Bitcoin Forum
Author Topic: MT Gox account compromised.  (Read 1353 times)
danish (OP)
April 23, 2013, 04:38:13 PM
 #1

Hey, I have been a long time lurker over here. My Mt.Gox just got compromised and according to my estimate, it has happened in the last 6 hours. My password was quite strong and it wasn't used anywhere else. It had about $19k in USD and I can't access it with my old password anymore. As is obvious, I can't even access my email address. Can someone tell me what I should do?
BitshireHashaway
April 23, 2013, 04:41:49 PM
 #2

Contact Mt. Gox immediately and tell them what happened - they should be able to put a freeze on the account and hopefully no transfers out have happened yet.

Then you will have to prove to them that you are the true account holder...
MtQuid
April 23, 2013, 04:47:05 PM
 #3

I would use https://mtgox.com/contact-us and also send an email to admin@mtgox.com
Explain your situation and state that you don't want any withdrawals happening.

From mtgox website
"Warning: As a security measure, you will be unable to make any
withdrawals for 24 hours after changing your email address or
password."

So you have 24 hours from the possible break in.

If your email password was compromised then you should think about how that was possible.

Also a good reminder to use two factor login.
You don't need a smart phone for two factor login.
Can use JAuth - available on github.
not.you
April 23, 2013, 04:47:50 PM
 #4

You should probably assume your computer is compromised too.
danish (OP)
April 23, 2013, 04:55:28 PM
 #5

Hey, thanks a ton for your help. How does one prove to them that I'm the account holder? My account was unverified. I have mentioned to them that all my Bitcoin deposits came from a different wallet, which I can show them screenshots of?
Hei_
April 23, 2013, 04:59:27 PM
 #6

20k balance but no 2 factor? why?

http://3.bp.blogspot.com/-cN5oLk4WyWc/UMYjBynvG0I/AAAAAAAAPMg/_l5gGgI0iAI/s1600/Why-Meme.png
Si Robertson
April 23, 2013, 05:24:04 PM
 #7

Quote from: MtQuid
> I would use https://mtgox.com/contact-us and also send an email to admin@mtgox.com
> Explain your situation and state that you don't want any withdrawals happening.
>
> From mtgox website
> "Warning: As a security measure, you will be unable to make any
> withdrawals for 24 hours after changing your email address or
> password."
>
> So you have 24 hours from the possible break in.
>
> If your email password was compromised then you should think about how that was possible.
>
> Also a good reminder to use two factor login.
> You don't need a smart phone for two factor login.
> Can use JAuth - available on github.


Unless they transferred out then change pw/email
starbuter
April 23, 2013, 05:43:56 PM
 #8

How do you install 2 factor authentication if you have a Windows PC?
MtQuid
April 23, 2013, 06:20:27 PM
 #9

Quote from: starbuter
> How do you install 2 factor authentication if you have a Windows PC?

If you know how to use git and have Java installed then pull the repo from https://github.com/mclamp/JAuth.git

Otherwise there is a Windows installer in the downloads section https://github.com/mclamp/JAuth/downloads
I'm not on Windows so don't know how that will work out for you but it should be ok.

There are probably other implementations around but I've used this one on MtGox without problems.

You then create a file with the secret key in and launch the program with the filename as a parameter, or you can even launch with the key as a parameter.

Might be different on Windows but I doubt it.

MtGox requires a correct two factor login code using a key before you can enable the two factor login process. In this way if you have managed to enable two factor login then you know you are generating the right keys.

Remember to back the secret key up on another machine or device or even a piece of paper, it's not long.


Murf
April 23, 2013, 06:24:34 PM
 #10

I've used the Google Authenticator:
http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447
Super easy and true 2-factor (aka you are not running the secondary factor on the same PC as you are typing your password), which they already have hacked.
ashin
April 23, 2013, 07:24:23 PM
 #11


My thoughts exactly...

Like locking your front door with Sellotape
bitcoinindia
April 23, 2013, 07:31:38 PM
 #12

We badly need a new exchange.
danish (OP)
April 23, 2013, 07:39:25 PM
 #13

Does anyone know how long Mt. Gox takes to answer!?
Luno
April 23, 2013, 07:44:45 PM
 #14

Quarter to five in the morning there now! Usually they are fast. I bought a Yubikey when they cost 6 Bitcoins. Worth its cost ever since.

Bad luck. Are you a real Dane or just pastry?
danish (OP)
April 23, 2013, 07:48:44 PM
 #15

Just a pastry, heh. Actually my name has origins in Arabic.

I am still curious. How would Mt. Gox confirm that I'm the real owner?
teriaki
April 23, 2013, 07:50:50 PM
 #16

Quote from: bitcoinindia
> We badly need a new exchange.

I agree, but not because someone has poor security practices.
jmw74
April 23, 2013, 07:54:01 PM
 #17

Quote from: bitcoinindia
> We badly need a new exchange.

How do you figure it's mtgox's fault?

It's highly improbable that the compromise happened at mtgox's end.  Most likely the user's password was phished or otherwise captured.  

Mtgox offers 2 factor authentication, the OP didn't use it.  I suppose mtgox might be better off *forcing* 2 factor auth on everyone, but not everyone has a google-authenticator capable device or a yubikey.
shkiser
April 23, 2013, 07:56:12 PM
 #18

How likely is this to happen? I've got a verified account and bitstamp and gox, and have just recently started using their sites to sell btc.. I'm hesitant now after reading this more than once.. This seems quite common. I don't think I'd ever keep a large sum in my gox account would mostly be moved into from personal encrypted wallet, and then sold and wired right to bank..

MtQuid
April 23, 2013, 08:09:36 PM
 #19

Quote from: danish
> Just a pastry, heh. Actually my name has origins in Arabic.
>
> I am still curious. How would Mt. Gox confirm that I'm the real owner?

Collect every bit of information relating to your dealings with the account and use them to prove who you are.
If you made payments into the account and you can send MtGox the verification documents to prove who you are then that would help. Did you make any deposits or withdrawals? And what methods did you use? And what days?
How old is your account?
How often do you use it?
Where do you access it from?
What browser do you usually use to access it?
Did you use the same PC to access your account all the time?  If so then it is linked by the IP address of your PC.  This can change when you reset your router but it will change to within a range.  Go to the url http://mtgox.com/this_is_danish_and_my_username_is_xxx_help_pox.html  this will appear in their web logs and might match the IP address you last logged in with.  Do it.

The villains will be able to look through your email and trade history so you need to find things that are not listed in those places.
Bank accounts.  Letters to your home.  Photo ID, Locations of access.

Maybe you are the villain and you want to prove you own someone else's account or steal another person's.
I don't know.
danish (OP)
April 23, 2013, 08:10:13 PM
 #20

Hey, I understand it's my fault. My second question is still unanswered. I'd appreciate it if you can answer it.