No software installed to process OTP and my phone was never directly connected to my computer. I connect my phone to my wireless router for its internet speed when I needed to download apps like Google Authenticator. The phone itself was never used to trade, I only traded via the PC.
Thanks for the details. What about the thought of having typed the Google Authenticator OTP setup seed into a text file (or email, etc.) on the computer, as a way to keep a personal copy of the information in case it was needed later?
If someone did not manage to get your withdrawal credentials, then your report could reveal a new intrusion into Mt. Gox's servers. Despite the 2FA, an attack could still be from outside the company (unless Mt. Gox has really outdone itself with thoroughly secured login/withdrawal processing).
BTW, does anyone know how long Mt. Gox restricts withdrawals to a given GA OTP, and especially whether the site allows reuse of a prior "OTP"? In the recent past at least, they certainly did not strictly adhere to the standard 30-second window. (Conceivably a man-in-the-middle attacker could take advantage of such weaknesses.)
No backups since I didn't think it was needed even if I did somehow lose access to the keys. I recall Mt. Gox gave an option to unlink keys where they lock down your account for 2 weeks and repeatedly email you to verify that the real owner made the request.
As I've used my account earlier this week and never received such emails, I don't think this was the attack vector.