WARNING - MTGOX HACKING CONTINUES READ INSIDE NOW

[Serge]

One other thing:

This email with 100% certainty arrived at the NEW email address I entered on the claims page.
So if this is NOT a valid MtGox E-Mail to warn me of a malicious password recovery attempt by a third party, but someone else's mail, then the NEW email / email database must have gotten out somehow, which in turn would have other implications.

The mail I supplied is solely in use for MtGox.

--------

I've registered at MtGox after they restored their service. Have not got any emails or phishing attempts

[1715326863]

1715326863

[1715326863]

1715326863

[Justsomeforumuser]

I suspect the people targeted(if it was more than just me, who knows how much or little they tried) are those that were part of the leaked DBs and lists.

If you're a "newly joined", you should not be in those.

Would love to hear some official word on this, even if - hopefully - this is all just a "storm in a waterglass" as opposed to anything really/truly dangerous.

I mostly want to know my (new) data isn't compromised and that this was indeed their official notification email.

[Serge]

Then it doesn't make sense to me. you said you provided mtgox with the new email after claims site was open to reset password and that you got this email to your newly provided email addie. if that true how newly created accounts defer from your account with newly provided email?  if db was hacked and there are phishing attempts then I'm sure my email would be target as well.   if the email is indeed from mtgox, then someone is targeting your account specifically, i'm not sure if they used your old email address to try to reset the password and mtgox's system somehow associated it with your newly provided email and sent it there.  


please post complete email including headers, you can xxxx your email addie in it

[sebdude420]

if i was you i would change your MT.Gox account Completely.

New email associated with it, new name, and send/receive adressing.

i would not trust using my old accounts. im in the process of remaking all my accounts that were associated with that mtgox hack incident.

[NO_SLAVE]

Again, I love how the common reaction is "Fuck you for trying to prevent theft and warning people".

yeh, no good deed goes unpunished, especially with heathens.

[Klestin]

Someone visited the "Forgot Password" page (https://mtgox.com/users/forgot) at Mt.Gox and entered your email or username?

So?   

[jgraham]

Even if it were real it dosen't count as hacking...  and I can't see you being at much risk considering all you need is a user name or e-mail to initiate a password recovery.  

My point was to warn people to change the password to their email accounts if they haven't done so already.
I'm aware that anyone who had one of the leaked lists could just mass-request password recovery via either username or email account; that's kind of what I am saying in the first place.


--
I like the part where the community's first reaction to someone trying to spare some people a loss of their account is "LULZ"  and "BLahrblerpyeawhatever".

And I thought I was a troll to the BTC userbase.

Uh...step me through this one.   Ok someone knows your username (because it was in the DB that's sitting, among other places on my HD) and they go here: https://mtgox.com/users/forgot and type it in.   Then Mt. Gox sends an email with a confirmation # to your email address.

Now because of this you are saying we should change our passwords on our email accounts?

Why exactly?  If they're using the "forgot" page they don't even know your email address and unless your email address had the same password as your old Mt. Gox account they have little chance of guessing it.

[Justsomeforumuser]

Now because of this you are saying we should change our passwords on our email accounts?

Why exactly?  If they're using the "forgot" page they don't even know your email address and unless your email address had the same password as your old Mt. Gox account they have little chance of guessing it.

There was some vivid discussion over here http://forum.bitcoin.org/index.php?topic=23705.0 where the list of hacked passwords was published whether it was possible they could all have been brute forced.

Whether someone manages to get your email login via brute force, dictionary or social hacking/phishing, they could one way or another gain access to it(unless you are implying email accounts are the most unhackable thing in the world).

Having a strong and new email password is bad and a turrrrribull hassle(this is how it seems to be portrayed at the moment) how?


Anyway, I'm done with this thread.
In the future everyone can go suit themselves and I'll keep any heads-up about security issues to myself.

[jgraham]

There was some vivid discussion over here http://forum.bitcoin.org/index.php?topic=23705.0 where the list of hacked passwords was published whether it was possible they could all have been brute forced.

Yes, I have the password file and I've run it through oclHashcat too.

Whether someone manages to get your email login via brute force, dictionary or social hacking/phishing,

No, I'm saying that "brute forcing" in the thread refers to recalculating the hashed passwords in the password file.  Unless your email password is the same as the one you used on Mt. Gox you are now talking about a completely different kind of attack.  For which the chances of success are equal to whatever measures are in place by your email provider, how easily you fall for a social engineering/phishing attack and the strength of your password.   Unless the password you have on your email right now is weak or the same as your Mt. Gox password.   There is absolutely no advantage in changing it.

Having a strong and new email password is bad and a turrrrribull hassle(this is how it seems to be portrayed at the moment) how?

No, it's just that the only useful advice one can extract from your statements are:

i) Change your password if it was the same as your old Mt. Gox password.  Advice that was given my Mt. Gox ages ago
ii) If your password for your email is weak.  Change it.  Advice that is probably older than you are