At least it is the same CA, DigiCert (AFAIK). DigiCert has fairly high standards so they probably examined closely when a different org requested an EV cert for that domain. For what that's worth.
Yes, you're probably right, I just recall very clearly that they had emphasized in all of their security warnings to check for the certificate from Tibanne Co, and the current certificate is not.
I don't know how their infrastructure works, but if they use your password to unlock your wallet this could be a phishing attack. Either way, the money is probably as good as gone anyway.
This was what I was thinking: there were the folks who hacked the place and dumped out the data and scribbled on Karpeles' log. What better way to get the passwords to people's wallets than to put up a phish on MtGox's own servers and have anxious users provide it? People log in, give their password, check their wallet and then poof, all the coin gets moved out somewhere else. Seems pretty doable if you already have control of their infrastructure.
I have an interesting question. Currently my AUD$ balance is displaying as $0. However, in December and February I had asked to withdraw $1,000 and ~$400 to my Australian bank account. Those transfers were taken from my balance, but merely sat as 'confirmed' rather than 'processed'. What happened to my money?
They also removed deposits and withdrawals (sorry for being snarky... I do understand you probably feel violated again now that your balance information is available to anyone who had half of the security info that used to protect it)
But, there is no further danger that your login will be used to steal funds from your account.
I have low hopes for retrieving my 0.00770912 BTC that were in there (I really don't know why I even had that much in there, but upon logging on... it seems I may have).
But at the same time, I didn't see this page coming. I wonder why it's there? What would one do with this knowledge except feel uncomfortable?
The smart money is on at least one person whose job description is Serious Business and was in a position of authority said "Wait, you owe people hundreds of millions of dollars... and that fact is only recorded by you, on a system which is currently inaccessible to the creditors? And they don't have paper statements or anything? OK, that gets fixed. TODAY. No, your reason for not doing it is not a reason not to do it."
Now that I think of it... if you had used this as an "investment", could you take it as a loss on your taxes?
UPDATE: Checked with accountant, he's checking into it more, but very likely that you could take it as a casualty/theft loss for 2014. Will update more later.
I am 95% sure that I never sent them a passport scan. I remember getting as far as scanning it into my computer before my "what-the-fuck-am-I-about-to-do-ometer" went haywire. But it was a long time ago and I can't be 100% sure that I didn't send it to them. I'd really like some way of finding out.
The only email I ever got from them was a "thanks for registering, please confirm your email address" email, so I think that means I never took it past that point (there's no "thanks for verifying your identity" email).
I wouldn't touch this with a ten-foot pole. The Gox code and DB were accessed, who's to say some hackers aren't recording your password and now your email is compromised too?
EDIT: No 2FA, no https, and all data shown has already been stolen by hackers. I'm assuming it's probably real, but still -- be careful.