amazingrando (OP)
|
|
December 09, 2011, 05:47:49 PM |
|
A few hours ago, someone was able to get into my Mt. Gox account, change the password and change the wallet address. I have not been able to log in yet, but I assume that the a**hole that accessed my account took out my 225 btc that was in there.
Stupidly I also used the same password for a few of my pool accounts, which the hacker has since hijacked.
Has anyone else had a problem today?
Even if you haven't, be sure you're using a strong password and not using the same password among sites.
|
|
sturle
Legendary
Offline
Activity: 1437
Merit: 1002
https://bitmynt.no
|
|
December 09, 2011, 06:04:45 PM |
|
Even if you haven't, be sure you're using a strong password and not using the same password among sites.
A Yubikey may be worth all your bitcoins. Get one and use it. At least for withdrawals.
|
See https://bitmynt.no for exchanging bitcoin for Norwegian kroner. Safe, cheap, fast and simple since 2010. I buy with EUR and other currencies at a fair market price when you want to sell. See http://bitmynt.no/eurprice.pl
Warning: "Bitcoin" XT, Classic, Unlimited and the likes are scams. Don't use them, and don't listen to their shills.
|
|
|
amazingrando (OP)
|
|
December 09, 2011, 06:08:08 PM |
|
A Yubikey may be worth all your bitcoins. Get one and use it. At least for withdrawals.
I made two critical mistakes: 1) leaving btc in Mt Gox as opposed to my encrypted wallet, 2) being lazy about sharing passwords. You are right, though, I should have had a Yubikey. Mt. Gox really should have some form of two factor authentication beyond the yubikey.
|
|
|
|
amazingrando (OP)
|
|
December 09, 2011, 06:09:09 PM |
|
IP address the hacker used:
196.200.102.6
|
|
|
|
cablepair
|
|
December 09, 2011, 06:10:50 PM |
|
amazingrando my friend! I am so sorry to hear that!
The person probably GOT your password from one of the pools you use. Most pools use mysql and they are really easy to do an injection attack and gain access - it's either that or a dishonest pool admin.
Either way those are far more likely to be true than MTGox being hacked.
|
|
|
|
amazingrando (OP)
|
|
December 09, 2011, 06:21:00 PM |
|
amazingrando my friend! I am so sorry to hear that!
The person probably GOT your password from one of the pools you use. Most pools use mysql and they are really easy to do an injection attack and gain access - it's either that or a dishonest pool admin.
Either way those are far more likely to be true than MTGox being hacked.
I thought the same thing. The only reason I thought it might be Mt. Gox being hacked (besides other people having the same issue) is that the first change to any of my accounts was at Mt. Gox. Accessing my pool accounts came afterward.
|
|
|
|
SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
|
|
December 09, 2011, 06:28:13 PM |
|
Sucks, that was a lot of money.
|
|
|
|
proudhon
Legendary
Offline
Activity: 2198
Merit: 1311
|
|
December 09, 2011, 06:30:43 PM |
|
amazingrando my friend! I am so sorry to hear that!
The person probably GOT your password from one of the pools you use. Most pools use mysql and they are really easy to do an injection attack and gain access - it's either that or a dishonest pool admin.
Either way those are far more likely to be true than MTGox being hacked.
I thought the same thing. The only reason I thought it might be Mt. Gox being hacked (besides other people having the same issue) is that the first change to any of my accounts was at Mt. Gox. Accessing my pool accounts came afterward.
That was probably done intentionally to keep from raising red flags. Had you noticed suspicious activity or discovered your pool account hacked I'm sure (I hope) you would have changed passwords on any related websites. I'm very sorry that happened. You really should get a YubiKey.
|
Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
|
|
|
jamesg
VIP
Legendary
Offline
Activity: 1358
Merit: 1000
AKA: gigavps
|
|
December 09, 2011, 06:35:03 PM |
|
amazingrando my friend! I am so sorry to hear that!
The person probably GOT your password from one of the pools you use. Most pools use mysql and they are really easy to do an injection attack and gain access - it's either that or a dishonest pool admin.
Either way those are far more likely to be true than MTGox being hacked.
I thought the same thing. The only reason I thought it might be Mt. Gox being hacked (besides other people having the same issue) is that the first change to any of my accounts was at Mt. Gox. Accessing my pool accounts came afterward.
That was probably done intentionally to keep from raising red flags. Had you noticed suspicious activity or discovered your pool account hacked I'm sure (I hope) you would have changed passwords on any related websites. I'm very sorry that happened. You really should get a YubiKey.
And never use the same password twice. Last pass is free. -> https://lastpass.com/
|
|
|
|
mixmastermine
Newbie
Offline
Activity: 37
Merit: 0
|
|
December 09, 2011, 06:44:53 PM |
|
Amazingrando,
If you (or anyone else) need a Yubikey, I have a Mt. Gox code for a free Yubikey for sale for 6 BTC.
|
|
|
|
bitfoo
Donator
Sr. Member
Offline
Activity: 289
Merit: 250
|
|
December 09, 2011, 06:48:33 PM |
|
I thought the same thing. The only reason I thought it might be Mt. Gox being hacked (besides other people having the same issue) is that the first change to any of my accounts was at Mt. Gox. Accessing my pool accounts came afterward.
Tough luck, amazingrando! Would you care to reveal the pools you were using, so that other users of those pools can be on high alert, check their payout addresses, change their passwords, etc?
|
|
|
|
proudhon
Legendary
Offline
Activity: 2198
Merit: 1311
|
|
December 09, 2011, 06:49:00 PM |
|
Amazingrando,
If you (or anyone else) need a Yubikey, I have a Mt. Gox code for a free Yubikey for sale for 6 BTC.
Anyone know, can you have more than one YubiKey for the same account?
|
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
December 09, 2011, 06:50:37 PM |
|
You are right, though, I should have had a Yubikey. Mt. Gox really should have some form of two factor authentication beyond the yubikey.
I will say this though: the yubikey is going to save you from the vast majority of the attacks that are actually happening. The Yubikey most certainly would have prevented this. I hesitated to get a Yubikey, and then one day MtGox offered me a free one (probably since I made a rather large deposit). Now that I have it, in retrospect, if I felt then how I feel about it now, I would have quickly paid for one.
|
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
December 09, 2011, 06:55:12 PM |
|
Anyone know, can you have more than one YubiKey for the same account?
Do you carry more than one set of keys? The YubiKey fits nicely on a keychain. As a backup, you could always pop your Yubikey into a text editor and spit out a few one time passwords, print them, and carry them with you. They can only be used sequentially, so the next time you really use your Yubikey, all of the prior ones will become void. It kind of sucks to hand-key 30+ nonsense characters at once, but it's at least an option if you think you might be out in the boonies with nothing but a smartphone next time the price drops or something and you want to do some trading. You could also e-mail yourself a large list of one-time passwords, and use them one by one via the clipboard. Sure, that's somewhat less secure than using the physical key, but at least someone can't withdraw with them (withdrawal requires a one time password from a completely different secret key, which you get by holding the Yubikey button down for longer than 3 seconds)
|
|
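Added example, not part of any post in this thread and not Mt. Gox or Yubico code: a counter-based OTP validator showing why a printed backup list is voided once a later code is used, and why a code from the login slot cannot authorize a withdrawal. HOTP (RFC 4226) is used as a stand-in for the YubiKey's own OTP format, which the thread does not describe; the `OtpValidator` and `Account` names and all secrets are hypothetical.

```python
"""Counter-based one-time passwords: backup lists, replay and slot separation.

HOTP (RFC 4226) stands in for the YubiKey's own OTP format. All secrets
below are constructed sample values, and the class names are hypothetical.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OtpValidator:
    """Server-side state for one secret: only counters >= next_counter are accepted."""

    def __init__(self, secret: bytes, digits: int = 8, look_ahead: int = 10):
        self.secret = secret
        self.digits = digits
        self.look_ahead = look_ahead  # how far the token may run ahead of the server
        self.next_counter = 0

    def verify(self, otp: str) -> bool:
        for counter in range(self.next_counter, self.next_counter + self.look_ahead):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, otp):
                # Accepting counter N moves the floor to N + 1, which voids
                # this code and every earlier, still unused one.
                self.next_counter = counter + 1
                return True
        return False


class Account:
    """Two independent secrets, mirroring the separate login and withdrawal slots."""

    def __init__(self, login_secret: bytes, withdraw_secret: bytes):
        self._login = OtpValidator(login_secret)
        self._withdraw = OtpValidator(withdraw_secret)

    def login(self, otp: str) -> bool:
        return self._login.verify(otp)

    def withdraw(self, otp: str) -> bool:
        return self._withdraw.verify(otp)


def demo() -> dict:
    login_secret = b"12345678901234567890"           # RFC 4226 test secret
    withdraw_secret = b"constructed-withdraw-secret"  # constructed sample value
    account = Account(login_secret, withdraw_secret)

    # The "printed backup list": five login-slot codes generated in advance.
    printed = [hotp(login_secret, c, digits=8) for c in range(5)]

    results = {}
    results["first_printed_code_accepted"] = account.login(printed[0])
    results["replay_rejected"] = not account.login(printed[0])
    # Using a later code (as the physical key would after a few presses)...
    results["later_code_accepted"] = account.login(printed[3])
    # ...voids the earlier, unused entries on the printed list.
    results["earlier_codes_voided"] = (
        not account.login(printed[1]) and not account.login(printed[2])
    )
    # A stolen login-slot code is useless for the withdrawal slot.
    results["login_code_cannot_withdraw"] = not account.withdraw(printed[4])
    results["withdraw_slot_code_accepted"] = account.withdraw(
        hotp(withdraw_secret, 0, digits=8)
    )
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```
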
|
|
MysteryMiner
Legendary
Offline
Activity: 1470
Merit: 1029
Show middle finger to system and then destroy it!
|
|
December 09, 2011, 06:57:56 PM |
|
Using the same password in multiple places is Your mistake. Probably pool got hacked first. Or maybe dishonest pool operator took your bitcoins. Or maybe the password was sniffed from the pool because of lack or improperly implemented SSL. This is possible even if Your system is 100% secure and malware free. Most windows computers today run by non-expert users are infected with one or another malware because of user error.
Lastpass is not 100% secure. Where is the guarantee that the lastpass does not keep all the passwords provided? Better use KeePass software on Your computer to generate, store and backup the passwords.
Yubikey is overkill. If Your computer and MtGox are safe, there is no need for one. If MtGox are hacked and database are accessed, the coins can be stolen anyway. I would love to have the key in my disposal just to play around with it, but I feel safe and know I'm safe without yubikey, because I take all precautions to keep all my coins safe on my computer and know how such things are done.
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
notme
Legendary
Offline
Activity: 1904
Merit: 1002
|
|
December 09, 2011, 07:11:06 PM |
|
If all the actors play nice it will be fine < Yubikey
Yubikey would have protected your account.
|
|
|
|
amazingrando (OP)
|
|
December 09, 2011, 07:16:33 PM |
|
Tough luck, amazingrando! Would you care to reveal the pools you were using, so that other users of those pools can be on high alert, check their payout addresses, change their passwords, etc?
I have accounts on almost every pool. The first pool I got a notice of a wallet change was deepbit. Then slush, btcguild, and bitclockers. I am going through accounts right now to see what others were compromised
|
|
|
|
amazingrando (OP)
|
|
December 09, 2011, 07:19:50 PM |
|
Using the same password in multiple places is Your mistake. Probably pool got hacked first. Or maybe dishonest pool operator took your bitcoins. Or maybe the password was sniffed from the pool because of lack or improperly implemented SSL. This is possible even if Your system is 100% secure and malware free. Most windows computers today run by non-expert users are infected with one or another malware because of user error.
Lastpass is not 100% secure. Where is the guarantee that the lastpass does not keep all the passwords provided? Better use KeePass software on Your computer to generate, store and backup the passwords.
Yubikey is overkill. If Your computer and MtGox are safe, there is no need for one. If MtGox are hacked and database are accessed, the coins can be stolen anyway. I would love to have the key in my disposal just to play around with it, but I feel safe and know I'm safe without yubikey, because I take all precautions to keep all my coins safe on my computer and know how such things are done.
I would agree that a Yubikey isn't necessary. It would have protected me in this case, but just not doing stupid things like sharing passwords across accounts would have helped. I don't do a lot of withdrawals, so using the Yubikey wouldn't be that much of an issue. I'll probably pick one up. $18 for a Yubikey could have saved me $700 of losses. Hope the guy who did this encounters some nasty bad karma
|
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1470
Merit: 1029
Show middle finger to system and then destroy it!
|
|
December 09, 2011, 07:26:36 PM |
|
It would have protected me in this case, but just not doing stupid things like sharing passwords across accounts would have helped
Using unique and unrelated passwords are the golden rule of security. Some learn it in a hard way.
a Yubikey could have saved me $700 of losses.
Hope the guy who did this encounters some nasty bad karma
There is no such thing as karma. For what I have done, I'm pretty fine. Probably the guy who did this just jizzed his pants and monitor.
|
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
December 09, 2011, 07:28:52 PM |
|
I would agree that a Yubikey isn't necessary. It would have protected me in this case, but just not doing stupid things like sharing passwords across accounts would have helped. I don't do a lot of withdrawals, so using the Yubikey wouldn't be that much of an issue. I'll probably pick one up. $18 for a Yubikey could have saved me $700 of losses.
Hope the guy who did this encounters some nasty bad karma
I don't do a lot of withdrawals either - the whole point of the Yubikey is to make sure that no one can withdraw without it, regardless of the frequency. Its usefulness is unrelated to how often you would use it. I believe a Yubikey is necessary for me, as you never know when your machine has been compromised, it's probably not going to warn you, and the only way you'll know is when your funds disappear. You don't even know that that's not what happened to you just now - you may assume that it was a pool operator, but there is no way you can know that for sure. To me, saying a Yubikey isn't necessary would be like saying airbags aren't necessary, just wear your seatbelt, or that fire insurance isn't necessary, just never light fires. It's a secondary protection with a meaningful benefit that hopefully you'll never need. I agree it's not necessary if you don't mind losing what's in your account one day (esp. if you don't really have more than a few BTC), but if it's an amount you care about, and especially if you think you'll be using bitcoins for a long time... it should be a no brainer. Ordering a Yubikey will not lock your account until you receive it and use it for the first time. It comes already active and ready to use, there are no drivers, fully compatible with PC/Mac/Linux, computer thinks it is just a plain keyboard. You just hit Enter at the MtGox Yubikey screen to bypass it if you haven't yet received it, and you stick it in your USB port and press a button and it types a one-time password. Really simple. And also a neat little gadget to carry around if you like to talk to people about Bitcoins.
|
|
|
|
nmat
|
|
December 09, 2011, 07:30:59 PM |
|
Mt. Gox really should have some form of two factor authentication beyond the yubikey.
A simple email confirmation would be great.
|
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1470
Merit: 1029
Show middle finger to system and then destroy it!
|
|
December 09, 2011, 07:32:43 PM |
|
Yubikey will guard against primitive to moderate forms of your computer compromise. Advanced forms of malware can change the send to address in the last moment or on-the-fly to hacker's address and the coins will be stolen. Such things exist for wire transfers already.
Yubikey will be next to useless if Mt Gox site is hacked again and all coins in mt gox possession is withdrawn to hacker's address.
|
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1470
Merit: 1029
Show middle finger to system and then destroy it!
|
|
December 09, 2011, 07:34:21 PM |
|
Mt. Gox really should have some form of two factor authentication beyond the yubikey.
A simple email confirmation would be great.
When I get possession over someone- the e-mail is 1st on my priority list. And most compromises and password resets start from compromised e-mail account. You might guess how useful and secure the e-mail confirmation might be.
|
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
December 09, 2011, 07:37:49 PM |
|
Yubikey will guard against primitive to moderate forms of your computer compromise. Advanced forms of malware can change the send to address in the last moment or on-the-fly to hacker's address and the coins will be stolen. Such things exist for wire transfers already.
Yubikey will be next to useless if Mt Gox site is hacked again and all coins in mt gox possession is withdrawn to hacker's address.
Same way that door locks protect against amateur thieves and burglars, are worthless against professional expert lockpickers. But practically speaking, there are far more amateurs busy trying to steal your stuff than professionals. And professionals are usually smart enough to get real jobs and are often busy being productive, they aren't as pressed to steal from you to survive. You wouldn't ever leave your house unlocked to every teenager in the neighborhood just because "it's not going to stop a determined professional lockpicker, so why bother locking it"?
|
|
|
|
nmat
|
|
December 09, 2011, 07:38:19 PM |
|
When I get possession over someone- the e-mail is 1st on my priority list. And most compromises and password resets start from compromised e-mail account. You might guess how useful and secure the e-mail confirmation might be.
Of course. It's far from being the best option, but in some cases it can help. Besides, it's free and does not have shipping costs
|
|
|
|
Andrew Bitcoiner
|
|
December 09, 2011, 07:52:55 PM |
|
Keep in mind a yubikey helps with the more likely case of someone hacking into your account, it does not help if MtGox itself gets helped.
|
|
|
|
amazingrando (OP)
|
|
December 09, 2011, 08:22:17 PM |
|
After going through all of my accounts, it appears that my accounts on the following sites were compromised:
- Mt. Gox
- Slush
- Ozcoin
- Mt. Red
- Bitclockers
- Deepbit
- Bitcoins.lc
If a pool was the source of leaked password, then I would expect it to be from one of the above. I would recommend checking your accounts and changing passwords for any of these pools.
|
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1470
Merit: 1029
Show middle finger to system and then destroy it!
|
|
December 09, 2011, 10:01:57 PM |
|
Same way that door locks protect against amateur thieves and burglars, are worthless against professional expert lockpickers.
I use locks on my house only as tamper-evident devices. They might delay teenagers, but for professional thieves and other adversaries, there is booby traps in my house. If they become tamper-evident, the evidence will be the tamperer blown all over the walls. Illegal, but effective as hell. The Yubikey will not make you less safer, that's the probably more important. If there is no additional closed-source software with it (as far as I know they are recognized as standard HID keyboard).
It's far from being the best option, but in some cases it can help
It's hard for me to imagine how I can get access to your mt gox password, and not your e-mail password with your naked girlfriend in it. The worst effect that ineffective security measures gives to you are the false sense of security.
|
|
|
|
the joint
Legendary
Offline
Activity: 1834
Merit: 1020
|
|
December 09, 2011, 11:15:51 PM |
|
Here is something that I find people have a problem with: They go through all the trouble of coming up with super-secure passwords for their pools, exchanges, wallets, etc. But, what they forgot is that their email password is extremely shitty.
|
|
|
|
robocop
|
|
December 10, 2011, 04:00:09 PM |
|
One simple (maybe dummy) question. Why you can change wallet-address and password so easy in mtGox?
Is it not secured with a email-confirmation?
|
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1470
Merit: 1029
Show middle finger to system and then destroy it!
|
|
December 10, 2011, 04:03:45 PM |
|
One simple (maybe dummy) question. Why you can change wallet-address and password so easy in mtGox?
Is it not secured with a email-confirmation?
If I have Your mtGox password, it's almost certain that I have owned your e-mail account also. This security measure gives more hassle and very little security.
|
|
|
|
msin
Legendary
Offline
Activity: 1470
Merit: 1004
|
|
December 17, 2011, 11:58:13 PM |
|
A few hours ago, someone was able to get into my Mt. Gox account, change the password and change the wallet address. I have not been able to log in yet, but I assume that the a**hole that accessed my account took out my 225 btc that was in there.
Stupidly I also used the same password for a few of my pool accounts, which the hacker has since hijacked.
Has anyone else had a problem today?
Even if you haven't, be sure you're using a strong password and not using the same password among sites.
Hey friend, exact same thing happened to me! I lost about 270 BTC. Account email and password were changed. MtGox has done nothing about it, closed my support ticket with no resolution. I was not victim of phishing, this was a straight up hack. Probably more to come, I would recommend that people get out of MtGox asap.
|
|
|
|
amazingrando (OP)
|
|
December 19, 2011, 01:35:59 AM |
|
Hey friend, exact same thing happened to me! I lost about 270 BTC. Account email and password were changed. MtGox has done nothing about it, closed my support ticket with no resolution. I was not victim of phishing, this was a straight up hack. Probably more to come, I would recommend that people get out of MtGox asap.
That really sucks man. It's a lot of money lost. Just like you, Mt.Gox did nothing when I opened a ticket. I've gone back to TradeHill. Mt. Gox seems to be such a huge target and they don't seem to take security that seriously. It's probably better for the community if we use other exchanges more heavily. We don't need a monopoly in trading. Particularly one that is lax in security. That could threaten the stability of bitcoin.
|
|
|
|
Mt.Gox Support
VIP
Sr. Member
Offline
Activity: 308
Merit: 250
|
|
December 19, 2011, 03:07:37 AM |
|
A few hours ago, someone was able to get into my Mt. Gox account, change the password and change the wallet address. I have not been able to log in yet, but I assume that the a**hole that accessed my account took out my 225 btc that was in there.
Stupidly I also used the same password for a few of my pool accounts, which the hacker has since hijacked.
Has anyone else had a problem today?
Even if you haven't, be sure you're using a strong password and not using the same password among sites.
Hey friend, exact same thing happened to me! I lost about 270 BTC. Account email and password were changed. MtGox has done nothing about it, closed my support ticket with no resolution. I was not victim of phishing, this was a straight up hack. Probably more to come, I would recommend that people get out of MtGox asap.
Hi MSIN
We are sincerely very sorry to hear that you have been a victim of this kind of fraudulent activity. From the information we have it looks as though your private data was stolen and used to gain access to your account to change your password. You can contact us for more info. Despite your belief, Mt.Gox has not been hacked in any way and trading on Mt.Gox is still safe/secure. The way in which your account was taken over proves this point (again, you can contact us for more details). That all being said, regrettably, it is too late for us to do anything with respect to recovering your funds. Besides general security tips (strong passwords, not clicking links in emails, not opening unfamiliar attachments) to try and avoid this from happening again, our only suggestion is to buy a Yubikey. If you are not familiar, a Yubikey operates as a 2-factor, one time password and thus, will make your account impervious to these types of attacks as the attacker would require both your password and the physical key to gain entry. Us asking you to buy a Yubikey may seem like salt in the wound after you've been victimized like this, however it is our sincere suggestion that you get one if you continue on as our customer or even if you decide to join a different exchange. We also hope that this experience will not turn you away from using bitcoin in the future.
|
|
|
|
msin
Legendary
Offline
Activity: 1470
Merit: 1004
|
|
December 19, 2011, 04:21:01 PM |
|
A few hours ago, someone was able to get into my Mt. Gox account, change the password and change the wallet address. I have not been able to log in yet, but I assume that the a**hole that accessed my account took out my 225 btc that was in there.
Stupidly I also used the same password for a few of my pool accounts, which the hacker has since hijacked.
Has anyone else had a problem today?
Even if you haven't, be sure you're using a strong password and not using the same password among sites.
Hey friend, exact same thing happened to me! I lost about 270 BTC. Account email and password were changed. MtGox has done nothing about it, closed my support ticket with no resolution. I was not victim of phishing, this was a straight up hack. Probably more to come, I would recommend that people get out of MtGox asap.
Hi MSIN
We are sincerely very sorry to hear that you have been a victim of this kind of fraudulent activity. From the information we have it looks as though your private data was stolen and used to gain access to your account to change your password. You can contact us for more info. Despite your belief, Mt.Gox has not been hacked in any way and trading on Mt.Gox is still safe/secure. The way in which your account was taken over proves this point (again, you can contact us for more details). That all being said, regrettably, it is too late for us to do anything with respect to recovering your funds. Besides general security tips (strong passwords, not clicking links in emails, not opening unfamiliar attachments) to try and avoid this from happening again, our only suggestion is to buy a Yubikey. If you are not familiar, a Yubikey operates as a 2-factor, one time password and thus, will make your account impervious to these types of attacks as the attacker would require both your password and the physical key to gain entry. Us asking you to buy a Yubikey may seem like salt in the wound after you've been victimized like this, however it is our sincere suggestion that you get one if you continue on as our customer or even if you decide to join a different exchange. We also hope that this experience will not turn you away from using bitcoin in the future.
You are wrong, my password was not compromised. Anyway, if you have proof that someone gained access to my account, then why didn't you stop it, especially when the IP address was from the Ukraine?
You will never become mainstream if users are required to use Yubikey and it's just a matter of time before another hack.
|
|
|
|
Anonymous
Guest
|
|
December 21, 2011, 06:57:30 AM |
|
amazingrando my friend! I am so sorry to hear that!
The person probably GOT your password from one of the pools you use. Most pools use mysql and they are really easy to do an injection attack and gain access - it's either that or a dishonest pool admin.
Either way those are far more likely to be true than MTGox being hacked.
I thought the same thing. The only reason I thought it might be Mt. Gox being hacked (besides other people having the same issue) is that the first change to any of my accounts was at Mt. Gox. Accessing my pool accounts came afterward.
That was probably done intentionally to keep from raising red flags. Had you noticed suspicious activity or discovered your pool account hacked I'm sure (I hope) you would have changed passwords on any related websites. I'm very sorry that happened. You really should get a YubiKey.
And never use the same password twice. Last pass is free. -> https://lastpass.com/
That is what I use. I even pay for the premium service, not because I have to, but because I support them, because they make my life so much easier.
|
|
|
|
BinaryMage
|
|
December 21, 2011, 07:07:06 AM |
|
You are wrong, my password was not compromised. Anyway, if you have proof that someone gained access to my account, then why didn't you stop it, especially when the IP address was from the Ukraine? You will never become mainstream if users are required to use Yubikey and it's just a matter of time before another hack.
They have no idea where you live, and plenty of MtGox users use proxies and/or Tor, which makes the IP address essentially useless information. Speaking as someone who had their account hacked, I suggest you reconsider your statement that your password was not compromised. I thought that too, but it turned out I had unknowingly fallen for a phishing scam. Your password being compromised is a lot more likely than MtGox being hacked. If they were hacked, as they were in July, both we and they would know.
|
|
|
|
shakaru
Sr. Member
Offline
Activity: 406
Merit: 250
QUIFAS EXCHANGE
|
|
December 25, 2011, 08:08:54 PM |
|
This is why I just say stay away from MtGox. Your bitcoins are safer in a dog's house as at least the dog would bark when something doesn't look right.
amazingrando I am sorry to hear about your loss. It seems that we all lose something in Bitcoin at some point. I would advise from my own research and experience that you only use an exchange to move btc to other currencies and not hold your coins there. Seeing how you already started that, then good for you. Also I would suggest using tradehill. MtGox has never hit the promised withdraw or transfer times on more than twice, and when I do have problems with TradeHill, they are only quick glitches and the staff is more than helpful.
|
|
|
|
amazingrando (OP)
|
|
December 26, 2011, 06:41:34 PM |
|
This is why I just say stay away from MtGox. Your bitcoins are safer in a dog's house as at least the dog would bark when something doesn't look right.
amazingrando I am sorry to hear about your loss. It seems that we all lose something in Bitcoin at some point. I would advise from my own research and experience that you only use an exchange to move btc to other currencies and not hold your coins there. Seeing how you already started that, then good for you. Also I would suggest using tradehill. MtGox has never hit the promised withdraw or transfer times on more than twice, and when I do have problems with TradeHill, they are only quick glitches and the staff is more than helpful.
Thanks for the advice Shakaru. TradeHill has been quite good for me. The only reason I've been using Mt.Gox is that Dwolla works better for me than Paxum. But, maybe that's a small price to pay for a better exchange.
|
|
|
|
zer0
|
|
December 30, 2011, 12:05:21 AM |
|
This is why I just say stay away from MtGox. Your bitcoins are safer in a dog's house as at least the dog would bark when something doesn't look right.
amazingrando I am sorry to hear about your loss. It seems that we all lose something in Bitcoin at some point. I would advise from my own research and experience that you only use an exchange to move btc to other currencies and not hold your coins there. Seeing how you already started that, then good for you. Also I would suggest using tradehill. MtGox has never hit the promised withdraw or transfer times on more than twice, and when I do have problems with TradeHill, they are only quick glitches and the staff is more than helpful.
Thanks for the advice Shakaru. TradeHill has been quite good for me. The only reason I've been using Mt.Gox is that Dwolla works better for me than Paxum. But, maybe that's a small price to pay for a better exchange.
You can use that service Bitinstant to buy into Tradehill with dwolla. Or at least you could last time I checked.
|
|
|
|
amazingrando (OP)
|
|
December 30, 2011, 05:32:22 AM |
|
Thanks for the advice. I'll check it out
|
|
|
|
|