MT.Gox account hacked - lost 2k USD - MT.GOX will not explain how.

[bitcoinBull]

Use 2-factor to help prevent this from happening to YOU. Its not hard, see my guide here.

[1713451542]

1713451542

[1713451542]

1713451542

[1713451542]

1713451542

[1713451542]

1713451542

[fabrizziop]

It could have to do with the cuevana plugin leak. Anyways google authenticator is really really nice.

[Marco Polo]

If you trade more than $150 USD it is worth it to invest in a Yubikey, IMHO. I have other issues with MtGox, but getting hacked is the least of my concerns.

i don't have a yubikey, but my password is something similar to jfdsaMFDasjm#R$MnVMXCL:m43mMVL:XJOP%$#mvc

Thats not enough for alot of attacks. You need to use 2-factor authentication

[sippsnapp]

I would bet it was a keylogger on your pc. Malicius software is easy to FUD for about 1-2 weeks. The topic about popup windows is that they could redirect to exploit kits which spawn a keylogger or bot.
If thats true most probably all passwords in your broser have been logged in the time your machine has been compromised.
I see no other option as if mtgox would have been hacked the damage would be known by now, it defenetly seems to be on your end.
Cant often enough recommend to use a virtualbox/vmware for any untrusted applications.

Concerning the reaction from mtgox i dont have an optinion.

[Ghostofkobra]

I have to disagree with you saying its not a fair request to disclose how your funds got removed because if there "an easy way" or undisclosed hack they shouldn't release that information to protect other accounts.For the Greater Good of all.

The Lowest hanging fruit are always picked first. Accounts only protected by passwords are easy targets.

Plus sometimes the Japanese to English might not have translated correctly from the people you talked to.

So the account "not logged in" part might be a mistranslated, i've talked with alot of non-native english speakers and sometimes it just comes out wrong.

If this was a hack, the hacker would be getting as many accounts emptied as possible before the hole was closed.


Per MtGox As a reminder we assume no responsibility should your funds be stolen by someone using your own password.

Sorry for the late reply.

I disagree with you, if there is a hack they should plug it and then admit it...

The account logged on was not misstranslated since they sent me the login logs (no Ip's but time and dates) for the weeks around the withdrawal.
After i pointed out that there were no login at the time of the withdrawal, they started answering:
  We only talk to the police.

I think it talks for itself that something is not right.

[Ghostofkobra]

If you have a police report you can request us to forward the details to the police. We'll need a case number and details on the law enforcement in charge (person in charge, etc) to forward the appropriate details.

I am sorry that i answered this post so late,
But i am so disgusted with this issue that i done look at this thread.

I filed a police report and got a decision back 2 days before your post.

It is nice of you to offer to forward information but the police did not open an investigation because:

             "The crime can obviously not be investigated."


But if you read this could you please tell me how the money was removed when noone logged on to my account (according to the logs mtGox) sent to me?
And why the support never answered that question and just started referring to "we only give information to the police" as soon as i asked it?
Which is the same as you are doing.


/GoK

[deepceleron]

These may be trades executed with the API: https://en.bitcoin.it/wiki/MtGox/API/Streaming

One should investigate if API trades do not show a login, and if they don't, then that is likely the method used.

It is very possible that someone found a way to exploit persistent data, cookies, or some other way that a users session or identity can be hijacked in the MtGox interface.

[yuhannl]

My account was somehow hacked in on the 5th of Oct, where a large number of transactions (2600) occurred within a 30 min window. All of these transactions were for buy & sell orders that ultimately cleared my account down to less than 1c.

As per OP, notifying Mt Gox yields a response requesting me to file  report with police,etc.,and we all know what means.

Except for logging onto the account, 2 factor auth have been used.

I suspect there's some serious flaw in the APIs that could have caused this.

I'm requesting login logs from mt Gox to see what they come back with.

/edit - just to note that I do not have any API keys and have 2 factor auth for withdraw and security center. So if they could execute trades via API without being able to create an API Key then there are some serious flaws!

[sippsnapp]

Beside the api thing, did you guys use a wireless lan connection?
If somebody logged in from your ip its just logical that there cant be logs except for the mac address and even that can be spoofed.
An attacker can indeed hack the wlan network and from there into your pc, and no, this is not fiction.

[yuhannl]

Beside the api thing, did you guys use a wireless lan connection?
If somebody logged in from your ip its just logical that there cant be logs except for the mac address and even that can be spoofed.
An attacker can indeed hack the wlan network and from there into your pc, and no, this is not fiction.

Totally agree that's no fiction, and whilst I cannot comment for the OP, I find it hard to understand how someone could hack my pc (no PC anyway), hack my iphone, hack google authenticator, change API security, create API keys and then execute 2600 transactions.

[yuhannl]

These may be trades executed with the API: https://en.bitcoin.it/wiki/MtGox/API/Streaming

One should investigate if API trades do not show a login, and if they don't, then that is likely the method used.

It is very possible that someone found a way to exploit persistent data, cookies, or some other way that a users session or identity can be hijacked in the MtGox interface.

Marcus from Mt Gox have responded back saying they are not able to differentiate whether trades are executed via API or not. Given there were 2600 transactions on my account over a mere 30 mins, I cannot see that being executed manually.

I have also asked for login logs for my own account (without saying whether I need to see IP addresses or not), and have been declined due to their privacy policy.

I'm seeking further clarification on exactly which part of the privacy policy is he referring to.

[yuhannl]

These may be trades executed with the API: https://en.bitcoin.it/wiki/MtGox/API/Streaming

One should investigate if API trades do not show a login, and if they don't, then that is likely the method used.

It is very possible that someone found a way to exploit persistent data, cookies, or some other way that a users session or identity can be hijacked in the MtGox interface.

Marcus from Mt Gox have responded back saying they are not able to differentiate whether trades are executed via API or not. Given there were 2600 transactions on my account over a mere 30 mins, I cannot see that being executed manually.

I have also asked for login logs for my own account (without saying whether I need to see IP addresses or not), and have been declined due to their privacy policy.

I'm seeking further clarification on exactly which part of the privacy policy is he referring to.

After I posed the question on which part of the privacy policy he's referring to, he's now replied saying he's going to have this checked with their developer and get back to me.


Marcus, Oct 15 20:51 (JST):
Hello Yuhann,

I will have this checked with our developer and we will get back to you.

Thanks,

MtGox.com Team


Yuhann Liu, Oct 15 20:28 (JST):
Hi Marcus,

Sorry to dig further.

This appears to be very inconsistent to others who requested for this information and have received them.

Can you refer me to which part of the privacy policy that states you cannot disclose the login times of my own account? I have it open right now.


Regards,


Sent from my iPad


Marcus, Oct 15 20:10 (JST):
Hello Yuhann,

We will not be able to provide the information as per our privacy policy and we will not be able to differentiate the API trades and you have also advised that this you have not used an API before.

Thanks,

MtGox.com Team


Yuhann Liu, Oct 15 20:04 (JST):
Marcus, are you able to advise reason behind not being able to supply me with access logs of my own account?

[Meizirkki]

Why isn't anybody saying it??

Mt.Gox is the "hacker" here.

[Desolator]

Beside the api thing, did you guys use a wireless lan connection?
If somebody logged in from your ip its just logical that there cant be logs except for the mac address and even that can be spoofed.
An attacker can indeed hack the wlan network and from there into your pc, and no, this is not fiction.

Your MAC isn't exactly exposed to websites you connect to.  That's how network work.  If someone logged in from his IP, it would show that someone logged in from his IP, which did not happen.  Also, that is stupid to say that someone can get control of someone's PC just because they "hacked" the wireless network, which you said wasn't secured in this example so not a lot of hacking would go on, lol.  Windows 7 has network discovery and file sharing turned off by default so no, it's not quite that simple.  Plus, the PC would still have an antivirus.  Plus, two people that live within wireless range of each and one being a "hacker" and both using bitcoins is astronomically improbable.

[sippsnapp]

Beside the api thing, did you guys use a wireless lan connection?
If somebody logged in from your ip its just logical that there cant be logs except for the mac address and even that can be spoofed.
An attacker can indeed hack the wlan network and from there into your pc, and no, this is not fiction.

Your MAC isn't exactly exposed to websites you connect to.  That's how network work.  If someone logged in from his IP, it would show that someone logged in from his IP, which did not happen.  Also, that is stupid to say that someone can get control of someone's PC just because they "hacked" the wireless network, which you said wasn't secured in this example so not a lot of hacking would go on, lol.  Windows 7 has network discovery and file sharing turned off by default so no, it's not quite that simple.  Plus, the PC would still have an antivirus.  Plus, two people that live within wireless range of each and one being a "hacker" and both using bitcoins is astronomically improbable.

Havent been into this soo much but not so long ago you could exploit wps routers with a reaver attack bruteforcing the key what exactly took 16 hours. WEP takes 15 minutes, idk but i can imagine there are ways nowadays to bruteforce wpa2 effectively. One minute on google got me this: http://technicdynamic.com/2011/12/hacking-wpa-2-key-evil-twin-no-bruteforce/

So much about win 7 is safe: http://arstechnica.com/security/2012/09/critical-zero-day-bug-in-microsoft-internet-explorer/

[Desolator]

There have been Mac and Linux viruses.  There have been Firefox and Chrome vulnerabilities.  If you're not an idiot, you won't catch a virus in Windows.  I use Firefox with noscript for most surfing and keep my plugins updated.  I actually disabled the Adobe Reader plugin completely so it uses FTP to load a PDF file like it should.  If a virus does manage to jump onto my system, my AV will likely catch it as it executes.  If it doesn't, I pretty much remove viruses for a living so no problem there.  If it damages my system irreparably in the process, I have a system image backup that's never very old.  Tada, safe.

[Zeeks]

This smells like a borrowed browser session. Someone is probably getting access to your sessions using a virus (or less likely over your own wireless connection) and therefore they never did log in to your account, you logged in and they held onto that session and then used it later. Because of this, for all intents and purposes as far as MtGox could possibly tell it was you who withdrew the funds.

Most sites which deal with money (like online banking) protect against this by having forced log off of your account if you are inactive for more than a few minutes. That way even if someone tried to hijack your session it would be far too late to actually use it.

[yuhannl]

After a bit of back & forth eventually MtGox gave in and shown me the login logs. Whoever hacked in has managed to logon after 3 attempts, so I suspect they've drawn from the passwords I have used on one of the Bitcoin sites which I won't name here. It seems that they could either 1) withdraw funds from my account if it wasn't protected or 2) use my account to somehow manipulate the market or 3) simply to trade the account "out".  (2600 transactions in 30 mins can't be manual).

I haven't really dug into the info that much, but can someone tell me whether it's possible to trade using API without generating an API code on Mt Gox?

[deepceleron]

Some pool is probably exploited and doesn't know it. There have been several sites that have previously disclosed intrusions. Where else did you use your mtgox password, you must discover the source of the hack (and not use the same password twice!)

[deadserious]

I've got no money or coins on Mt. Gox at the moment, but this thread reminded me to turn on two factor authentication.

I'll feel much safer for my next transaction.