To date, only a few accounts at BTC Guild have had funds taken from them. In all cases it was an MtGox user. So far every case has fallen into one of three scenarios.
1) The email address was shared between BTC Guild and MtGox, and the email account used the MtGox password, which was then used to reset the BTC Guild password.
2) The password was the same except for the number '1' either added to or removed from it.
3) The password was the exact same between the two sites.
I've had a notice placed on the site within minutes of the leaked database, and the payout lock feature would have prevented every single one of them from happening if users had turned it on. This is why the Payout Lock keeps bugging you to enable it until you explicitly decide to hide the warnings.
First, great work over the last 2 weeks.
Not quite sure how you stayed sane through it all.
Now, several suggestions that everyone will probably hate:
- make the account lockout feature default to ON instead of OFF when you create an account, and have a final 24-hour lockout when you turn it off.
- require a second password, different from the account password, to request a payout.
Anyway, keep up the great work.
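To make the two suggestions above concrete (payout lock on by default with a 24-hour delay before disabling takes effect, plus a separate payout password), here is an added illustration in Python. It is not BTC Guild's code or anything posted in this thread; the class and method names, the 24-hour delay constant, and the PBKDF2 parameters are all assumptions made for the example. The point it shows is that an attacker who logs in with a reused password cannot simply switch the lock off and withdraw: disabling only takes effect after the delay (giving the owner time to notice and cancel), and a payout additionally needs a secret that is refused if it equals the login password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# The 24-hour cool-down suggested in the thread (assumption: expressed in seconds).
UNLOCK_DELAY_SECONDS = 24 * 60 * 60


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash of a secret.

    Iteration count is an illustrative assumption, not a value from the thread.
    Returns (salt, derived_key) so the salt can be stored beside the hash.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 200_000)
    return salt, dk


@dataclass
class PayoutLock:
    payout_salt: bytes
    payout_hash: bytes
    locked: bool = True                       # suggestion 1: default ON
    unlock_requested_at: Optional[int] = None  # unix time the owner asked to disable

    @classmethod
    def create(cls, account_password: str, payout_password: str) -> "PayoutLock":
        # Suggestion 2: the payout password must differ from the login password,
        # otherwise a reused/leaked login password unlocks payouts as well.
        if account_password == payout_password:
            raise ValueError("payout password must differ from the account password")
        salt, dk = hash_secret(payout_password)
        return cls(payout_salt=salt, payout_hash=dk)

    def request_unlock(self, now: int) -> None:
        """Start the 24-hour countdown; the lock stays active until it elapses."""
        if self.locked and self.unlock_requested_at is None:
            self.unlock_requested_at = now

    def cancel_unlock(self) -> None:
        """Owner notices an unwanted disable request and aborts it."""
        self.unlock_requested_at = None

    def is_locked(self, now: int) -> bool:
        """Lock state at time `now`; the pending disable is applied once the delay has passed."""
        if not self.locked:
            return False
        if (self.unlock_requested_at is not None
                and now - self.unlock_requested_at >= UNLOCK_DELAY_SECONDS):
            self.locked = False
            self.unlock_requested_at = None
        return self.locked

    def verify_payout_password(self, candidate: str) -> bool:
        _, dk = hash_secret(candidate, self.payout_salt)
        # Constant-time comparison so the check does not leak via timing.
        return hmac.compare_digest(dk, self.payout_hash)

    def authorize_payout(self, payout_password: str, now: int) -> bool:
        """A payout goes through only when the lock is off AND the payout password matches."""
        if self.is_locked(now):
            return False
        return self.verify_payout_password(payout_password)


if __name__ == "__main__":
    # Constructed walk-through: an intruder with the reused login password tries to cash out.
    lock = PayoutLock.create("reused-mtgox-password", "separate-payout-secret")
    t0 = 1_700_000_000
    print("locked at t0:", lock.is_locked(t0))
    lock.request_unlock(t0)  # intruder asks to disable the lock
    print("payout one hour later:", lock.authorize_payout("reused-mtgox-password", t0 + 3600))
    lock.cancel_unlock()     # owner sees the warning email and cancels
    print("still locked a day later:", lock.is_locked(t0 + UNLOCK_DELAY_SECONDS))
```

In a real deployment the disable request would also trigger an out-of-band notification to the account owner, which is what makes the delay useful; the code above only models the state machine the notification would protect.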