All BTC disappeared from my Mt. Gox account

[coinminers]

Last week I sent a notice to Mt Gox about money that disappeared from my account.

This is the note I sent them:

--
Hello,

I'm inquiring about the transaction below:

2012/06/01 16:47:36   Withdraw    125.39000000 BTC   0.00000000 BTC
Bitcoin withdraw to 12pgtNq8A67Si6RwGa4ccjUVGJnjuiiU3z

I never initiated a transaction like that so I'm wondering where that money went?
--

This is what they replied:

--
Hello,

We are sorry for your loss. Unfortunately, we can not refund any amount of the stolen funds. While this is extremely disappointing news, it is unavoidable. Issuing a direct refund is not possible as there is no way of proving that your account was in fact compromised. As a business if Mt.Gox were to offer you a cash or bitcoin refund in compensation of this extremely unfortunate event, there would be a large increase in the number of hacking attempts to capitalize upon the possibility of financial reward.

As a further remedy, we would like to suggest that you file a police report for the stolen goods. It is preferable for the police to inspect your computer, but not necessary. Once this investigation has occurred and a copy of the police report issued, please send a copy of it along with a notarized copy of your passport or Government issued photo ID to Mt.Gox.

Please let us know how you wish to proceed, and again we apologize for the frustration and inconvenience caused.

Thanks,

MtGox.com Team
--

Is this normal??

[rgm3]

make sure, that your password is changend now.

seems very unfortunate but i think someone got your password and did a payout to his own address

[AndrewBUD]

Ouch that sucks.. I use similar passwords on sites but rarely the same... The exchange I use requires email verification everytime I log in.

[Stephen Gornick]

A lot of that going on.

"MtGox account got cleared out"
 - http://bitcointalk.org/index.php?topic=85533.0

Another:
 - http://bitcointalk.org/index.php?topic=80562.msg941759#msg941759

And another:
"My mtgox account got compromised, what can I do?"
 - http://bitcointalk.org/index.php?topic=84585.0

And on other services as well.  Here same thing happened to some GLBSE users:
 - http://bitcointalk.org/index.php?topic=84893.0

In none of these was the person using multi-factor authentication.  Mt. Gox has had Yubikey support for a while.  Mt. Gox accounts now support Google Authenticator:
 - https://mtgox.com/press_release_20120605.html

[coinminers]

Thanks everyone for the input, is there no way for me to get MtGox to help out a little bit more? I mean they have IP information, logs etc., no?

[stevegee58]

Do what they suggested and file a police report.  Gox won't tell you the perpetrator's IP address or anything else.  They'll only divulge that with a court order or law enforcement request.  It's your only hope.

Unless you have a really compelling reason to use them, you should avoid using exchanges.

[coinminers]

I see. I will sure as hell not use Mt Gox anymore.

My computer is safe, so is my password, I did not use this password on other sites, and I see no way how someone could have obtained it through fault of my own!

This really sucks!

[Kazimir]

coinminers, would you mind sharing what password you used for your Mt. Gox account? (assuming you changed your password in the mean time, if not, DO IT NOW)

I'm curious as to how (un)likely it is that somebody hacked guessed  it.

Do what they suggested and file a police report.  Gox won't tell you the perpetrator's IP address or anything else.  They'll only divulge that with a court order or law enforcement request.  It's your only hope.

That is actually pretty darn lame from them, not to mention extremely customer unfriendly

If the account owner did the transaction himself, there is no reason not to share the IP (i.e. his own) from which the withdrawal was issued.
If someone else did, that's a very obvious reason (or even duty) to share the IP to the actual account owner.

Shame on you, Mt Gox. Another reason why I will trade ZERO bitcoins with you.

[mollison]

Unless you have a really compelling reason to use them, you should avoid using exchanges.

Why do you say this?

[stevegee58]

If the account owner did the transaction himself, there is no reason not to share the IP (i.e. his own) from which the withdrawal was issued.
If someone else did, that's a very obvious reason (or even duty) to share the IP to the actual account owner.

They won't and they shouldn't.  Think about it.  What would you do with someone's IP address if you had it?  Suppose they told you the IP address and you somehowtracked down the perpetrator and killed him.  Think of the liability that opens Gox (or any other business) up to.

Leave law enforcement to the police.

[AndrewBUD]

Depending where you are I doubt the police will do much about it, But you will have proof you made a police report....

[stevegee58]

Depending where you are I doubt the police will do much about it, But you will have proof you made a police report....

I agree they probably won't have much chance of getting OP's BTC back.  But here's a chance to look in the mirror and do some soul searching about BTC.  Maybe OP shouldn't have put so much in BTC that it hurts to lose it.  After all we're in a Wild West phase of BTC's development.  We're seeing scalability problems already from satoshidice for instance.

When you suffer a loss like this don't expect a bail-out.  I know it seems like everyone expects to get a check every time something bad happens to them.  But like I said it's the Wild West.

[Kazimir]

They won't and they shouldn't.  Think about it.  What would you do with someone's IP address if you had it?  Suppose they told you the IP address and you somehowtracked down the perpetrator and killed him.

In that case email headers shouldn't contain IP addresses either.

The probability of someone actually killing someone for stealing bitcoins, based on their IP alone, seems to be insignificantly small to me.

Leave law enforcement to the police.

Funny. I don't know where you are from, but here in Europe, the police DON'T DO SH!T about theft whatsoever. Let alone "theft" (they won't even call it that) of information which is not a tangible asset.

Crypto money, you say? Sounds like WoW gold to them. The probability of the police actually tracking down and prosecuting someone for stealing bitcoins, based on their IP, is exactly 0.000000000000000%

[electronus]

I've got the same situation. All my usd amount was traded for btc, and then btc was withdrawed 
just before was used Opera with Turbo function enabled
and somebody in Sweden stole my mtgox password
consider this as unavoidable situation  because I've got the same email answer from mtgox
can you publish here an IP address from where your funds was withdrawed?
and also consider to keep your btc on your pool or standalone wallet, and use mtgox only for trade and immediate withdraw for a limited amount of time, not for keeping btc or usd

[jbcmine]

My computer is safe, so is my password, I did not use this password on other sites, and I see no way how someone could have obtained it through fault of my own!

I doubt your computer is as safe as you think!

[coinminers]

They won't and they shouldn't.  Think about it.  What would you do with someone's IP address if you had it?  Suppose they told you the IP address and you somehowtracked down the perpetrator and killed him.  Think of the liability that opens Gox (or any other business) up to.

I myself co-own a business that supplies an online service and when our customers need IPs of people who have bid in their auctions, we will supply that information every single time, no questions asked, and 0 murders so far.

If I told any of my clients that I'm afraid they may kill the person whose IP I supply, then that would likely be the last interaction I would had had with that client.

[stevegee58]

I myself co-own a business that supplies an online service and when our customers need IPs of people who have bid in their auctions, we will supply that information every single time, no questions asked, and 0 murders so far.

Still begs the question: what will someone do with an IP address?  It's actually a useless piece of information anyway.  It's already been decided in US courts that an IP address cannot be used to identify an individual person, only a household.

ISPs like Comcast do hold onto IP address info for some months but will only release customer info under court order, not to individuals.

[electronus]

stevegee58 not for hunting purpose  ,
but you can always use ripe or other nic to resolve country of origin
in my situation thats was Sweden and after nic tinkering I've linked leak of password with Opera Turbo mode, because they use Sweden-based servers as well 

[coinminers]

Still begs the question: what will someone do with an IP address?  It's actually a useless piece of information anyway.  It's already been decided in US courts that an IP address cannot be used to identify an individual person, only a household.

ISPs like Comcast do hold onto IP address info for some months but will only release customer info under court order, not to individuals.

Well, how about figuring out, for starters, if someone maybe logged into the computer at my office and did it from there,or if it's a complete stranger? In the former case I would be willing to accept more responsibility than in the latter.

What if they can't supply any IP records at all? Wouldn't that open MtGox up to questioning? What if someone did this stuff from THEIR backend. Wouldn't they then be liable for some kind of damage control?

I think there is a lot that can be gathered from IP records, at least much more than filing, out of all things, a POLICE report.

[Kazimir]

Anyone capable of guessing a password is probably also clever enough to use TOR + VPN + a chain of proxies to withdraw the funds. Still, it is retarded of Mt. Gox not to share this information with their customers.

Still wondering:

coinminers, would you mind sharing what password you used for your Mt. Gox account? (assuming you changed your password in the mean time, if not, DO IT NOW)

I'm curious as to how (un)likely it is that somebody hacked guessed  it.

And same for electronus:

and somebody in Sweden stole my mtgox password

Could you reveal the password that got stolen? Also, of course, assuming you changed it in the mean time.

It would be helpful for others to see what is NOT a good password (not meant to ridicule you guys but as an honest advice and lesson for others).