Bitcoin Forum
Topic: If your Mt. Gox account has been compromised, PLEASE READ. (Read 34527 times)
geebus
Sr. Member
June 17, 2011, 05:06:40 AM
 #21

* How much funds did you lose?

~20 BTC

* To what address were your stolen funds sent?

No clue, can't login to check.

* What OS are you using (Windows, Linux, Mac OSX ...)?

Windows 7 x64

* How long was your old password?

8-characters, mixed alphanumeric

* Was your old password random?

It was not a dictionary word.

* Was your username the same on Mt. Gox as on the forum?

No.

* Did you use your Mt. Gox password somewhere else?

The only other place I used it was on Slush's pool, about 4 months ago. Before launching Bitcoinpool.

* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?

Mixed alphanumeric.

* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.

Phoenix Rising. But never entered the password in it.

* Please also include a screenshot if possible so we know it's a real report.

A screenshot of what? ...my password was changed, and email removed from my account. I have no way to log in to retrieve any details of the account.
I can provide transaction details (withdraw amounts, and accounts) to MtGox to verify it is me, but aside from that, I'm just locked out.

Feel like donating to me? BTC Address: 14eUVSgBSzLpHXGAfbN9BojXTWvTb91SHJ
"With e-currency based on cryptographic proof, without the need to trust a third party middleman, money can be secure and transactions effortless." -- Satoshi
DrMoriarty
Newbie
June 17, 2011, 05:32:53 AM
Last edit: June 17, 2011, 05:59:15 AM by DrMoriarty
 #22

EDIT: If you cannot access your account and your e-mail address on your account has been changed, please post here as well with as much information as you have.

I have another problem.
I have not been able to log in to my mtgox account for three days. I use my own trading program. I can make orders and check my balance with it. And I know my balance is OK.

But I cannot log in to withdraw any funds.
When I enter my login and password it only shows me the start page with the links "sign up" and "login". If I enter a wrong password I get an error message. But with the right password it just doesn't work.

Does anybody know what happened?

PS: I have written to support twice but they remain silent.

PPS: I have registered a new account but I can't log in with it. Does Mt.Gox think that I made a DDoS? Is it taking revenge on me?
secmff
Newbie
June 17, 2011, 10:38:32 AM
 #23

Yes, I installed that android app posted earlier. I did get a funny feeling about it and changed my password (in the browser, removed the app again).

Still I was not able to log into my account a few hours later. Got 1550 dollars and 170 bitcoins in that account. I'm working with Mt.Gox support now, to see what is going on exactly.
OS: Linux
Password Length: 8
Random: yes
characters: lower, upper and numbers
jkminkov
Hero Member
June 17, 2011, 11:08:00 AM
 #24

Include the browser version you use and browser add-ons if any. Is it dedicated to safe sites or is it your primary browser? How do you close the site: close tab/window, or do you use log-out?

Do you have Adobe PDF Reader?

.:31211457:. 100 dollars in one place talking - Dudes, hooray, Bitcoin against us just one, but we are growing in numbers!
Vandroiy
Legendary
June 17, 2011, 03:02:14 PM
 #25

What does MagicalTux say about this? This looks extremely critical! I'm very happy now I did not increase the withdrawal limits.

Password bruteforcing cannot be an issue, since it is trivial to block IPs that have too many failed login attempts -- unless MtGox is allowing an insane amount of attempts from a single source, which would be very similar to openly accepting theft risks.

This should be resolved and the origin of the attack found ASAP. MagicalTux, please comment and analyze the cases at hand; also, explain your security measures against password extraction.
rasengan
Member
June 17, 2011, 03:08:28 PM
 #26

Was anyone using this app, by any chance? I downloaded it the other day but decided against giving them my password. Noticed today that there is a new version that is now closed source. Coincidence?

Hi BitterTea :-)

I assure you our application is 100% safe and does not make any calls to anything outside of MtGox and BTC.to(when using the bitcoin address shortener).  This can be verified/validated using any tools such as wireshark, ethereal etc. so that you can validate these facts to be true.

If you are still worried or do not know how to sniff your device's outgoing packets (requires Intermediate to Advanced skill level), then an additional option is to use our discontinued, free version of our software on the Android Market called "MtGox Live Bitcoin Trader Free."  This version is older and is not optimized at all.  However, the source code is included with this release in the APK.  Simply view the /assets/Resources folder within the APK to review the code to validate its safety.

I hope this clears any information and misconceptions out there.  If you have any questions, please come find us in #MtGoxLive on IRC.Freenode.Net and we will discuss with you more about the software, how it works, and also provide you helpful hints on how to stay safe online and in the Bitcoin community.

Thanks!

Joseon.com - The First Legally Recognized Cyber State
heli0s
Newbie
June 17, 2011, 03:25:06 PM
 #27

* How much funds did you lose?
Approx $2000 and 100 BTC
* To what address were your stolen funds sent?
Can't log in to check; email address was changed as well.
* What OS are you using (Windows, Linux, Mac OSX ...)?
Windows 7 x64
* How long was your old password?
I never divulge specifics regarding passwords, but it was at least 8 characters long.
* Was your old password random?
No.  It used multiple dictionary words.
* Was your username the same on Mt. Gox as on the forum?
No, but I've since discovered that someone on Mt. Gox has the same username as I do.
* Did you use your Mt. Gox password somewhere else?
No.  However, I did discover a similar password on a published list (but it wasn't any of my accounts on the list), so my guess is that whoever is doing this is using the published lists and performing some additional checks on variations on them.
* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
Yes; it contained all of them.
* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
Only the Bitcoin client and Phoenix mining software.  Nothing used the same password as what Mt. Gox used.
* Please also include a screenshot if possible so we know it's a real report.
Since I can't access the account, it isn't feasible to include a screenshot.

I've submitted a support ticket but I haven't had any response to it yet.
coinonymous
Newbie
June 17, 2011, 04:14:51 PM
 #28

Just a note, looking into this I tried to log in; I was using tor at the time and it said:

Quote from: mtgox
Too many failure from your IP, temporarly blocked

Which suggests somebody is staging some sort of semi-brute-force dictionary attack.

This is consistent with the hypothesis that someone is executing an attack plan along the following lines:

  • collect passwords -- or maybe just javascript-generated-hashes of passwords -- perhaps by peeking at tor exit node traffic, or perhaps by managing to secure VPSes on the same LAN segment as other popular bitcoin sites
  • replay those passwords/hashes (I'm too lazy to figure out exactly how MtGox's login system works) at MtGox
  • steal teh maneys

As has been pretty much suggested already in this thread.

 Huh
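Added example, not part of any post in this thread and not Mt. Gox's code: a minimal failed-login throttle in Python illustrating the per-IP blocking raised in posts #25 and #28. The thresholds, names and sample traffic are assumptions constructed for illustration; it goes slightly beyond the thread by adding a per-account counter, to show what a per-IP limit alone misses and why a shared address (such as a Tor exit) locks out honest users.

```python
from collections import defaultdict, deque

WINDOW = 600          # seconds of history considered (assumed value)
MAX_PER_IP = 5        # failed logins tolerated per source IP (assumed)
MAX_PER_ACCOUNT = 10  # failed logins tolerated per account, from any IP (assumed)

class LoginThrottle:
    """Sliding-window count of failed logins, keyed by IP and by account."""
    def __init__(self):
        self.by_ip = defaultdict(deque)
        self.by_account = defaultdict(deque)

    @staticmethod
    def _recent(q, now):
        # Drop timestamps that have aged out of the window; count the rest.
        while q and now - q[0] >= WINDOW:
            q.popleft()
        return len(q)

    def check(self, ip, account, now):
        """Return 'ip', 'account' or None: why this attempt is refused."""
        if self._recent(self.by_ip[ip], now) >= MAX_PER_IP:
            return "ip"
        if self._recent(self.by_account[account], now) >= MAX_PER_ACCOUNT:
            return "account"
        return None

    def record_failure(self, ip, account, now):
        self.by_ip[ip].append(now)
        self.by_account[account].append(now)

def replay(events):
    """Feed (time, ip, account, password_ok) tuples; return refused attempts."""
    throttle, refused = LoginThrottle(), []
    for now, ip, account, ok in events:
        reason = throttle.check(ip, account, now)
        if reason:
            refused.append((now, ip, account, reason))
        elif not ok:
            throttle.record_failure(ip, account, now)
    return refused

# Constructed sample traffic (documentation address ranges, made-up accounts).
# 1) One source trying many accounts: stopped by the per-IP limit.
single_source = [(t, "192.0.2.10", f"user{t}", False) for t in range(8)]
# 2) Twelve sources, one guess each at one account: only the per-account limit fires.
distributed = [(t, f"198.51.100.{t}", "victim", False) for t in range(12)]
# 3) Shared exit address: after other users' failures an honest login is refused.
shared_exit = [(t, "203.0.113.5", f"bot{t}", False) for t in range(5)]
shared_exit.append((6, "203.0.113.5", "honest", True))
```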
coinonymous
Newbie
June 17, 2011, 04:25:08 PM
 #29

For Christ's sake, MagicTux, IMO at least quit camping/having sex/sleeping/flying in aeroplanes/etc for 10 minutes and just freeze all transfers in/out of MtGox until this is sorted out!  At this point any concern about how such a thing might reflect on your business or Bitcoin is surely dwarfed by the bad PR these theft allegations are generating?

One other observation.  There is a striking plurality of newbs purporting to be affected by this... which, to some extent, might suggest that the real nature of this attack might be some kind of weird social engineering trick either to make MtGox look bad or create Bitcoin FUD....

That's just an idea though -- sincere apologies to any innocent victims who I may very well be falsely indicting with that line of reasoning -- still it needs to be considered.  By hiring a handful of guys to repeatedly start new forum accounts and post that they were robbed on MtGox, an anti-Bitcoin-villain could create quite a bit of understandable anxiety about the safety and efficacy of BTC.  Anybody good at fingerprinting forum posters?
Desu
Newbie
June 17, 2011, 05:08:10 PM
 #30

Weird this is all happening right after the freeze this last weekend. The first big hack as well. (Poor Allinvain.)
Just Saying...
TowlieLives
Newbie
June 17, 2011, 05:37:15 PM
 #31

You make a good point Coinonymous.  I honestly think Mt.Gox was compromised though, and they may not even know it considering it could have happened amidst the spike in trading and ddos attack.  All of the posts here are people that lost relatively large sums of money and coins, and I have seen posts elsewhere of the same thing happening.  After reading through all of these posts and the ones I've found elsewhere it seems the only thing all of these people have in common is Mt.Gox.  Sony is a multi-billion dollar company that has been doing business for a long long time, and they were absolutely destroyed by hackers.  In comparison, Mt.Gox is a young company that probably doesn't have anywhere near the security team Sony does.  It only makes sense!
GeniuSxBoY
Hero Member
June 17, 2011, 07:01:27 PM
 #32

Wait wait wait...


are we saying that people's cash-moneys have been stolen and sent to other people's banks from mt gox?

Be humble!
citryphus
Newbie
June 17, 2011, 07:54:49 PM
 #33

Quote from: coinonymous
One other observation.  There is a striking plurality of newbs purporting to be affected by this... which, to some extent, might suggest that the real nature of this attack might be some kind of weird social engineering trick either to make MtGox look bad or create Bitcoin FUD....

I don't know if Mt. Gox has been compromised or not and I'm not ruling out your idea, but the fact that mostly newbs are posting here could be because (a) this is the only place they can post, and (b) they didn't register here until they had a reason to post, i.e. a problem.
Run BTC
Newbie
June 17, 2011, 08:56:47 PM
 #34

Bitcoin are excellent! I love bit coin.
Run BTC
Newbie
June 17, 2011, 08:57:50 PM
 #35

Quote from: GeniuSxBoY
Wait wait wait...

are we saying that people's cash-moneys have been stolen and sent to other people's banks from mt gox?

I don't think this can happen. BitCoin is Secure!
coinonymous
Newbie
June 17, 2011, 09:16:26 PM
 #36

Heh.  This thread is rapidly degenerating.  Here's some interesting content for you though (I'm apparently too newbish to post URLs so you'll have to type "http://" yourself):

Code:
www.parttimepoker.com/private-poker-site-info-being-posted-on-anonymous-website

How many of y'all were using your compromised password on Stars/FTP?

I don't have a lot of verification on this story from anyone I particularly trust yet so please take it with a grain of salt for now.
AntiVigilante
Member
June 18, 2011, 02:46:17 AM
 #37

EDIT: If you cannot access your account and your e-mail address on your account has been changed, please post here as well with as much information as you have.

EDIT2: Added a question about password reuse, please update your posts


While Mt. Gox being compromised is a possibility, there is no proof for it, and it's best NOT to assume that is the case - this may be an attempt at spreading fear and getting people to leave Mt. Gox.
It's best to wait for a response from MagicalTux on this. Personally I normally don't leave any funds in Mt. Gox (or any web wallet / exchange) any longer than necessary, exactly to avoid things like this. The only reason it happened now was because I was unable to access Mt. Gox at all for a long time, and thus didn't have the chance to withdraw my funds.

CSRF has been found. Having said that though bitcoin7 is riddled with them.

I'm still proposing that bitcoins themselves need to have Unix-like perms on them. Receive, Send, Operate. Wrap them up and they can't be transferred until there is a three-way handshake.

Proposal: http://forum.bitcoin.org/index.php?topic=11541.msg162881#msg162881
Inception: https://github.com/bitcoin/bitcoin/issues/296
Goal: http://forum.bitcoin.org/index.php?topic=12536.0
Means: Code, donations, and brutal criticism. I've got a thick skin. 1Gc3xCHAzwvTDnyMW3evBBr5qNRDN3DRpq
cronopio
Newbie
June 18, 2011, 03:14:21 AM
 #38

https://i.imgur.com/rLkFH.png

Yeah, I see this today in bitcoincharts.com
Desu
Newbie
June 18, 2011, 03:59:00 AM
 #39

Quote from: GeniuSxBoY
Wait wait wait...

are we saying that people's cash-moneys have been stolen and sent to other people's banks from mt gox?

Lawl, I love saying cash-monies.
goldbit
Newbie
June 18, 2011, 05:54:24 AM
Last edit: June 18, 2011, 06:27:47 AM by goldbit
 #40

I think my account has been compromised.

I can log in to my account. After I log in, I can still see my user name and my balance in the top right corner, but it says "Not logged in".

Can someone confirm for me whether my account is hacked??

* How much funds did you lose?
not that much
* To what address were your stolen funds sent?
Can't log in to check; email address was changed as well.
* What OS are you using (Windows, Linux, Mac OSX ...)?
Windows 7 x64
* How long was your old password?
12 word,
* Was your old password random?
Not really random
* Was your username the same on Mt. Gox as on the forum?
No
* Did you use your Mt. Gox password somewhere else?
Yes
* Did your old password contain lowercase letters, uppercase letters, special characters and numbers?
No
* Have you used any Bitcoin-related software, and if yes, what software? Think about things like miners, wallet managers, etc.
Bitcoin, CPU-miner, namecoin,
* Please also include a screenshot if possible so we know it's a real report.


Am I screwed???

Update: I tried to use the forgot password function. I entered my email, but it didn't work, so I think they changed my email.
So I submitted my username to reset my password (even though I knew I wouldn't receive the email).
But a few minutes later, I received a password reset email in my original email account!
WTF is happening with Mt Gox???

Another update:
After I reset my password to 24 characters, I am able to log in and my funds are still there.
But I am very skeptical about using Mt Gox now.
