Mt. Gox hacked?

[amazingrando]

A few hours ago, someone was able to get into my Mt. Gox account, change the password and change the wallet address.  I have not be able to log in yet, but I assume that the a**hole that accessed my account took out my 225 btc that was in there.

Stupidly I also used the same password for a few of my pool accounts, which the hacker has since hijacked.

Has anyone else had a problem today?

Even if you haven't, be sure you're using a strong password and not using the same password among sites.

[amazingrando]

Update:

Here is the hacker's wallet ID:
1G4ij7kiUqpV8Cz3omtubLthM1Bmo9wmML

http://blockexplorer.com/q/getreceivedbyaddress/1G4ij7kiUqpV8Cz3omtubLthM1Bmo9wmML

Shows he took 238 btc from me.

[sturle]

Even if you haven't, be sure you're using a strong password and not using the same password among sites.

A Yubikey may be worth all your bitcoins.  Get one and use it.  At least for withdrawals.

[amazingrando]

A Yubikey may be worth all your bitcoins.  Get one and use it.  At least for withdrawals.

I made two critical mistakes: 1) leaving btc in Mt Gox as opposed to my encrypted wallet, 2) being lazy about sharing passwords.

You are right, though, I should have had a Yubikey.  Mt. Gox really should have some form of two factor authentication beyond the yubikey.

[amazingrando]

IP address the hacker used:

196.200.102.6

[cablepair]

amazingrando my friend! I am so sorry to hear that!

The person probably GOT your password from one of the pools you use. Most pools use mysql and they are really easy to do an injection attack and gain access - it's either that or a dishonest pool admin.

Either way those are far more likely to be true than MTGox being hacked.

[amazingrando]

amazingrando my friend! I am so sorry to hear that!

The person probably GOT your password from one of the pools you use. Most pools use mysql and they are really easy to do an injection attack and gain access - it's either that or a dishonest pool admin.

Either way those are far more likely to be true than MTGox being hacked.

I thought the same thing.  The only reason I thought it might be Mt. Gox being hacked (besides other people having the same issue) is that the first change to any of my accounts was at Mt. Gox.  Accessing my pool accounts came afterward.

[SgtSpike]

Sucks, that was a lot of money. 

[proudhon]

amazingrando my friend! I am so sorry to hear that!

The person probably GOT your password from one of the pools you use. Most pools use mysql and they are really easy to do an injection attack and gain access - it's either that or a dishonest pool admin.

Either way those are far more likely to be true than MTGox being hacked.

I thought the same thing.  The only reason I thought it might be Mt. Gox being hacked (besides other people having the same issue) is that the first change to any of my accounts was at Mt. Gox.  Accessing my pool accounts came afterward.

That was probably done intentionally to keep from raising red flags.  Had you noticed suspicious activity or discovered your pool account hacked I'm sure (I hope) you would have changed passwords on any related websites.  I'm very sorry that happened.  You really should get a YubiKey.

[jamesg]

amazingrando my friend! I am so sorry to hear that!

The person probably GOT your password from one of the pools you use. Most pools use mysql and they are really easy to do an injection attack and gain access - it's either that or a dishonest pool admin.

Either way those are far more likely to be true than MTGox being hacked.

I thought the same thing.  The only reason I thought it might be Mt. Gox being hacked (besides other people having the same issue) is that the first change to any of my accounts was at Mt. Gox.  Accessing my pool accounts came afterward.

That was probably done intentionally to keep from raising red flags.  Had you noticed suspicious activity or discovered your pool account hacked I'm sure (I hope) you would have changed passwords on any related websites.  I'm very sorry that happened.  You really should get a YubiKey.

And never use the same password twice. Last pass is free. -> https://lastpass.com/

[mixmastermine]

Amazingrando,

If you (or anyone else) need a Yubikey, I have a Mt. Gox code for a free Yubikey for sale for 6 BTC.

[bitfoo]

I thought the same thing.  The only reason I thought it might be Mt. Gox being hacked (besides other people having the same issue) is that the first change to any of my accounts was at Mt. Gox.  Accessing my pool accounts came afterward.

Tough luck, amazingrando! Would you care to reveal the pools you were using, so that other users of those pools can be on high alert, check their payout addresses, change their passwords, etc?

[proudhon]

Amazingrando,

If you (or anyone else) need a Yubikey, I have a Mt. Gox code for a free Yubikey for sale for 6 BTC.

Anyone know, can you have more than one YubiKey for the same account?

[casascius]

You are right, though, I should have had a Yubikey.  Mt. Gox really should have some form of two factor authentication beyond the yubikey.

I will say this though: the yubikey is going to save you from the vast majority of the attacks that are actually happening.

The Yubikey most certainly would have prevented this.

I hesitated to get a Yubikey, and then one day MtGox offered me a free one (probably since I made a rather large deposit).  Now that I have it, in retrospect, if I felt then how I feel about it now, I would have quickly paid for one.

[casascius]

Anyone know, can you have more than one YubiKey for the same account?

Do you carry more than one set of keys?  The YubiKey fits nicely on a keychain.

As a backup, you could always pop your Yubikey into a text editor and spit out a few one time passwords, print them, and carry them with you.  They can only be used sequentially, so the next time you really use your Yubikey, all of the prior ones will become void.  It kind of sucks to hand-key 30+ nonsense characters at once, but it's at least an option if you think you might be out in the boonies with nothing but a smartphone next time the price drops or something and you want to do some trading.

You could also e-mail yourself a large list of one-time passwords, and use them one by one via the clipboard.  Sure, that's somewhat less secure than using the physical key, but at least someone can't withdraw with them (withdrawal requires a one time password from a completely different secret key, which you get by holding the Yubikey button down for longer than 3 seconds)

[MysteryMiner]

Using the same password in multiple places is Your mistake. Probably Poll got hacked first. Or maybe dishonest pool operator took your bitcoins. Or maybe the password was sniffed from the pool because of lack or improperly implemented SSL. This is possible even if You system is 100% secure and malware free. Most windows computers today run by non-expert users are infected with one or another malware because of user error.

Lastpass is not 100% secure. Where is the guarantee that the lastpass does not keep all the passords provided? Better use KeePass software on Your computer to generate, store and backup the passwords.

Yubikey is overkill. If You computer and MtGox are safe, there is no need for one. If MtGox are hacked and database are accessed, the coins can be stolen anyway. I would love to have the key in my disposal just to play around with it, but I feel safe and know I'm safe without yubikey, because I take all precautions to keep all my coins safe on my computer and know how such things are done.

[notme]

If all the actors play nice it will be fine < Yubikey

Yubikey would have protected your account.

[amazingrando]

Tough luck, amazingrando! Would you care to reveal the pools you were using, so that other users of those pools can be on high alert, check their payout addresses, change their passwords, etc?

I have accounts on almost every pool.   The first pool I got a notice of a wallet change was deepbit.  Then slush, btcguild, and bitclockers.

I am going through accounts right now to see what others were compromised

[amazingrando]

Using the same password in multiple places is Your mistake. Probably Poll got hacked first. Or maybe dishonest pool operator took your bitcoins. Or maybe the password was sniffed from the pool because of lack or improperly implemented SSL. This is possible even if You system is 100% secure and malware free. Most windows computers today run by non-expert users are infected with one or another malware because of user error.

Lastpass is not 100% secure. Where is the guarantee that the lastpass does not keep all the passords provided? Better use KeePass software on Your computer to generate, store and backup the passwords.

Yubikey is overkill. If You computer and MtGox are safe, there is no need for one. If MtGox are hacked and database are accessed, the coins can be stolen anyway. I would love to have the key in my disposal just to play around with it, but I feel safe and know I'm safe without yubikey, because I take all precautions to keep all my coins safe on my computer and know how such things are done.

I would agree that a Yukibey isn't necessary.  It would have protected me in this case, but just not doing stupid things like sharing passwords across accounts would have helped.  I don't do a lot of withdrawals, so using the Yubikey wouldn't be that much of an issue.  I'll probably pick one up.  $18 for a Yubikey could have saved me $700 of losses.

Hope the guy who did this encounters some nasty bad karma

[MysteryMiner]

It would have protected me in this case, but just not doing stupid things like sharing passwords across accounts would have helped

Using unique and unrelated passwords are the golden rule of security. Some learn it in a hard way.

a Yubikey could have saved me $700 of losses.

Hope the guy who did this encounters some nasty bad karma

There is no such thing as karma. For what I have done, I'm pretty fine. Probably the guy who did this just jizzed his pants and monitor.