MtGox claim site online

[Kuber]

Hey,

just wanted to say that you can claim your MtGox account back:

https://claim.mtgox.com/

Seems that the MtGox staff will check every single account, oh boy.

[1714167419]

1714167419

[1714167419]

1714167419

[demonofelru]

Mine says "The password for this account is invalid, or this account is not currently under claim process."  I don't know if that means my account password was strong enough, because it definitely is the right password.  Anybody have this happen?

[JBDive]

Not sure what his process is or what he considered strong passwords however I feel my prior password was strong enough for general use such as this while my Truecrypt and PGP passphrases are 27 characters long I don't see the need to input passwords longer than 8-10 characters on Gox if the hash is salted and protected. From a security standpoint when I deal with users if the requirement for long and strong passwords is to great they will just store those passwords in an unsafe manner (post it note on monitor). In this case I had to go with something a bit more complex than I normally use so thank you RoboForm but I suspect many users will end up creating a text file with all their passwords and probably name it "passwords.txt"

Now what gets me is how poorly banks are setup when it comes to password access. My primary bank will only take 8 alpha characters, no numeric or symbols and the last time I checked capitalization did not matter meaning they don't hash anything.

If they are going to verify each account based on proof using past IP address tables or balance inquiries they have a long road ahead.

[typhon]

It rejected what I would consider a very strong password ... I hope they understand that making passwords harder just encourages people to write them down, which is actually less secure in the long run.  You figure since they took so long to fix it; they would at least do it right instead of going nuts. FAIL.

[andyb]

mine also says "The password for this account is invalid, or this account is not currently under claim process."


I've been waiting since last night to log in, slept only 4 hours, WTF?

[ananas5]

Mine also said that until I remembered the right old password.

[Technopope]

Seems that the MtGox staff will check every single account, oh boy.

Yes, it looks like that: "Your account recovery request is pending review by our staff."

With over 61,000 accounts that could take a while.

If they took only one minute to validate each account, that would be over 1000 man-hours, or over 42 days. Hopefully there is a team of workers or an automated system in development.

[drrussellshane]

I claimed my account, but if MTGOX expects me to jump through any hoops, I'd request they close and delete my account (I never had a transaction anyway).

I am weary of them having access to ANY of my information (no offense to them, I just don't really want my day-to-day email spammed or worse).

[kjj]

It rejected what I would consider a very strong password ... I hope they understand that making passwords harder just encourages people to write them down, which is actually less secure in the long run.  You figure since they took so long to fix it; they would at least do it right instead of going nuts. FAIL.

Someone can't look at a written password over the internet.

I actually encourage people to use strong passwords and write them down.  I just make sure that they understand that the proper place to store the paper with the password is with their other small, valuable pieces of paper, in their wallet.

[tomcollins]

It rejected what I would consider a very strong password ... I hope they understand that making passwords harder just encourages people to write them down, which is actually less secure in the long run.  You figure since they took so long to fix it; they would at least do it right instead of going nuts. FAIL.

Someone can't look at a written password over the internet.

I actually encourage people to use strong passwords and write them down.  I just make sure that they understand that the proper place to store the paper with the password is with their other small, valuable pieces of paper, in their wallet.

They can with a keylogger.

[qed]

All the informations needed to claim the account are publicly available. This will be fun.

[ananas5]

All the informations needed to claim the account are publicly available. This will be fun.

What?? 

[duran]

so because all the hashed passwords and emails were leaked. mtgox is going to authenticate accounts through emails...by entering the old password. and a new password...

soooo fucking stupid.

This goes far beyond, one account, a measly $1k, and a user database. this is means anyone who used the same password for their email could have the passwords to other accounts recovered to the email without knowing the original. so get access to the email. find where they have accounts. paypal, bitmarket, banks, this forum, their mining sites, dating sites, dwolla, liberty reserve, everything. they might of sent a an ecrypted zip of their wallet to themselves via their email. they might of had a very important conversation with someone. money pak numbers in emails. endless possibilities. amazon accounts, ebay, godaddy, ect ect ect. this spiderwebs out.

even lulzier is bitcoin is a community of people who mine by decoding hashes. someone with a killer mining set up could rainbow table the shit out of any encryption.  md5 encryptions can be easily cracked by morons via sites like md5decrypter.co.uk and the freebsdmd5 hashes by process's like this http://hansatan.com/?d=jtrguide

So theyre going to dictate the price at 17.50 when the exchange comes back.  who values this shit at $17 right now? someone bought a fuckload for penny each. and were supposed to buy at $17.50. i mean thats all fine and dandy for everyone getting out of bitcoins, but thats no good for the market in general.

mtgox is a buncha fuckups who lost lots of people alot of money, set back a revolution and wont take responsibility for handing out the database to an auditor for reasons unknown. i know what auditors do, no reason for him to have emails and logins. fucking morons down at mtgox have fucked up big time. They really need to pay for all damages and fuck off the internet.

[Jack of Diamonds]

All the informations needed to claim the account are publicly available. This will be fun.

What??  

It's in the accounts list.
If someone was dumb enough to use a simple password on both their Mt. Gox and email account, then all the attacker needs is that info.

Add to that the fact gmail shows the last visible IP's, the attacker can just gain a local proxy in your country after a quick WHOIS search and obtain a higher probability of recovering your account.

[qed]

All the informations needed to claim the account are publicly available. This will be fun.

What??  

The username, email and old hashed password has been posted on the forum and not deleted even if i contacted 3 times the admin.

EDIT: The second step is allowing you to submit a proof of the ownership.

[kjj]

It rejected what I would consider a very strong password ... I hope they understand that making passwords harder just encourages people to write them down, which is actually less secure in the long run.  You figure since they took so long to fix it; they would at least do it right instead of going nuts. FAIL.

Someone can't look at a written password over the internet.

I actually encourage people to use strong passwords and write them down.  I just make sure that they understand that the proper place to store the paper with the password is with their other small, valuable pieces of paper, in their wallet.

They can with a keylogger.

This doesn't change the relative security of written vs. unwritten passwords.

[chungenhung]

what's even worse, i put in a new password, and it says it is not secure enough.
It contains number, lower case letter, upper case letter, symbol, special character.
Are they asking for arabic characters combined with korean and russian characters??

[qed]

what's even worse, i put in a new password, and it says it is not secure enough.
It contains number, lower case letter, upper case letter, symbol, special character.
Are they asking for arabic characters combined with korean and russian characters??

Same issue here.

[chungenhung]

And now it says "The password for this account is invalid, or this account is not currently under claim process."
With no further instruction.
Are they forcing us to file case in small claims courts?
I really smell a huge lawsuit going their way.

Also, I've submitted a few support requests PRIOR to the attack, and NONE ever got a reply back.
So I guess I might be forced to file a suit

[dserrano5]

Yes, it looks like that: "Your account recovery request is pending review by our staff."

Interesting. I didn't get that, or any error—I was redirected to the same step 2/2 again. Actually submitted the form twice just in case...