Just checked out their recover-password page. Just date of birth and one security question are needed. So if you already know a person, pretty easy to hack their accounts.
There's no cooldown period when you guess wrong. They say there's a 24-hour cooldown, but there isn't one. You can keep guessing all day if you solve a captcha for every three guesses you make. Captcha cracking is a cheap offshorable service, $1 for a thousand.
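As an added illustration (not from the thread), here is a small Python model of the two policies described above: a captcha required every three guesses with no per-account lockout, versus a real 24-hour cooldown after a few wrong answers. The account name, candidate answers and limits are constructed for the demonstration.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3                 # wrong answers tolerated before the account locks (assumed)
COOLDOWN_SECONDS = 24 * 60 * 60  # the 24-hour cooldown the provider is said to claim


@dataclass
class AccountLockout:
    """Per-account failure counter that locks the account for COOLDOWN_SECONDS."""
    failures: dict = field(default_factory=dict)      # account -> consecutive wrong answers
    locked_until: dict = field(default_factory=dict)  # account -> unix time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0.0) > now

    def record(self, account: str, answer_correct: bool, now: float) -> None:
        if answer_correct:
            self.failures.pop(account, None)  # reset on success
            return
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= MAX_FAILURES:
            self.locked_until[account] = now + COOLDOWN_SECONDS
            self.failures[account] = 0


def guesses_evaluated(policy: str, candidates: list, truth: str, start: float) -> int:
    """Simulate a guessing run against the recovery form and return how many
    candidate answers the server actually evaluated under the given policy.
    policy is "captcha_only" (captcha every 3 guesses, no lockout) or "lockout"."""
    guard = AccountLockout()
    account = "victim@example.invalid"  # constructed placeholder account
    checked = 0
    now = start
    for i, guess in enumerate(candidates):
        if policy == "captcha_only" and i > 0 and i % 3 == 0:
            pass  # captcha demanded here; with outsourced solving it never stops the run
        if policy == "lockout" and guard.is_locked(account, now):
            break  # per-account cooldown bounds the guesses regardless of captchas
        checked += 1
        correct = guess == truth
        guard.record(account, correct, now)
        if correct:
            break
        now += 1.0  # one guess per second
    return checked
```

With a constructed list of 100 wrong answers, the captcha-only policy evaluates all 100, while the lockout policy stops after 3 until the cooldown expires.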
Agreed. I've been with many different email services, both free and paid, and GMX has never given me any impression as a secure service. It has too much of a side-project-run-by-some-web-hosting-company look and feel.
Anecdotal evidence, but there are lots of security-related complaints in a popular (albeit non-technical) review site:
I wouldn't be surprised if Satoshi's account turns out to have been hacked years ago, and the culprits have been using it to buy expensive electronics with stolen credit cards. After all, the original pastebin said that the account details were already circulating in the black market. Only recently somebody might have realized that this was no ordinary hacked account.
Thunderbird, which I used almost exclusively at the time, was unable to log in; then I tried it via their website, which didn't work either.
I contacted support, and they told me that someone had changed the password and logged in since. They gave me the option to get my account back by providing a scan of my ID or passport, which I did.
The hacker never contacted me. I do not know to this day what his or her goal was, because the attacker didn't send or receive any emails with my account. I believe that the attacker got access to a large batch of accounts and simply couldn't find a way to contact me via the Internet. (I didn't use Facebook or other social services at the time.)
> Did you have a secret question that could have been guessed?
I never used the secret question option on any service. Whenever I'm forced to enter something, I enter senseless garbage like "jkanshbuicbwnaiubdaibvjabfuzabfnbi" precisely because I think that secret questions are unsafe and dangerous.
> Do you know what phishing is? Would you have ever fallen for it?
Yes, but I have never shared the login data with anyone, and when I logged in on other machines (which I did rarely), I used a browser that I had on my USB stick for that (which was encrypted).
> Is it possible your saved password was stolen by malware?
I do not have any reason to believe that (I never had a malware problem that I know of), but obviously I could never rule that out. But on the other hand my GMX account wasn't really important. There were accounts that the attacker could have used to steal money from me (for example: PayPal), yet I have never lost access to any other account.
Like I said, I still can't rule out the possibility (nobody could), but I believe that I had a reasonable setup at the time. I used the GMX website (rarely) via a browser on my encrypted USB stick (which I still possess) and had a Thunderbird setup with POP3 at the time so I wouldn't have to login.
A KeePass password should be prohibitively hard to brute force that way. They're random and fairly long. It's far more likely the attacker found some other route.
Recovery passwords for email accounts are actually kind of tricky, since the standard is generally recover-password-through-proof-of-control-of-email-account.
You can do SMS, but then you need phone numbers for users. Requiring "alternate email" is kind of a nightmare.
I wish someone could build an "account recovery as a service", with different levels of escalation. It would be fun to spec it out, but I have no time to actually set it up, since it's more a business vs. just some servers.
I suspect that this is not Satoshi's fault, but that GMX security is really bad.