Most likely a login session on the phone was not terminated, so the hacker simply re-entered Bitstamp, and at the same time the email account is usually logged in automatically, and no 2FA is required.
There is a weakness on Bitstamp's side: you don't need a 2FA code to withdraw. Since your email session is usually always logged in, once malware has taken control of the device, it only needs to wait until you log into Bitstamp.
I just checked my computer: my email session is always automatically logged in, so it is also possible that malware can withdraw all my coins when I log into Bitstamp. Scary but true.

This seems like the most likely to me. It bypasses 2FA, and if they already had your email it would be easy: wait till you log in to Bitstamp, initiate a withdrawal, confirm the email.
If it is from inside Bitstamp, it's a very scary thought to have.