Bitcoin Forum
March 28, 2024, 10:55:00 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 »  All
  Print  
Author Topic: ALL mtgox password has been compromised, change asap, everywhere you used it  (Read 17563 times)
kokojie (OP)
Legendary
*
Offline Offline

Activity: 1792
Merit: 1003



View Profile
June 19, 2011, 07:31:28 PM
 #1

https://rapidshare.com/#!download|359tg2|1969319443|accounts.csv|4023

All mtgox account password has been dumped in their hashed form (can be downloaded from the above link), passwords are being cracked as we speak. Change them asap, anywhere you used it.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
Make sure you back up your wallet regularly! Unlike a bank account, nobody can help you if you lose access to your BTC.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1711623300
Hero Member
*
Offline Offline

Posts: 1711623300

View Profile Personal Message (Offline)

Ignore
1711623300
Reply with quote  #2

1711623300
Report to moderator
1711623300
Hero Member
*
Offline Offline

Posts: 1711623300

View Profile Personal Message (Offline)

Ignore
1711623300
Reply with quote  #2

1711623300
Report to moderator
1711623300
Hero Member
*
Offline Offline

Posts: 1711623300

View Profile Personal Message (Offline)

Ignore
1711623300
Reply with quote  #2

1711623300
Report to moderator
BioMike
Legendary
*
Offline Offline

Activity: 1658
Merit: 1001


View Profile
June 19, 2011, 07:35:18 PM
 #2

I wonder how they were able to get it?

SQL injection?
Man From The Future
Sr. Member
****
Offline Offline

Activity: 371
Merit: 250



View Profile
June 19, 2011, 07:37:24 PM
 #3

I wrote an MMOG backend with better password security than MtGox. Sad
(Two times SHA512 hashes needed to be cracked to find a user's password)

THE ONE STOP SOLUTION FOR THE CRYPTO WORLD
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
Facebook   /  Twitter   /  Reddit   /  Medium   /  Youtube   /
      ▄▄█████████▄▄
   ▄█████████████████▄
  █████▀▀  ███  ▀▀█████
 ████     █████     ████
████     ███████
███▀    ████ ████
███▄   ████   ████
████  ████▄▄▄▄▄████  ████
 ███████████████████████
  █████▄▄       ▄▄█████
   ▀█████████████████▀
      ▀▀█████████▀▀

▄██▀▀▀▀▀▀▀▀▀▀▀▀▀██▄
▄██▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀██▄
▄█▀                       ▀█▄
▄▄▄▄ ▄█                           █▄ ▄▄▄▄
█   ███▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀███   █
▀▀█▀                                 ▀█▀▀
▄▀                                     ▀▄
▄▄▀▄▄▄▄                                 ▄▄▄▄▀▄▄
█       ▀▀▄                           ▄▀▀       █
█          █                         █          █
█▀▀▄▄▄▄▄▄▄███▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀███▄▄▄▄▄▄▄▀▀█
▒▀▄       ██▀▀▀▀▀▀▀▀▀▀▀▀█▀█▀▀▀▀▀▀▀▀▀▀▀▀██       ▄▀▒
▒█▀▀▀▀▄▄  █              ▀              █  ▄▄▀▀▀▀█▒
▒█      █ ▀▄                           ▄▀ █      █▒
▒▀▄▀▄▄▄▄▀  █▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀█  ▀▄▄▄▄▀▄▀▒
▒▒▒▀▄▄▄▄▄ █                             █ ▄▄▄▄▄▀▒▒▒
 ▒▒▒▒▒▒▀▀▀▀▀▄▄▄▄▄▄███████████████▄▄▄▄▄▄▀▀▀▀▒▒▒▒▒▒▒
██
██
██
██
██
██
██
██
██
██
██
██
dooglus
Legendary
*
Offline Offline

Activity: 2940
Merit: 1327



View Profile
June 19, 2011, 07:39:48 PM
 #4

The front page of mtgox is redirecting to something showing this now:

Quote
UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.

It also says "One account with a lot of coins was compromised" and "Apart from this no account was compromised, and nothing was lost".  If that's true, how did everyone's password hashes end up on the Internet for public download?  Something fishy is going on.

Just-Dice                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   Play or Invest                 ██             
          ██████████         
      ██████████████████     
  ██████████████████████████ 
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
    ██████████████████████   
        ██████████████       
            ██████           
   1% House Edge
Steve
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1007



View Profile WWW
June 19, 2011, 07:40:21 PM
 #5

I use a customized version of passwordmaker.org ...this let's me hash together one master password with various other details to generate completely unique usernames and passwords for every single online account that I have.  I sleep easy knowing that if my password on one service (like mtgox) has been compromised, that my password (or username) is not compromised on other services.  I highly recommend it (it can be a little inconvenient though).

(gasteve on IRC) Does your website accept cash? https://bitpay.com
RandyMarsh
Full Member
***
Offline Offline

Activity: 237
Merit: 100



View Profile
June 19, 2011, 07:42:04 PM
 #6

If this was Facebook I would not like this at all

Stan?! STAN?!?!
kokojie (OP)
Legendary
*
Offline Offline

Activity: 1792
Merit: 1003



View Profile
June 19, 2011, 07:42:52 PM
 #7

The front page of mtgox is redirecting to something showing this now:

Quote
UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.

It also says "One account with a lot of coins was compromised" and "Apart from this no account was compromised, and nothing was lost".  If that's true, how did everyone's password hashes end up on the Internet for public download?  Something fishy is going on.

One have to be an idiot to believe that statement, someone has 500k+ btc just sitting in their mtgox account? lol

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
drknark
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
June 19, 2011, 07:43:06 PM
 #8

Man from the future, you seem to know this stuff. How hard would it be for people to bruteforce or crack a reasonably strong password with the encryption in the MtGox file? Say 10 characters alphanumeric.
kokojie (OP)
Legendary
*
Offline Offline

Activity: 1792
Merit: 1003



View Profile
June 19, 2011, 07:46:45 PM
 #9

Man from the future, you seem to know this stuff. How hard would it be for people to bruteforce or crack a reasonably strong password with the encryption in the MtGox file? Say 10 characters alphanumeric.

If the hacker also got their hand on the mtgox sourcecode, it's pretty trivial to crack, probably 5-10 accounts per hour depending on password strength.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
bullox
Full Member
***
Offline Offline

Activity: 131
Merit: 100


View Profile
June 19, 2011, 07:53:07 PM
 #10

lol wow that password hash is just begging to be cracked.   That kind of length of total output hash is like the luggage lock of electronic security...  Even salted sufficiently that is just not adequate.

I would like to echo the previous poster who said they have stronger encryption in a game they develop...
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
June 19, 2011, 07:53:18 PM
 #11

Everybody with password lengths of less than 8 characters are totally screwed now.

Change your passwords everywhere as soon as you can!

Misspelling protects against dictionary attacks NOT
bittrader
Jr. Member
*
Offline Offline

Activity: 42
Merit: 1



View Profile
June 19, 2011, 07:53:35 PM
 #12

I waited through the crappy Rapidshare wait time and finally downloaded the file.

I can confirm that my Mt. Gox username and password are here! This is real.
kinghajj
Member
**
Offline Offline

Activity: 66
Merit: 10


View Profile
June 19, 2011, 07:56:54 PM
 #13

If the salt hasn't been compromised, then the passwords should be safe, no?
NielDLR
Member
**
Offline Offline

Activity: 95
Merit: 10



View Profile WWW
June 19, 2011, 07:58:07 PM
 #14

Argh, fuck everything about this. Really MtGox? Really? You aren't playing nice. Also hacker who did this? Screw you too. #superbummed

The Cypherfunks - A decentralized band and cryptocurrency. The first cryptocollective.
markus1000
Full Member
***
Offline Offline

Activity: 153
Merit: 100


View Profile
June 19, 2011, 07:58:45 PM
 #15

mmh how can i login and change my password, i only see the login to the support section
kokojie (OP)
Legendary
*
Offline Offline

Activity: 1792
Merit: 1003



View Profile
June 19, 2011, 08:01:32 PM
 #16

If the salt hasn't been compromised, then the passwords should be safe, no?

No, absolutely not. I have already seen cracked mtgox passwords being shared in the IRC channels. Do not take a chance, change them as soon as possible, everywhere you used it.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
Durr
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
June 19, 2011, 08:03:05 PM
 #17

This explains all the recent vague topics about 'my MtGox account got hacked'. The hacker went through each of them, and when he found one that had 500k bitcoins.. well you know what happened.
Bit_Happy
Legendary
*
Offline Offline

Activity: 2100
Merit: 1040


A Great Time to Start Something!


View Profile
June 19, 2011, 08:03:36 PM
 #18

This still might be a phony spreedsheet.
Let's see some real proof now!


I waited through the crappy Rapidshare wait time and finally downloaded the file.

I can confirm that my Mt. Gox username and password are here! This is real.

But I'm not sure you are telling the truth (no offense)
I want real proof, please send me an email, same username as this forum.
I'm waiting for real proof, now....

Edit:
Now I have real proof, thank you.

drknark
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
June 19, 2011, 08:05:37 PM
 #19

Bit_Happy, if you had an account on MtGox you could easily verify it. My account was on there. Edit: not same username as here.

Thanks guys for the info on the strength of the encryption.
piuk
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1005



View Profile WWW
June 19, 2011, 08:09:53 PM
 #20

It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.

Pages: [1] 2 3 4 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!