yet more: MT.Gox account hacked - lost 2k USD - MT.GOX will not explain how.
 - http://bitcointalk.org/index.php?topic=89142.0

And more again: Bitcoins stolen from MtGox
 - http://www.reddit.com/r/Bitcoin/comments/x8lcv/bitcoins_stolen_from_mtgox

And yet more: Stolen from Mt.Gox coins. Help return the coins.
 - http://bitcointalk.org/index.php?topic=119816.0

Or more here: Email from Mt.Gox this morning.
 - http://www.reddit.com/r/Bitcoin/comments/z0na5/email_from_mtgox_this_morning

And even more here: I just had $715 stolen out of my Mt. Gox account.
 - http://www.reddit.com/r/Bitcoin/comments/12j9gi/i_just_had_715_stolen_out_of_my_mt_gox_account

And the biggie: Bitcoinica MtGox account compromised
 - http://bitcointalk.org/index.php?topic=93074.0

With more here: Unauthorized Account Activity on my Mt.Gox Account - Account Compromised/Hacked?
 - http://bitcointalk.org/index.php?topic=94140.0

And even more: *MY* Mt Gox Account was Hacked - lost it all today... now what!?
 - http://bitcointalk.org/index.php?topic=137795.0

Ditto: My MtGox account was just exploited - 3 BTC stolen
 - http://bitcointalk.org/index.php?topic=141816.0

Ditto on the ditto: Just lost 190 bitcoins through Mt. Gox
 - http://bitcointalk.org/index.php?topic=141831.0

And now this one gets added to the list: Unauthorized withdrawal on Mt. Gox
 - http://bitcointalk.org/index.php?topic=147070.0

And on other services as well. Here same thing happened to some GLBSE users:
 - http://bitcointalk.org/index.php?topic=84893.0

And elsewhere, BitMarket.eu in this instance:
 - http://bitcointalk.org/index.php?topic=5441.msg1259168#msg1259168

And now on bitcoin.de as well: Bitcoins stolen from bitcoin.de.
 - http://bitcointalk.org/index.php?topic=130264.0

In none of these was the person using multi-factor authentication. Mt. Gox has had Yubikey support for a while. Mt. Gox accounts now support Google Authenticator:
 - https://mtgox.com/press_release_20120605.html

If the exchange you are storing funds with doesn't provide OTP, consider using a different exchange:
 - http://bitcoin.stackexchange.com/questions/4113/which-two-factor-authentication-methods-are-available-at-which-exchanges

If you are storing funds in an EWallet, consider using a paper wallet.

Also, here is a fantastic guide: How to use 2-factor auth on mtgox, even without a smartphone (from a second device, of course, not from the same computer you log in on).
 - http://bitcointalk.org/index.php?topic=111943.0


Stephen Gornick
February 26, 2013, 02:20:31 PM
 #10

> As you all guessed, I'm not using two-factor authentication / yubikey.

Did you mean to say you weren't or that you still aren't?

Because unless you can say with certainty that you aren't using a machine that has been compromised, then even after changing your password your remaining coins are no safer now than before.   Get 2FA.  If you don't have a smartphone or other second device that can run it then move the funds to an EWallet that uses SMS-based 2FA.


ironcross360
February 26, 2013, 02:35:06 PM
 #11

The person who did it was smart. They used a hosting service/VPN: http://www.ip-tracker.org/locator/ip-lookup.php?ip=41.215.241.147

iBug (OP)
February 26, 2013, 03:08:44 PM
 #12

>> As you all guessed, I'm not using two-factor authentication / yubikey.
>
> Did you mean to say you weren't or that you still aren't?
>
> Because unless you can say with certainty that you aren't using a machine that has been compromised, then even after changing your password your remaining coins are no safer now than before.   Get 2FA.  If you don't have a smartphone or other second device that can run it then move the funds to an EWallet that uses SMS-based 2FA.

I wasn't, but I am now.
I guess many of us just have to lose bitcoins or money, until we realize that a 15-20 characters/letters/symbols password isn't enough and that two-factor authentication IS necessary with Mt. Gox. (and any other trading sites)  :(

But as I've lost confidence in Mt. Gox, maybe I'll even transfer my coins somewhere else, and then later transfer them back to sell them...