Bitcoin Forum
Author Topic: Stolen coin report - 5 BTC wiped from blockchain.info MyWallet  (Read 2289 times)
asoltys (OP)
Newbie
Activity: 19
Merit: 0
April 09, 2013, 06:25:28 AM
 #1

I set up a wallet for a friend of mine at blockchain.info several months back and it's just recently been emptied of 5 BTC: https://blockchain.info/address/1BCBgPjdZsheEq6mtfBTDQx3rX3seY2ioC.  Strangely there was 0.31594303 left intact which I've just moved to an address under my control.  The unauthorized transaction was https://blockchain.info/tx/d37bfd5a31e3535c0be745d8c94aca7603f8afa9c5264204a0ab142dc56424d9

I checked her "archived addresses" and although there are some in there, the offending address, 1JR4byfx89UCn6dyVzfvtoD37iDdneJGS4, is not.

She changed the main password on the account after I set it up for her and said she had a secondary password on the account although now that she's given me the new password I'm logged in and there doesn't seem to be a secondary one set.  Blockchain's logging feature was disabled.  I checked with her and she wasn't using the mobile app, just logging in from her laptop and her work PC.  She said she had been logging in to the account every few days to "check the wallet".  Unfortunately I guess she didn't know that you could check the address balance without logging in.  I feel bad because this started out as an account for me to pay her back $10 for lunch when bitcoins were $5 so we never bothered with cold storage.  She bought 3.35 BTC off me for $150 last month as an investment.  There are also some minor transactions to the address that I sent while doing some testing.

The original password I set on the account was foxconn123 (an inside joke) and she had it changed to foxconn321 when it was hacked -- so not particularly strong.  I presume she had backups emailed to her but am not sure.  Since she didn't use a new address after changing the main password, a compromised backup file could have been encrypted with either the original or new password, I suppose.  Possibly brute-forced?  Or do you think she might have a keylogger installed on one of her machines?  Any other thoughts or suggestions?  She said she had had trouble logging in to the site the other night and got a spinner icon and a message saying something along the lines of "changing wallet identifier".  I know blockchain.info was having some server issues yesterday but not sure how that could relate to these coins going missing.

Thanks for reading,
Adam
Twerka
Full Member
Activity: 154
Merit: 100
April 09, 2013, 06:27:34 AM
 #2

Keylogged using some public PC? That's my guess.

The worst enemy of Bitcoin is Mt.Gox exchange.
demzie
Sr. Member
Activity: 266
Merit: 250
April 10, 2013, 02:29:11 PM
 #3

foxconn123 and foxconn321 as passwords? WTF! And you leave the key in the door when you leave the house?

No, seriously, use their double auth method at least.
And passwords like these: GbSKj#gFzUv3eJ3Ad!kR6hwYC6Ub$cGCzDW

Hehehe
greyhawk
Hero Member
Activity: 952
Merit: 1009
April 10, 2013, 02:49:52 PM
 #4

foxconn123 (an inside joke)

Ohey, maybe you can change it to "swordfish". No one will ever guess that.
zebedee
Donator
Hero Member
Activity: 668
Merit: 500
April 17, 2013, 10:49:51 PM
 #5

Anything in common with this?

https://bitcointalk.org/index.php?topic=173149.msg1869132#msg1869132
Wardrick
Legendary
Activity: 1022
Merit: 1000
April 18, 2013, 01:14:13 PM
 #6

If she hasn't done a complete virus scan and/or reformatted her computer, I would do that before you create any other passwords or accounts. If you can, virus scan the public computer too, to see if there's any sign of a virus/keylogger.