Bitcoin Forum
December 11, 2016, 04:21:39 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: MtGox account got cleared out  (Read 2085 times)
mooony
Newbie
*
Offline Offline

Activity: 2


View Profile
June 05, 2012, 06:27:47 AM
 #1

Hello i've been following bitcoin and lurking this forum since the start of the bitcoin bubble.

Yesterday i received an email stating that i had requested a withdrawal when i had in fact not logged in for close to two months. I accessed my account to find that two hours prior, someone had accessed my account, bought all the btc he could with what little cash i had left and withdrew all the btc from my account(roughly about ~30, a small amount but all the btc i have).

it seems i'm short on luck as my support request was replied with this email:
Quote
Hello,

We are sorry for your loss. Unfortunately, we can not refund any amount of the stolen funds. While this is extremely disappointing news, it is unavoidable. Issuing a direct refund is not possible as there is no way of proving that your account was in fact compromised, or that it was the Mt.Gox database leak that caused this to happen. As a business if Mt.Gox were to offer you a cash or bitcoin refund in compensation of this extremely unfortunate event, there would be a large increase in the number of hacking attempts to capitalize upon the possibility of financial reward.

As a further remedy, we would like to suggest that you file a police report for the stolen goods. It is preferable for the police to inspect your computer, but not necessary. Once this investigation has occurred and a copy of the police report issued, please send a copy of it along with a notarized copy of your passport or Government issued photo ID to Mt.Gox.

Please let us know how you wish to proceed, and again we apologize for the frustration and inconvenience caused.

Thanks,

MtGox.com Team


anyone have any idea what i can do now?



also it seems someone else got hacked as well:
https://bitcointalk.org/index.php?topic=80562.msg941759#msg941759
1481430099
Hero Member
*
Offline Offline

Posts: 1481430099

View Profile Personal Message (Offline)

Ignore
1481430099
Reply with quote  #2

1481430099
Report to moderator
1481430099
Hero Member
*
Offline Offline

Posts: 1481430099

View Profile Personal Message (Offline)

Ignore
1481430099
Reply with quote  #2

1481430099
Report to moderator
1481430099
Hero Member
*
Offline Offline

Posts: 1481430099

View Profile Personal Message (Offline)

Ignore
1481430099
Reply with quote  #2

1481430099
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
ThomasV
Legendary
*
Offline Offline

Activity: 1722



View Profile WWW
June 05, 2012, 06:38:52 AM
 #2

anyone have any idea what i can do now?

any idea how the attack was possible?
did you use a strong password? yubikey?

Electrum: the convenience of a web wallet, without the risks
matthewh3
Legendary
*
Offline Offline

Activity: 1372



View Profile WWW
June 05, 2012, 06:43:41 AM
 #3

I think some passwords were hacked on the GLBSE too.  It's always best not to reuse the same password on different sites.

julz
Legendary
*
Offline Offline

Activity: 1092



View Profile
June 05, 2012, 06:55:21 AM
 #4

As a matter of course, MtGox should be providing victims such as yourself with the IP addresses, logs/timestamps etc of recent accesses to your account.
If you are to file a police report, you should have all the relevant information about the unauthorised access to your account.



@electricwings   BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
caveden
Legendary
*
Offline Offline

Activity: 1106



View Profile
June 05, 2012, 07:33:15 AM
 #5

As a matter of course, MtGox should be providing victims such as yourself with the IP addresses, logs/timestamps etc of recent accesses to your account.

Plus, they should allow users to set limit to themselves.
Like a preferences page where I set maximum withdraw amounts per day and per week to myself. If I want to change these preferences by increasing the amounts, the change will only take effect like 48 hours later. And every change in these preferences are notified by e-mail, as every withdraw of any amount.

This way losses can be limited in cases such as this.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
mooony
Newbie
*
Offline Offline

Activity: 2


View Profile
June 05, 2012, 10:02:05 AM
 #6

anyone have any idea what i can do now?

any idea how the attack was possible?
did you use a strong password? yubikey?


really no idea, i only accessed mtgox onced from a hotel's network once and i have changed my password after that due to to database leak.not
 the strongest, 10 random alphanumeric. no caps either. nope no yubikey =/

I think some passwords were hacked on the GLBSE too.  It's always best not to reuse the same password on different sites.

this is the only bitcoin related site that i have used this password on. granted i used the password on 2 other sites but they seem to be unaffected.


i may file a police report but honestly i don't really see the point.

ThomasV
Legendary
*
Offline Offline

Activity: 1722



View Profile WWW
June 05, 2012, 10:09:31 AM
 #7

this is the only bitcoin related site that i have used this password on.

what does "this" refer to? mtgox or glbse?

Electrum: the convenience of a web wallet, without the risks
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2002



View Profile
June 05, 2012, 10:54:22 AM
 #8

In another thread where there was a Mt. Gox account that got compromised, TT had just made some suggestions:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist. [Update: Mt. Gox just added this.]

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.


And in yet another thread where there was a GLBSE account that got compromised, TT made his appeal to them as well:

Please, exchanges, implement this SOON. You cannot implement it soon enough.

coin_toss
Member
**
Offline Offline

Activity: 118


View Profile
June 05, 2012, 03:01:34 PM
 #9

Just goes to show MtGox is still not a safe place to store funds long term, and especially without a yubikey
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!