MtGox possibly stolen account with bitcoins on it

[mahun]

Unable to post in to this topic http://forum.bitcoin.org/index.php?topic=18858.0;all so will post here.

I exchanged some my WMZ to BTC on #bitcoin-otc with decent exchange rate. I tried to cash out it to dwolla, created account on mtgox.com and sent coins to it. I had to go to work so I closed browser and came back to mtgox.com after 3-4 hours and found I am unable to loggin - it says that login/password invalid.

I know about recent CSRF attacks - I was offline, so I could not visit site with exploit. My account was brand new, so no hackers could get to it so quick. I did not use email in mtgox.com but I wrote down login/password so I am sure I am using correct one.

I sent 50.56 to http://blockexplorer.com/address/18Pu9zLDzviyzjMFvH4NMZjpHiq5JrgiYU address. Looks like they are gone, so somehow hacker was able to get into this account and looks like mtgox.com db was really hacked! Probably hacker tries to slowly withdraw all money, but $1000 daily limit do not allow it to do quickly so he targets smaller accounts.

mtgox login: steve3
btc address used to fund mtgox.com account 18Pu9zLDzviyzjMFvH4NMZjpHiq5JrgiYU
amount - 50.56

I wrote several times to mtgox.com support via info@ email and via support widget on their site - nothing =(

So bewared. I think it's time for tradehill.com and better and more secure websites.

[1714140817]

1714140817

[xali]

what do you mean you closed your browser... do you think maybe someone accessed it and found that mt gox was already logged in and stole it?

this seems most likely...

[ymgve]

That money went out of the address doesn't mean anything. Any money sent into mtgox gets pooled together, so if someone took out your 50.56 it would most likely not come out of the same address you used to add it. I suggest you try the support forum on mtgox too.

[mahun]

what do you mean you closed your browser... do you think maybe someone accessed it and found that mt gox was already logged in and stole it?

this seems most likely...

I meant - there was CSRF vulnerability on mtgox.com. In order to exploit it - I had to have active session and visit some site with exploit. But I shutdown laptop and did not visit any websites. So CSRF is not my case. Looks like some one got hands on their DB with all balances and passwords etc.

[OCedHrt]

what do you mean you closed your browser... do you think maybe someone accessed it and found that mt gox was already logged in and stole it?

this seems most likely...

I meant - there was CSRF vulnerability on mtgox.com. In order to exploit it - I had to have active session and visit some site with exploit. But I shutdown laptop and did not visit any websites. So CSRF is not my case. Looks like some one got hands on their DB with all balances and passwords etc.

You also could simply have a key logger on your system.

[mahun]

what do you mean you closed your browser... do you think maybe someone accessed it and found that mt gox was already logged in and stole it?

this seems most likely...

I meant - there was CSRF vulnerability on mtgox.com. In order to exploit it - I had to have active session and visit some site with exploit. But I shutdown laptop and did not visit any websites. So CSRF is not my case. Looks like some one got hands on their DB with all balances and passwords etc.

You also could simply have a key logger on your system.

i am pretty good about security. +nod32 did not find anything. so I highly doubt it was from my side. Just read http://forum.bitcoin.org/index.php?topic=18050 topic. So many accounts had changed password/email. This is definitely something bigger then just random local computers hacked. Plus - mtgox did not answer my ticket after 6 days! I'd say they have huge issue and lost all their coins or are close to it.

[Jazkal]

i am pretty good about security. +nod32 did not find anything. so I highly doubt it was from my side.

Ok, so you are good with security, so what else besides nod32 have you tried running on your system?

[mahun]

i am pretty good about security. +nod32 did not find anything. so I highly doubt it was from my side.

Ok, so you are good with security, so what else besides nod32 have you tried running on your system?

believe me, I am very good regarding security. It just can't be coincedence if so many accounts were hacked into from users machines. Just read all reports around forum. And read this post - https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback?page=2#post_20249476 - they admit they had issue where all information was leaked from their db!

[anatolikostis]

CSRF is a fake...In my opinion...  
I think in that way exchange covers their own impotance to prevent attacks...

I didn`t use any site at 16-40 14/06/2011 during hard DDoS attack, but my 13.4 BTC were successfully stolen...

So Mark says the same things everytime: "transaction was made from your account with the correct login/password, we are not responce for this"
Of course with correct!!!
How It could be with incorrect?

:facepalm:

[mahun]

CSRF is a fake...In my opinion...  
I think in that way exchange covers their own impotance to prevent attacks...

I didn`t use any site at 16-40 14/06/2011 during hard DDoS attack, but my 13.4 BTC was successfully stolen...

So Mark says the same things everytime: "transaction was made from your account with the correct login/password, we are not responce for this"
Of course with correct!!!
How It could be with incorrect?

:facepalm:

At least he says something to you. I still do not know what happened to my account at all. I simply can not login and no body answered during last week on any of my tickets =(

[bitsalame]

You guys are late to the party.
MtGox's whole user database was compromised.

Since the database has been leaked I will prove it to you:
steve3, you are the customer #52107
Your password hash: !$1$7u9tG3ex$KkKOgkgdJTknIARmG3SBS1

The password has been hashed with FreeBSD salted MD5. It is a tough cookie but not unbreakable.
The salting prevents time-memory trade off (Rainbow Tables), so a dedicated cracker should crack every each one of them individually.
As long as your password is complex and long enough, it will resist cracking by bruteforcing.

Interestingly it seems that your account steve3 were locked back then.
Cheers,

[anatolikostis]

You guys are late to the party.
MtGox's whole user database was compromised.

Since the database has been leaked I will prove it to you:
steve3, you are the customer #52107
Your password hash: !$1$7u9tG3ex$KkKOgkgdJTknIARmG3SBS1

The password has been hashed with FreeBSD salted MD5. It is a tough cookie but not unbreakable.
The salting prevents time-memory trade off (Rainbow Tables), so a dedicated cracker should crack every each one of them individually.
As long as your password is complex and long enough, it will resist cracking by bruteforcing.

Interestingly it seems that your account steve3 were locked back then.
Cheers,

I`m not late, my coins were stolen at 16-40 14/06/2011 

[mahun]

You guys are late to the party.
MtGox's whole user database was compromised.

Since the database has been leaked I will prove it to you:
steve3, you are the customer #52107
Your password hash: !$1$7u9tG3ex$KkKOgkgdJTknIARmG3SBS1

The password has been hashed with FreeBSD salted MD5. It is a tough cookie but not unbreakable.
The salting prevents time-memory trade off (Rainbow Tables), so a dedicated cracker should crack every each one of them individually.
As long as your password is complex and long enough, it will resist cracking by bruteforcing.

Interestingly it seems that your account steve3 were locked back then.
Cheers,

So it is locked, not stolen? How I can check if this password hash = to my password? Is there any online resource to get this type of hash from my password? If it is locked - at least money should be there and I have slight chance.. But when I tried claims.mtgox.com they just told that password incorrect, which I am sure I did correct.

[jheregidpa]

You guys are late to the party.
MtGox's whole user database was compromised.

Since the database has been leaked I will prove it to you:
steve3, you are the customer #52107
Your password hash: !$1$7u9tG3ex$KkKOgkgdJTknIARmG3SBS1

The password has been hashed with FreeBSD salted MD5. It is a tough cookie but not unbreakable.
The salting prevents time-memory trade off (Rainbow Tables), so a dedicated cracker should crack every each one of them individually.
As long as your password is complex and long enough, it will resist cracking by bruteforcing.

Interestingly it seems that your account steve3 were locked back then.
Cheers,

So it is locked, not stolen? How I can check if this password hash = to my password? Is there any online resource to get this type of hash from my password? If it is locked - at least money should be there and I have slight chance.. But when I tried claims.mtgox.com they just told that password incorrect, which I am sure I did correct.

The theory is they will release your account once they verify you.  I've sent them the verification info and have received no reply.  I'm starting to think it's a scam.  Lock all the accounts.  Require people to "claim" something they already had.  Either ignore people or deny them as often as possible.  Profit.   I know one person who got his account back right away, but he had no balance in BTC or $$.   I've got a small balance of BTC in mine.  If my theory is correct no balance would get reclaimed because there is no profit.  BTC might be least likely because they aren't money.   Don't have a theory on accounts w/ $$, but that might get them in more trouble legally than BTC.   It'll be interesting to watch.

[hashme]

I still do not know what happened to my account at all. I simply can not login and no body answered during last week on any of my tickets =(

Same situation... I've got No Access & No Feedback...

[moneyforschoolat]

Same problem  can not get in my account this is getting very old. They need a number where we can call and talk to a person.  THIS SUCKS

[mahun]

Same problem  can not get in my account this is getting very old. They need a number where we can call and talk to a person.  THIS SUCKS

Why? They need to steal your money. They do not need phone number for that. They can just lock your account and take your money.