Someone changed my BTCguild wallet address.

[nemo]

Thank god for their optional 24 hour lock that I set up. My username is on the MTGox password list, but my password wasn't the same. Has anyone else noticed suspicious activity?

[1714934095]

1714934095

[1714934095]

1714934095

[1714934095]

1714934095

[1714934095]

1714934095

[RyNinDaCleM]

I'd recommend you change your PW to something 16+ chars using uppercase, lowercase, numbers, and symbols!

[nemo]

It was a weakass password. I'm going to take my favorite book and flip the page to my lucky number. Then I'll take the first letter of every line and combine them until I have 16. Otherwise I know my lazy ass would keep the password written down or even stored on my computer somewhere. With a 16 letter password, are the numbers and symbols necessary?

[lemonginger]

just use a password generator and safe.

too easy to fallback to using "default" passwords across sites otherwise.

[eleuthria]

To date, only a few accounts at BTC Guild have had funds taken from them.  In all cases it was an MtGox user.  So far every case has fallen into one of three scenarios.

1) Email was shared between BTC Guild and MtGox and the email shared the MtGox password, which was used to reset the BTC Guild password.
2) The password was the same with the number '1' either added to or taken off the password.
3) The password was the exact same between the two sites.


I've had a notice placed on the site within minutes of the leaked database, and the payout lock feature would have prevented every single one of them from happening if users turned it on.  This is why the Payout Lock bugs you to be enabled until you explicitly decide to hide the warnings.

[Shevek]

Take a look at this: http://world.std.com/~reinhold/diceware.html

[Yatta99]

To date, only a few accounts at BTC Guild have had funds taken from them.  In all cases it was an MtGox user.  So far every case has fallen into one of three scenarios.

1) Email was shared between BTC Guild and MtGox and the email shared the MtGox password, which was used to reset the BTC Guild password.
2) The password was the same with the number '1' either added to or taken off the password.
3) The password was the exact same between the two sites.


I've had a notice placed on the site within minutes of the leaked database, and the payout lock feature would have prevented every single one of them from happening if users turned it on.  This is why the Payout Lock bugs you to be enabled until you explicitly decide to hide the warnings.

First, great work over the last 2 weeks  Not quite sure how you stayed sane through it all 

Now, several suggestions that everyone will probably hate:
- make the account lockout feature default to ON instead of OFF when you create an account and have a final 24 hour lockout when you turn it off.
- require a second password, different from the account password, to request a payout.

Anyway, keep up the great work 

[bitcoin0918]

If you tend toward "weakass passwords", you may want to use a pool that doesn't even have accounts, and instead your wallet address is your username. That way there is no way they can screw you over, unless they get the wallet.dat from your computer, or change your mining client.

[PcChip]

Here's an interesting note:  After first installing BitCoin, I've always only used the address that was generated for me by the client, but when I actually paid attention to the addresses, the payout address across slush's pool, deepbit, and BTCGuild are all different for me!  So at first I thought I had been hacked and the payout's changed, but upon further inspection (scrolling down the payment history in the client) they all belonged to me!  How did different addresses get generated for me when I never clicked "Generate New Address" ?

[wolftaur]

Here's an interesting note:  After first installing BitCoin, I've always only used the address that was generated for me by the client, but when I actually paid attention to the addresses, the payout address across slush's pool, deepbit, and BTCGuild are all different for me!  So at first I thought I had been hacked and the payout's changed, but upon further inspection (scrolling down the payment history in the client) they all belonged to me!  How did different addresses get generated for me when I never clicked "Generate New Address" ?

The client automatically makes you a new address, whether you ask it to or not, when you receive coins at the address currently selected and displayed in the client's main window.

It's because you're supposed to use different receiving addresses for everything to be able to keep track of what you got from where.