I sent a reply to my original ticket, requesting them to take responsibility for recent incidents. This was their response:
Hi,
We have evidence the problems found by phantomcircuit have never been exploited by anyone, and we have further evidence someone logged in on your account using your password. We cannot take liability for a case which is clearly not linked to any problems on our side.
Thanks,
Mark
MtGox.com Team
Judge for yourself, i'm done using MtGox...
On logical grounds, this cannot be true because a XSRF vulnerability can only be found and confirmed by exploiting it, and several people already confirmed they have tried the exploit before and after it was fixed. The statement that the vuln was never exploited is therefore false.
In addition, I seriously doubt that a developer that was careless enough to trust a session token without checking the referal url could think of logging it. And if MtGox did not log the referal url of the http requests of each transaction, they cannot possibly claim that they know the flaw was not exploited.
If you have been stolen money from your MtGox account prior to the fix of this exploit, the least you are in right of demanding is the full log showing your transactions as well as the one where your funds were stollen. If the log does not contain any referal urls, or they are not from mtgox domain, or the ips used were only yours, then there really is something fishy.
Surely, the logs can be rewritten to make it seem like the transaction was requested from another IP. Just to make sure it is not the case, some people who have NOT been hacked but have done multiple transactions from the same IP should claim that their account got hacked and ask the logs just to ascertain that there is only their IP there and there is no log rewritting going on.
Another VERY important thing if you got stollen from your MtGox account but they refuse to be liable for it: MAKE A COPY OF YOUR BROWSER CACHE now and have it checked by a web developer you trust. If you were victim of XSRF the code of the forged request is likely still in your browser's cache where it can be found with a simple grep for the mtgox domain name.