Gmail unusual activity

[EricJ2190]

I got it too, and I use a completely different (and stronger) password for Gmail than my password from MtGox. Gmail's logs show no access from unusual IPs, so I assume somebody was just trying to use my MtGox password on Gmail.

[1714984551]

1714984551

[1714984551]

1714984551

[imperi]

I thought someone was just entering random stuff into my Gmail, because both my Mtgox and Gmail are pretty strong. Guess not apparently.

[Dansker]

Yeah, it's a bit misleading to say there had been suspicious activity with the accounts, since they have simply shown up on the list, and no log-in attempts may have been made what so ever.

Although It's much appreciated that google cares for the safety of their users so much. We need it, and you need it too.

[CharlieContent]

Hi guys,

The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.

Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).

thanks,

Mike
Google abuse/anti-hijack team

Thanks Mike! Really appreciate it. Maybe Google could set up a BitCoin exchange?

MagicalTux: You are an idiot son. You've gone from respected by the community to despised just because you're too stupid, or too lazy to secure your website. I sincerely hope Mt. Gox doesn't come back from this. It was so stupid to have so much trade centralised in a website that used to be for trading pieces of card to be used in a children's game.

Go back to trading Magic the Gathering Cards, you fucking amateur.

[Mike Hearn]

Yes, we should have a message for when password leaks occur specifically. I will add this to our todo list.

[grod]

Siiigh.  That gmail address of mine was one I use for 'serious' stuff having to do with money and registration on sites I actually care about (as opposed to all the freebie service ones, where I don't give a rat's behind if someone hijacks).  It was not widely available in the spammer circles.

Now it's out there for spammers and scammers to do their thing to.

Luckily I don't re-use usernames, never mind passwords, so other email and other services shouldn't be horribly impacted.

Thanks mtgox!  Seriously.  And if you couldn't fix your code after all the reports of being compromised there's 0 chance you'll fix it in the future.  Buhbye.

[scooter]

Just verified mine too...

I will never use mtgox again, any website that doesn't protect my email adress can go fuck itself.

You should stop using every website then.
The fact that nearly every website uses an email address username/password combination for authentication and the fact that nearly 3/4ths of all people use the same password for everything means that all it takes is for one website to get hacked and people have a way in to almost every other site you are part of.

No security is 100%, but the number of hacks that have happened in recent months is incredible.
We need to rethink the whole way we do authentication on the internet.

Funny thing is.. I was in the middle of writing an article on this topic when I got the news.

[seeARMS @ Bit-Bank]

Just wanted to say: my account on this site got hacked, my Steam account got hacked (with over $500+ worth of games on it), and who knows what else got hacked.

Suffice to say I'm fucking pissed.

[AllYourBase]

I use gmail for some things, but luckily not for this.  If I did, I'd be super pissed at Google right now.  I use different passwords at different sites, so there'd be zero chance of a hacker getting into my gmail account because of knowing a hash of my mtgox password.  The inconvenience and condescending nature of involuntarily locking my account when I am fully aware it won't be compromised is monumental.  Plus, it's freakin' creepy.  Every day I like gmail less and less.

[bitcoinaddict]

I use gmail for some things, but luckily not for this.  If I did, I'd be super pissed at Google right now.  I use different passwords at different sites, so there'd be zero chance of a hacker getting into my gmail account because of knowing a hash of my mtgox password.  The inconvenience and condescending nature of involuntarily locking my account when I am fully aware it won't be compromised is monumental.  Plus, it's freakin' creepy.  Every day I like gmail less and less.

How is google supposed to know if you use the same password or not?  If they didn't lock it and you got hacked, you'd be complaining that they didn't lock it when they know your email address had been listed with other details that could lead to your account being compromised.

IMO google locking the accounts is a good thing.  You can't have icing on both sides of your cake.

[Clipse]

I use gmail for some things, but luckily not for this.  If I did, I'd be super pissed at Google right now.  I use different passwords at different sites, so there'd be zero chance of a hacker getting into my gmail account because of knowing a hash of my mtgox password.  The inconvenience and condescending nature of involuntarily locking my account when I am fully aware it won't be compromised is monumental.  Plus, it's freakin' creepy.  Every day I like gmail less and less.

HAHA such a load of cocktardism, they effectively did a huge favour/service for everyone but you would find some sort of problem with it and badmouth the shit out of them.

[aral]

I got it too, and I use a completely different (and stronger) password for Gmail than my password from MtGox. Gmail's logs show no access from unusual IPs, so I assume somebody was just trying to use my MtGox password on Gmail.

Or maybe google have just been on the fucking ball on this.  I use a different password on google. I've just been made to change it though. Now I'm gonna have to change the password on a lot of other sites too.  Fucking great work guys.

Get fucked mtgox, this is massively damaging to bitcoin and frankly, inexcusable incompetence.  

[done]

I find it to be quite interesting that government run gmail was so quick to react to this situation

[Basiley]

same shit.
but what interesting, not only mtgox account-related e-mail was compromised, but e-mail, related to THIS forum, was too.
in result of e-mail-related leakage, some people, make some phonecalls[in Russian lang], in terms, related to e-mail[pretend to b careful/cunning ?].for anyone related to law Russian enforcement, can provide phone numbers.

[scooter]

I use gmail for some things, but luckily not for this.  If I did, I'd be super pissed at Google right now.  I use different passwords at different sites, so there'd be zero chance of a hacker getting into my gmail account because of knowing a hash of my mtgox password.  The inconvenience and condescending nature of involuntarily locking my account when I am fully aware it won't be compromised is monumental.  Plus, it's freakin' creepy.  Every day I like gmail less and less.

I feel completely different. Forcing a password change only takes a few seconds. Just because YOU didnt use the same password elsewhere means that you are only one of the 25% who do that.. 75% of people share the same password everywhere.
This means that if google knows there is a big password breech by NOT forcing a password change they are knowingly letting people have their accounts compromised and could probably even get set up for a nasty lawsuit.

[elelegzet]

 No more MtGOX for 3 weeks . Hope that TH will stand this mass migration wave (two hours ago it was hot as hell and as fast as snail because of overload).
 BTW, I didn't receive any messages or notifications from Google as far as my account was compromised as well. Am I doing something wrong  ? So, probably Gmail is smart enough to mention that I've changed my password just after seen strange activities on Mtgox recently (ten minutes before the final crush)...  

[Ramokk]

I appreciate that Google is being proactive on this.

One question, though...I noticed it because my phone couldn't connect to e-mail.  When I logged in from the web site, it told me about the "suspicious activity" and had me change my password.  Had I not noticed and done this, and had someone hacked my password (not possible, since I didn't use the same password for MtGox as I did on Gmail, both were independently generated random strings), wouldn't they have just gotten to pick my "new" Gmail password when they logged in with the old one?

[CorruptDropbear]

I can't log back into my account after changing my password.    Thanks for Google recognizing that my account may be breached (I'm pretty sure it is, I'm having trouble logging into Facebook). Sent a "stolen account" inquiry, hopefully I'll get my account back. Oddly enough, due to cookies I can still sign into YouTube.  


EDIT: And after all this time I work out that the password leaked is the one that I made using KeePass, not my "ehh put in a password" password. Yay! I think.

[AllYourBase]

I use gmail for some things, but luckily not for this.  If I did, I'd be super pissed at Google right now.  I use different passwords at different sites, so there'd be zero chance of a hacker getting into my gmail account because of knowing a hash of my mtgox password.  The inconvenience and condescending nature of involuntarily locking my account when I am fully aware it won't be compromised is monumental.  Plus, it's freakin' creepy.  Every day I like gmail less and less.

I feel completely different. Forcing a password change only takes a few seconds. Just because YOU didnt use the same password elsewhere means that you are only one of the 25% who do that.. 75% of people share the same password everywhere.
This means that if google knows there is a big password breech by NOT forcing a password change they are knowingly letting people have their accounts compromised and could probably even get set up for a nasty lawsuit.

Well you're probably right that 75% or more of people reuse passwords across sites.  However, I resent suffering just because a bunch of people have the same locks on their house, car, and work, and hung their keys up on the outside of their cubicle.  I guess gmail is just for people who need the hand holding since they are too lazy to use basic security.   

[nereer]

I would just like to say thanks to Mike and the google people for doing this. I didn't have the same password for google, so I was fine but I am glad you had the sense to take the necessary steps to mitigate the danger of a wider breach.

edit: oh and super pissed with mtgox right now. what kind of a dog and pony show are they running over there?