by paulhodge 4818 days ago
Fair point, most of the mistakes were on the author's part. MtGox isn't completely blameless: they had a cross-site scripting vulnerability, and they should probably enforce some stronger security around logins from new computers. Something like Steam's approach, where every login from a new computer needs to be verified with a confirmation code.

There is no evidence of any cross-site scripting vulnerability - it's a standard case of 'user executes malicious code with full user rights'. If anybody is to blame for that, it's Oracle for letting users shoot themselves in the foot with an 'OK' dialog that all Windows users just click OK on anyway.

MtGox could help prevent this with something like Steam's approach, but once the user has run malicious code there is not much stopping that code from also compromising his email account. Two-factor authentication would help here, and MtGox does appear to offer this - the complainer just didn't use it.
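The two controls the thread contrasts, a Steam-style confirmation code for logins from an unknown computer and a TOTP second factor, in working form. This is an added illustration written for this page, not MtGox or Steam code; the `Account`, `login` and `confirm_device` names, the 600-second code lifetime and the five-attempt limit are assumptions, and the `outbox` list stands in for e-mail delivery so the example runs offline. The TOTP part follows RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits) and is checked against the RFC test secret.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30        # seconds per TOTP counter step (RFC 6238 default)
CODE_TTL = 600        # seconds a new-device confirmation code stays valid (assumed policy)
MAX_ATTEMPTS = 5      # wrong guesses allowed before the code is discarded (assumed policy)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code plus `window` steps either side for clock drift,
    comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret, at + k * TOTP_STEP), code)
        for k in range(-window, window + 1)
    )


class Account:
    """Minimal account record (hypothetical): a TOTP secret, the confirmed device ids,
    pending new-device codes, and an outbox standing in for e-mail delivery."""

    def __init__(self, totp_secret: bytes) -> None:
        self.totp_secret = totp_secret
        self.trusted_devices: set[str] = set()
        self.pending: dict[str, list] = {}   # device_id -> [sha256(code), expires_at, attempts_left]
        self.outbox: list[str] = []           # simulated e-mail channel (constructed for the example)


def login(acct: Account, device_id: str, totp_code: str, now: int) -> str:
    """Steam-style check first: an unconfirmed device gets a one-time code sent
    out of band and the login stops there. A confirmed device must still present
    a valid TOTP code, so a stolen password plus a readable mailbox is not enough."""
    if device_id not in acct.trusted_devices:
        code = "".join(secrets.choice("0123456789") for _ in range(8))
        acct.pending[device_id] = [
            hashlib.sha256(code.encode()).hexdigest(), now + CODE_TTL, MAX_ATTEMPTS]
        acct.outbox.append(code)              # delivery simulated; only the hash is stored
        return "confirm-required"
    if not verify_totp(acct.totp_secret, totp_code, now):
        return "bad-totp"
    return "ok"


def confirm_device(acct: Account, device_id: str, code: str, now: int) -> bool:
    """Redeem a new-device code: expired or exhausted codes are dropped, a wrong
    guess burns an attempt, a match marks the device trusted."""
    entry = acct.pending.get(device_id)
    if entry is None:
        return False
    digest, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        del acct.pending[device_id]
        return False
    if not hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest()):
        entry[2] -= 1
        if entry[2] == 0:
            del acct.pending[device_id]
        return False
    del acct.pending[device_id]
    acct.trusted_devices.add(device_id)
    return True


if __name__ == "__main__":
    # Constructed walk-through using the RFC 6238 test secret.
    acct = Account(b"12345678901234567890")
    now = 59
    print(login(acct, "laptop-1", totp(acct.totp_secret, now), now))   # confirm-required
    print(confirm_device(acct, "laptop-1", acct.outbox[-1], now))      # True
    print(login(acct, "laptop-1", "000000", now))                      # bad-totp
    print(login(acct, "laptop-1", totp(acct.totp_secret, now), now))   # ok
```

The walk-through makes the reply's point concrete: an attacker who can read the victim's mail (the `outbox` here) can pass the new-device step, but the login still fails without the TOTP secret held on a separate device. Storing only the hash of the confirmation code, bounding its lifetime and attempt count, and using constant-time comparison are the details that keep the confirmation step itself from becoming the weak link.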