Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Wind_FURY on September 06, 2016, 04:04:45 AM



Title: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Wind_FURY on September 06, 2016, 04:04:45 AM
This just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on dark net. A hacker going by DoubleFlag, is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."



Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: mjsbuddha on September 06, 2016, 04:06:46 AM
'To break it down, there are 469,540 passwords that have been encrypted with SHA-256, and 44,868 passwords encrypted with SMF encryption.'

Incorrect.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Mumbeeptind1963 on September 06, 2016, 04:15:33 AM
This just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on dark net. A hacker going by DoubleFlag, is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."



Oh no, I think if they sell it, it cause big in bitcoin community because many earners are earning here in bitcointalk by services like selling their accounts, by joining signature campaign and many more. What is the action of theymos now? And what should we do now have accounts in bitcointalk?


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: mjsbuddha on September 06, 2016, 04:18:39 AM
This just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on dark net. A hacker going by DoubleFlag, is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."



Oh no, I think if they sell it, it cause big in bitcoin community because many earners are earning here in bitcointalk by services like selling their accounts, by joining signature campaign and many more. What is the action of theymos now? And what should we do now have accounts in bitcointalk?

99% of the users are safe. (Not 99. But a lot.) The passwords were encrypted with 5 rounds & used strong encryption algorithms. Many passwords will never be cracked or aren't worth the time to crack.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Edwardard on September 06, 2016, 04:19:48 AM
if you follow these steps, then the chances of getting hacked will be minimal.
1. better change your password regularly and there should not be any problem.
2. don't click on any links. do a quick search about it on google before visiting any unknown site.
3. don't download any files without knowing about it.
4. always keep your password long and use a combination of both capital and small letters.
5. never use the same password everywhere.
Oh no, I think if they sell it, it cause big in bitcoin community because many earners are earning here in bitcointalk by services like selling their accounts, by joining signature campaign and many more. What is the action of theymos now? And what should we do now have accounts in bitcointalk?

change the password. lol.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: mjsbuddha on September 06, 2016, 04:22:45 AM
Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: TraderETH on September 06, 2016, 04:25:39 AM
If it is true, then it is time for all members of bitcointalk to change their password to a strong password using a mixture of characters like P4$$W00oD#, although we can get problems remembering it.  ;D


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: markisanon2434 on September 06, 2016, 04:27:01 AM
Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.

That should mean people shouldn't be worried about the hack. Great!  :)
Hope we won't face any issues like this in future.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Yakamoto on September 06, 2016, 04:27:44 AM
Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.
Exactly. While the data exists and there are some people who would be willing to take advantage of it, the cracking time for a majority of people is just too long for it to be worth it to get into a lot of users' accounts, however for some people they might just want to get into someone's account enough that they'll take the time.

I'll probably be changing up my password, it's about time anyways.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: mjsbuddha on September 06, 2016, 04:29:38 AM
Doesn't necessarily mean you're safe. I have billions of database entries in my possession. So let's say, I get your username and search it up on the Bitcointalk database.

Username leads to your email.

I grep that email within all my entries, and any average person will have most likely signed up on another site that was hacked so I will usually find someone's password in a soft password encryption algorithm or in plaintext.

This is where not using your password more than once in the same place comes in handy.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Robert_A on September 06, 2016, 04:43:11 AM
Let me just say that the encryption algorithm could've been stronger. For example, bcrypt or something like what Wordpress implements. Now THOSE are some tough hashes to crack. Hell, even cracking the password "123411" with a bcrypt hash would take up too many resources for the average person.

This leak however contained two different algorithms from what I'm aware. SHA1 & something that looks like this.

Password: $5$rounds=7500$bOzfMJtV+ltz8dF+$jeWxjkMFW8Dv389us5iJ5KSBmb8wjkZOhns4UGeMpp.

A SHA1 hash is just 64 characters of numbers and letters. They are much easier to crack. However, the algorithm in this case doesn't matter if you had an easy password such as 1-10 numbers, a bunch of letters, or if your password was in a wordlist.

Password: $5$rounds=7500$bOzfMJtV+ltz8dF+$jeWxjkMFW8Dv389us5iJ5KSBmb8wjkZOhns4UGeMpp
Once you crack that (took me a few seconds) you'll get this as the plaintext password.
'22362236'

$5$rounds=7500$bOzfMJtV+ltz8dF+$jeWxjkMFW8Dv389us5iJ5KSBmb8wjkZOhns4UGeMpp:22362236

And the fact that many of you are probably in other database leaks and use the same password makes it even easier for someone to compromise your account. Good thing for you guys is that no one gives a shit about Bitcointalk accounts so you're all probably safe for now.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: posi on September 06, 2016, 04:53:22 AM
Something must be done to put an end to this hacking thing going around the corner.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Kakmakr on September 06, 2016, 05:30:58 AM
I change my password every other week, so in theory a hack would not affect me, if my data were compromised. What benefit will these people have from hacking these accounts? We would just show the proof that we own the account and then get it back and change the password again. ^hmmm^



Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: CraigWrightBTC on September 06, 2016, 06:03:43 AM
It is bad if there are people who buy bitcointalk data, he will get data of email who used for making account on here. And it will become more bad if he can get access to the email.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: theymos on September 06, 2016, 06:34:55 AM
I sent out a mass email about this right after the leak in 2015. People really should've changed their passwords then. This database has been floating around since then, so if you didn't change your password already and your password is sufficiently weak, then there's a good chance that your account would've already been compromised.

Let me just say that the encryption algorithm could've been stronger. For example, bcrypt or something like what Wordpress implements. Now THOSE are some tough hashes to crack.

That's a common misconception. There is no functional difference between bcrypt and sha256crypt, except that sha256crypt uses the industry-standard SHA-256 hash function while bcrypt uses a hash function based on the deprecated and obscure Blowfish encryption algorithm.

PHP uses a default bcrypt cost of 10, which is roughly similar to sha256crypt with rounds=1024. Python uses a default cost of 12, which is roughly similar to sha256crypt with rounds=4096. The forum uses sha256crypt with rounds=7500. The forum's hashes, while not uncrackable given weak passwords, are far stronger than those used by almost every other site.
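
An added example (not part of the original post and not the forum's code) that parses stored hash strings in the `$id$...` format quoted in this thread and compares their work factors, using the post's rough equivalence of bcrypt cost c to sha256crypt rounds 2^c. The sample hashes, user names and the `MIN_ROUNDS` policy value are constructed for illustration.

```python
import re

SHA_CRYPT_IDS = {"5": "sha256crypt", "6": "sha512crypt"}
BCRYPT_IDS = {"2a", "2b", "2y"}
DEFAULT_SHA_CRYPT_ROUNDS = 5000  # applies when "rounds=" is omitted
MIN_ROUNDS = 7500                # policy threshold (assumption): the forum's setting


def _salt_bits(salt):
    # Each salt character carries at most 6 bits; round down to whole bytes.
    return len(salt) * 6 // 8 * 8


def parse_hash(stored):
    """Describe one stored hash string: scheme, work factor, salt size."""
    info = {"scheme": "unknown", "equiv_rounds": 0, "salt_bits": 0}
    if re.fullmatch(r"[0-9a-fA-F]{40}", stored):
        # Bare 40-hex-digit digest: one fast SHA-1 call, no embedded salt.
        info.update(scheme="sha1-hex", equiv_rounds=1)
        return info
    parts = stored.split("$")
    if len(parts) < 4 or parts[0] != "":
        return info
    ident = parts[1]
    try:
        if ident in SHA_CRYPT_IDS:
            if parts[2].startswith("rounds="):
                if len(parts) < 5:
                    return info
                rounds, salt = int(parts[2][len("rounds="):]), parts[3]
            else:
                rounds, salt = DEFAULT_SHA_CRYPT_ROUNDS, parts[2]
            info.update(scheme=SHA_CRYPT_IDS[ident], equiv_rounds=rounds,
                        salt_bits=_salt_bits(salt))
        elif ident in BCRYPT_IDS:
            # bcrypt: two-digit cost, then 22 salt chars followed by the digest.
            cost, salt = int(parts[2]), parts[3][:22]
            info.update(scheme="bcrypt", equiv_rounds=2 ** cost,
                        salt_bits=_salt_bits(salt))
    except ValueError:
        pass  # malformed rounds/cost field: leave the entry as "unknown"
    return info


def classify(info, min_rounds=MIN_ROUNDS):
    """Turn parsed hash metadata into an audit verdict."""
    if info["scheme"] == "unknown":
        return "unrecognised"
    if info["scheme"] == "sha1-hex":
        return "legacy-fast-hash"
    if info["equiv_rounds"] < min_rounds:
        return "below-policy"
    return "ok"


def audit(records, min_rounds=MIN_ROUNDS):
    """Map each user to the verdict for their stored hash."""
    return {user: classify(parse_hash(h), min_rounds)
            for user, h in records.items()}


# Constructed sample records (no real hashes).
SAMPLE = {
    "alice": "$5$rounds=7500$" + "A" * 16 + "$" + "B" * 43,
    "bob": "$2b$10$" + "C" * 22 + "D" * 31,
    "carol": "ab" * 20,
    "dave": "not-a-hash",
    "erin": "$5$" + "E" * 16 + "$" + "F" * 43,
}

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE).items():
        print(user, parse_hash(SAMPLE[user]), verdict)
```
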


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: JeffBrad12 on September 06, 2016, 06:41:52 AM
This just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on dark net. A hacker going by DoubleFlag, is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."



Oh no, I think if they sell it, it cause big in bitcoin community because many earners are earning here in bitcointalk by services like selling their accounts, by joining signature campaign and many more. What is the action of theymos now? And what should we do now have accounts in bitcointalk?

99% of the users are safe. (Not 99. But a lot.) The passwords were encrypted with 5 rounds & used strong encryption algorithms. Many passwords will never be cracked or aren't worth the time to crack.
The Quantum computing  8),
Well, the question is why is the hacker just releasing the data a few days ago? Does anyone know the reason? Considering your explanation I think that it is safe at this time.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Robert_A on September 06, 2016, 06:49:31 AM
The forum's hashes, while not uncrackable given weak passwords, are far stronger than those used by almost every other site.

I guess I'd agree with that. I think that one extra step of security would be to have implemented a custom salt for every user's password which would increase the difficulty of increasing the passwords.
Also, from StackOverflow:

Quote
Bcrypt really shines for online attacks, if you have set the work factor properly, because even if I get the hash, meant to say if the 'adversary' gets the hash, the work factor makes it really painful to go through an entire dictionary, taking multiple days and if the password isn't in the dictionary, then I'm really in trouble cause a brute force attack will be epic, the password bit space for bcrypt is quite large though finite :)

Sha256 may be taking a bit of time now, but eventually computers will get faster and faster and it'll be fairly easy for attacks, the unix guys thought crypt was so slow it would have never being an issue, and today I have done an online attack in seconds, offline attack in days, a brute force attack (going through the entire password bit space) in weeks ...

Quote from: theymos
The forum uses sha256crypt with rounds=7500

Not all of the passwords in the database leak had that encryption :p

At the end of the day, you could implement the strongest algorithm but if users are stupid enough to use their password more than once and even worse, on a site that stores passwords in plaintext or in a weak algorithm like message digest 5 (MD5), they deserve to be hacked. Like honestly how hard is it to use a different password by even changing 1-2 parts of your password.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: ivanst776 on September 06, 2016, 07:08:08 AM
Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.

I wouldn't be so sure about your last statement, if they don't know what an encrypted password is they could search in google.

And as Robert_A says it takes only few seconds to decrypt a password so it's not difficult to get the password in the 'plain text'

The price of 1BTC seems very cheap to me, for the hacker is needed only one or two legendary accounts to hack and reach the ROI very fast(badly).


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: mjsbuddha on September 06, 2016, 07:10:53 AM
Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.

I wouldn't be so sure about your last statement, if they don't know what an encrypted password is they could search in google.

And as Robert_A says it takes only few seconds to decrypt a password so it's not difficult to get the password in the 'plain text'

The price of 1BTC seems very cheap to me, for the hacker is needed only one or two legendary accounts to hack and reach the ROI very fast(badly).

He said a few seconds to decrypt a password that has NUMBERS in it only. Those are easy to crack because it's not hard to go through every possible number combination between 1-10 digits. Also, it's not easy to reach ROI now as people are very sceptical when it comes to dealing with people, even legendary accounts. Of course, if you plan it out and get a big scam all ready to go then bad luck to everyone else.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: doublemore on September 06, 2016, 07:13:44 AM

I think someone got one of my emails at some point but it could also be via the mtgox leak.  I had a few random login attempts with 1 successful to a shitty twitter account I don't use.  All passwords have been changed and I 2FA everything I can.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: jackg on September 06, 2016, 07:15:52 AM
To clarify, they're selling SHA256 passwords? Hashed passwords! There is great difficulty in converting several hundred thousand of these in one go and highly trusted members may change passwords often so little money can be gotten from this.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: ObscureBean on September 06, 2016, 07:43:44 AM
I don't see why we should be worried, I know I'm not. Let him do what he will with the data, if he's able to get the 1 BTC he's asking for it then good for him. There is nothing that can be done at this point anyway other than changing passwords and making sure email accounts are secured with 2FA. No sense in losing sleep over this if you ask me.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: theymos on September 06, 2016, 07:44:46 AM
I think that one extra step of security would be to have implemented a custom salt for every users password

Each hash has a unique 12-byte salt.

Quote
Also, from StackOverflow:

That's the same nonsense I was responding to.

Quote
Not all of the passwords in the database leak had that encryption :p

It's impossible to upgrade a user's hash until they log in, since their password isn't known. Those users never logged in since the hash algorithm was upgraded several years ago.
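
An added sketch (not the forum's code, and not part of the original post) of the upgrade-on-login pattern described above: the server can only re-hash at the moment a user presents the correct password, so accounts that never log in keep their old hash. Assumptions: the legacy scheme is modelled as an unsalted SHA-1 hex digest, PBKDF2-HMAC-SHA256 from the Python standard library stands in for sha256crypt, and the `$pbkdf2-sha256$...` storage format, user names and passwords are made up for the example.

```python
import hashlib
import hmac
import os

ROUNDS = 7500                 # iteration count, borrowed from the thread's rounds=7500
STRONG_PREFIX = "$pbkdf2-sha256$"  # hypothetical storage format for this example


def legacy_hash(password):
    """Legacy scheme (assumption): unsalted SHA-1 hex digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Salted, iterated hash; a fresh 12-byte salt per user by default."""
    salt = salt or os.urandom(12)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return "%s%d$%s$%s" % (STRONG_PREFIX, ROUNDS, salt.hex(), dk.hex())


def verify(password, stored):
    """Check a password against either stored format in constant time."""
    if stored.startswith(STRONG_PREFIX):
        _, _, rounds, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_hash(password), stored)


def login(db, user, password):
    """Authenticate; on success, replace a legacy hash with a strong one."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith(STRONG_PREFIX):
        # The plaintext is only available here, so this is the only
        # point at which the stored hash can be upgraded.
        db[user] = strong_hash(password)
    return True


def still_legacy(db):
    """Accounts whose hash could not be upgraded because nobody logged in."""
    return sorted(u for u, h in db.items() if not h.startswith(STRONG_PREFIX))


def demo():
    # Constructed user table: both accounts start on the legacy scheme.
    db = {"active_user": legacy_hash("correct horse"),
          "dormant_user": legacy_hash("hunter2")}
    login(db, "active_user", "correct horse")   # upgrades this account
    login(db, "dormant_user", "wrong guess")    # failed login: no upgrade
    return db


if __name__ == "__main__":
    print(still_legacy(demo()))
```

The accounts returned by `still_legacy` are the ones that would appear in a dump with the older algorithm; a site can shrink that set by expiring dormant accounts' hashes and requiring a password reset by e-mail.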


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: mjsbuddha on September 06, 2016, 07:46:09 AM
I think that one extra step of security would be to have implemented a custom salt for every users password

Each hash has a unique 12-byte salt.

Quote
Also, from StackOverflow:

That's the same nonsense I was responding to.

Quote
Not all of the passwords in the database leak had that encryption :p

It's impossible to upgrade a user's hash until they log in, since their password isn't known. Those users never logged in since the hash algorithm was upgraded several years ago.

What year did you change the hashing algorithm? From what I saw in the database some users who didn't logon after 2012 were not in it.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: theymos on September 06, 2016, 07:52:07 AM
What year did you change the hashing algorithm? From what I saw in the database some users who didn't logon after 2012 were not in it.

July 2012.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: davis196 on September 06, 2016, 07:53:57 AM
This just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on dark net. A hacker going by DoubleFlag, is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."



Damn, I guess I will have to change my password to make sure everything is fine.

And damn, this might have an impact over the entire bitcoin community or over the bitcoin price.

My account is created back in December 2015, the hack is on May 2015. I'm safe, I guess.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: BitcoinSupremo on September 06, 2016, 08:01:13 AM
I am not worried as my account is created in beginning of February but anyway my email is secured with 2FA and everywhere where is possible in my online accounts I always add 2FA.
If the users feel worried about their accounts they can always change the password of the account, change the password of the email, add a security question here (which I honestly cannot understand why is not recommended when you do it in a right way, add it on a PC you know its super safe) and the problem is solved. I guess that Doubleflag will not get the bitcoin he is asking.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: 2legit2 on September 06, 2016, 03:04:31 PM
To clarify, they're selling SHA256 passwords? Hashed passwords! There is great difficulty in converting several hundred thousand of these in one go and highly trusted members may change passwords often so little money can be gotten from this.
yeah to be honest it would be really hard to get the passwords then i think we are safe but we most probably should change passwords


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: amacar2 on September 06, 2016, 03:32:29 PM
As the password is hashed with sha256, then I think it will take too long for anyone to decrypt one password which will certainly not be profitable to hacker by any means. The only reason some may buy this is to grab email list of bitcoin users to promote some shitty/scam/ponzi/phishing products in future.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: yayayo on September 06, 2016, 04:56:33 PM
The hack was already discovered shortly after it happened. I think theymos urged all users to change their passwords. At least I did. Besides that I think all users that follow best security practices - which means randomly generated, long passwords with special characters - are safe anyway. In my opinion the database has been finally posted, because the hacker has extracted all passwords that he could find and now dumps the useless rest of the db.

Given the high number of users here it's pretty clear that the hacker was able to obtain several passwords which of course is bad news, because it encourages further hacking attempts. Bitcointalk is an attractive target because trusted accounts can be easily used to defraud users. Hopefully the affected users have learned their lesson and are now using safe passwords.

ya.ya.yo!


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Kprawn on September 06, 2016, 05:43:27 PM
It sucks to continuously change passwords, but it's worth the time and effort spent on that, if you compare that to the time and effort it took you to build a reputation and a higher rank over the years you spend on this forum. Is Satoshi's account one of the affected users, or is his account disabled? Well, time to change my password again.  ::)


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Tyrantt on September 06, 2016, 05:46:12 PM
if you ask me, he can take my encrypted password and shove it up his ass.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: jackg on September 06, 2016, 08:56:56 PM
It sucks to continuously change passwords, but it's worth the time and effort spent on that, if you compare that to the time and effort it took you to build a reputation and a higher rank over the years you spend on this forum. Is Satoshi's account one of the affected users, or is his account disabled? Well, time to change my password again.  ::)

That's inaccurate.
No passwords in their raw form can really be taken, if they could, the bitcoin network would've already failed.
Like how private keys are hashes of specific things and they are almost impossible to break. Breaking these encrypted passwords would take lots of "brute force" to do it.

Instead of questioning if satoshi is one of the affected members, maybe try to find if the admins were breached of this issue? Even though they will change their passwords often (probably) it cannot be ruled out that their passwords are also being sold here.

If you pay attention to this:
What year did you change the hashing algorithm? From what I saw in the database some users who didn't logon after 2012 were not in it.

July 2012.
He last logged in in December 2010! Definitely before that time so he's not on that database.



To clarify, they're selling SHA256 passwords? Hashed passwords! There is great difficulty in converting several hundred thousand of these in one go and highly trusted members may change passwords often so little money can be gotten from this.
yeah to be honest it would be really hard to get the passwords then i think we are safe but we most probably should change passwords
Not probably, but i think you must change the password. The hacker might compare hashed password with SHA-256 database or have hints such as birth date, hobby, etc.
There are some account hacked because this leaked password, you might check this thread if you're curious : https://bitcointalk.org/index.php?topic=1544686.0

What you have to think is, why would he sell these for only 1BTC. and So late on. As if he can't really be bothered with this thing and is probably not even selling the right hashed passwords.

There's also bitcoin address staking that comes into account here as you will still be able to recover accounts that have their passwords compromised.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Wind_FURY on September 07, 2016, 05:20:34 AM
Isn't it strange that we are getting DDOSed after this news? Is it just coincidence or is someone or there is a group out there attacking BTC? Are there people out there that hate this community?


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: JeffBrad12 on September 07, 2016, 07:44:04 AM
Isn't it strange that we are getting DDOSed after this news? Is it just coincidence or is someone or there is a group out there attacking BTC? Are there people out there that hate this community?
I don't think so, I doubt for defining where from the attack is coming, and what the aim of attacking this site, but I hope will never getting attack again.



Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: ImHash on September 07, 2016, 07:59:03 AM
I think they are using the stolen data to attack the forum.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Betwrong on September 07, 2016, 08:20:56 AM
if you ask me, he can take my encrypted password and shove it up his ass.

Thanks for this comment, I laughed.  :) I have read all the comments above and I think this comment sums them up perfectly.

Stealing is wrong btw, too bad some people do not realize that when they are stealing it's bad for them in the first place.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: coynedterm on September 07, 2016, 08:32:15 AM
This just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on dark net. A hacker going by DoubleFlag, is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."



No problem if anyone collect our data because I don't put any sensitive data on any site and better if they could send few bitcoin in my wallet.... just kidding. But honestly why they are worried about this platform. We can earn from here so why should they attack bitcointalk. If they have allergic to bitcointalk then they could jump from 5th storey and die.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: ethereumhunter on September 07, 2016, 09:26:56 AM
i can not imagine how to do that, cracked password is far beyond from my imagination and i can not figure out how to do that. i hope that bitcointalk will be fine and will be ok, for the forum and for the member especially. and i hope nothing will be happen with bitcoin community and we should not be worried.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: springgers on September 07, 2016, 10:39:19 AM
I suppose everyone already considered the data compromised even if they did not see it officially on sale, I changed my passwords after every recent issue occurring in BCT as well as the CEX.IO data compromise and I changed all the passwords used on these sites. I think everyone should do that as well.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: pearnapple on September 07, 2016, 06:39:50 PM
i can not imagine how to do that, cracked password is far beyond from my imagination and i can not figure out how to do that. i hope that bitcointalk will be fine and will be ok, for the forum and for the member especially. and i hope nothing will be happen with bitcoin community and we should not be worried.
in my opinion no one is going to crack it any time soon, in order to be really safe i think that it would be better to just change your password


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: jackg on September 08, 2016, 11:59:42 PM
i can not imagine how to do that, cracked password is far beyond from my imagination and i can not figure out how to do that. i hope that bitcointalk will be fine and will be ok, for the forum and for the member especially. and i hope nothing will be happen with bitcoin community and we should not be worried.
in my opinion no one is going to crack it any time soon, in order to be really safe i think that it would be better to just change your password

There's not really much danger if you don't though.
It is designed to be impossible to crack and it will be almost impossible to crack. There will be some ways of cracking it (mainly brute-force to get it). Maybe with a high qubit computer you could do it but they are probably more expensive than useful for this.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Rinder on September 09, 2016, 12:06:45 AM
So looks like the attack were something personal or some competitor trying to put bitcointalk down, it's insane, since the hack several hacked accounts had been sold and hacked, I do hope this won't affect the current accounts.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Teraboy on September 09, 2016, 02:52:21 AM
So it looks like the attack was something personal or some competitor trying to put bitcointalk down. It's insane; since the hack several hacked accounts have been sold and hacked. I do hope this won't affect the current accounts.
But hacked accounts are already being sold at this time. The data of Bitcointalk really was hacked in May of the past year, and we know from some news that the hacker started selling the data a few days ago and that the data is encrypted with the SHA-256 algorithm. But what I hate is that the DDoS can make the site go down for several hours. It would be better to change your password at this time to avoid something worse.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Wind_FURY on September 09, 2016, 04:05:18 AM
I suppose everyone already considered the data compromised even if they did not see it officially on sale, I changed my passwords after every recent issue occurring in BCT as well as the CEX.IO data compromise and I changed all the passwords used on these sites. I think everyone should do that as well.

cex.io was hacked? I have not heard about this. Please post more details about it and when it happened. To my knowledge I have not heard or seen any hacks that involved cex.io funds being stolen.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: pooya87 on September 09, 2016, 05:18:50 AM
I suppose everyone already considered the data compromised even if they did not see it officially on sale, I changed my passwords after every recent issue occurring in BCT as well as the CEX.IO data compromise and I changed all the passwords used on these sites. I think everyone should do that as well.

cex.io was hacked? I have not heard about this. Please post more details about it and when it happened. To my knowledge I have not heard or seen any hacks that involved cex.io funds being stolen.

Account hack is different from the site itself being hacked (although it seems like cex.io was hacked in 2013 (https://bitcointalk.org/index.php?topic=365103.0)), but I think he is talking about his own account being compromised, and most of the Google results about cex.io hack also suggest that.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Cashew on September 09, 2016, 05:30:26 AM
Very useful information mate! There should be a sticky somewhere or a message like the one that announces new versions of Bitcoin Core. My password has 60~70 bits of entropy, so that's definitively not worth trying to crack it.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Zadicar on September 09, 2016, 09:41:47 AM
I cannot imagine how to do that; cracking a password is far beyond my imagination and I cannot figure out how to do it. I hope that bitcointalk will be fine and will be OK, for the forum and especially for the members. And I hope nothing will happen to the bitcoin community and we should not be worried.

Cracking passwords would be difficult for the hackers since it was encrypted, same as others said that you would need a supercomputer to crack it. I guess it's up to you if you change your password as of now, since it's a little bit worrying for us that our account could possibly be compromised and possibly taken by someone.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: abayan on September 09, 2016, 09:50:32 AM
I cannot imagine how to do that; cracking a password is far beyond my imagination and I cannot figure out how to do it. I hope that bitcointalk will be fine and will be OK, for the forum and especially for the members. And I hope nothing will happen to the bitcoin community and we should not be worried.

Cracking passwords would be difficult for the hackers since it was encrypted, same as others said that you would need a supercomputer to crack it. I guess it's up to you if you change your password as of now, since it's a little bit worrying for us that our account could possibly be compromised and possibly taken by someone.

I agree. I also read this news a day ago, then I started to change my password on all of my most visited websites and some important websites just to play safe. But if it is really true then I should worry about it. :(


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: pandalion98 on September 09, 2016, 10:14:11 AM
~snip~

Instead of questioning if satoshi is one of the affected members, maybe try to find if the admins were breached of this issue? Even though they will change their passwords often (probably) it cannot be ruled out that their passwords are also being sold here.

If you pay attention to this:
What year did you change the hashing algorithm? From what I saw in the database some users who didn't logon after 2012 were not in it.

July 2012.
He last logged in in December 2010! Definitely before that time so he's not on that database.
As far as I know, Satoshi's account is disabled until someone can positively identify themselves as Satoshi (PGP/GPG, etc.). Until then, no one can use that account.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: MONKEYJUNK on September 09, 2016, 10:20:44 AM
'To break it down, there are 469,540 passwords that have been encrypted with SHA-256, and 44,868 passwords encrypted with SMF encryption.'

Incorrect.

So it's a fake article?
Should we change the password or not?

It will be very helpful if the forum implements a 2FA or something like that...


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Pattberry on September 09, 2016, 12:24:34 PM
Something must be done to put an end to this hacking thing going around the corner.

Are you kidding me, how would you do that? Hacking attempts are part and parcel of this virtual world; you either take good care of what you do online and be careful on what sites you share the same username and password. I don't expect the admin over here to take care of security very much, they are just running this forum as it is. I understand how difficult a task it is to maintain this kind of traffic in here. But you could always improve the security of this site.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: bitcapitalist on September 09, 2016, 12:27:10 PM
Change your password and make sure you don't use it with another service, that's all.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Sharma on September 09, 2016, 12:29:44 PM
'To break it down, there are 469,540 passwords that have been encrypted with SHA-256, and 44,868 passwords encrypted with SMF encryption.'

Incorrect.

So it's a fake article?
Should we change the password or not?

It will be very helpful if the forum implements a 2FA or something like that...
If we were required to change password, the forum admin or staff should have intimated this to us through a general notice. Since there is no such announcement, I don't think we should worry, although changing passwords periodically is a good practice.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: jackg on September 09, 2016, 07:29:31 PM
'To break it down, there are 469,540 passwords that have been encrypted with SHA-256, and 44,868 passwords encrypted with SMF encryption.'

Incorrect.

So it's a fake article?
Should we change the password or not?

It will be very helpful if the forum implements a 2FA or something like that...
If we were required to change password, the forum admin or staff should have intimated this to us through a general notice. Since there is no such announcement, I don't think we should worry, although changing passwords periodically is a good practice.

Or just try to strengthen current ones.
It's hard to reverse the hashed passwords anyway. And I'm also informed that the usernames and emails are also hashed, making it extremely difficult.
You are probably correct, if there was any serious threat, it'd be reported in the message section (the part that states the "latest stable version of bitcoin core").


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Youresioure on September 09, 2016, 07:36:22 PM
I wasn't here that time so I'm not worried about it, but since you're advised to change your log in data regularly and if there's such a security event, with extra caution, I think everyone with at least basic caution's changed their data already.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: shinratensei_ on September 10, 2016, 02:36:08 AM
'To break it down, there are 469,540 passwords that have been encrypted with SHA-256, and 44,868 passwords encrypted with SMF encryption.'

Incorrect.

So it's a fake article?
Should we change the password or not?

It will be very helpful if the forum implements a 2FA or something like that...
It's not a fake article; I believe it is real, since in May 2015 Bitcointalk did get hacked and some of their database was stolen, and if you visit another sub-forum here you will see there are people selling accounts from the hacked database.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: BitcoinHunt3r on September 10, 2016, 04:19:41 AM
Change your password and make sure you don't use it with another service, that's all.
Yeah, it is better to keep our accounts secured by ourselves. Changing our passwords periodically is good advice, and don't forget to use 2FA on every account if that is possible.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: west man4 on September 10, 2016, 04:24:22 AM
My account was hacked but i can not get an email to get it back, they changed the email account?  :'(
Have no staked address that can sign a message from.
So what are my options here?

My account is west man!

Please someone help because the ones I have pm'd are not responding anymore.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: hajimasan on September 10, 2016, 04:34:22 AM
This just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on dark net. A hacker going by DoubleFlag, is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."


Earlier I thought that the news of the DDoS attack on the bitcointalk.org forum was fake news, but today, half an hour ago, while replying to a post, I saw a news heading from this forum:

"News: Due to DDoS attacks, there may be periodic downtime."

Now I will suggest to everyone that they should change their password.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: pandalion98 on September 10, 2016, 04:40:25 AM
My account was hacked but i can not get an email to get it back, they changed the email account?  :'(
Have no staked address that can sign a message from.
So what are my options here?

My account is west man!

Please someone help because the ones I have pm'd are not responding anymore.

My account is satoshi! They disabled my account! It got stolen!
I have no staked address so I can't sign message. I PM'd theymos but he won't reply.
My account is satoshi!

See my point? Unfortunately, if you can't positively identify yourself as an owner of an account, you can't have it back basically.
I suggest you take this as a lesson learned the hard way. Stake a proof, be it an address or PGP signature or whatever. Keep them safe.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: beeframen on September 10, 2016, 06:47:58 AM
My account was hacked but i can not get an email to get it back, they changed the email account?  :'(
Have no staked address that can sign a message from.
So what are my options here?

My account is west man!

Please someone help because the ones I have pm'd are not responding anymore.

What rank dude? Senior or hero member? I think you are so unlucky. Hackers only want to hack high rank accounts. Very dangerous.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: wavespump on September 10, 2016, 06:50:34 AM
Is this news legit or fake? If the database was really leaked, theymos would announce it. He announced it in 2015 hack, so he is transparent about all hack cases. No need to hide if the forum is hacked.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: jackg on September 10, 2016, 11:21:40 AM
My account was hacked but i can not get an email to get it back, they changed the email account?  :'(
Have no staked address that can sign a message from.
So what are my options here?

My account is west man!

Please someone help because the ones I have pm'd are not responding anymore.

There isn't a way to recover it.
Admins state they only accept signed messages of staked addresses.
You may be able to recover it some other way such as proving ownership of the IP you reach this forum by (but that's unlikely)!


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: ihanaihana on September 10, 2016, 11:26:42 AM
My account was hacked but i can not get an email to get it back, they changed the email account?  :'(
Have no staked address that can sign a message from.
So what are my options here?

My account is west man!

Please someone help because the ones I have pm'd are not responding anymore.

There isn't a way to recover it.
Admins state they only accept signed messages of staked addresses.
You may be able to recover it some other way such as proving ownership of the IP you reach this forum by (but that's unlikely)!

It is illogical to be unable to recover the account; there is a secondary password. Other sites or forums have password recovery, and you can't change the email just by entering the password; there must be a confirmation from the old email to change to the new email.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: jackg on September 10, 2016, 11:31:17 AM
My account was hacked but i can not get an email to get it back, they changed the email account?  :'(
Have no staked address that can sign a message from.
So what are my options here?

My account is west man!

Please someone help because the ones I have pm'd are not responding anymore.

There isn't a way to recover it.
Admins state they only accept signed messages of staked addresses.
You may be able to recover it some other way such as proving ownership of the IP you reach this forum by (but that's unlikely)!

It is illogical to be unable to recover the account; there is a secondary password. Other sites or forums have password recovery, and you can't change the email just by entering the password; there must be a confirmation from the old email to change to the new email.

Yes, the secondary password is a staked address!
I doubt any other method of recovering the account has been put in place, as buying and selling of accounts is fully accepted here.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Jeremycoin on September 10, 2016, 01:13:58 PM
My account was hacked but i can not get an email to get it back, they changed the email account?  :'(
Have no staked address that can sign a message from.
So what are my options here?

My account is west man!

Please someone help because the ones I have pm'd are not responding anymore.

This is probably the main problem of Bitcointalk account security: people can easily change their email without any notification/permission from the old email. I think this should be fixed because in my opinion email is the last way for the users to recover their account, because usually people will have good security on their email address and most email services will require the users to have a very strong password and even 2FA.


Title: Re: Hacked BitcoinTalk Data Finally Surfaces On Dark Net
Post by: Labumi on September 10, 2016, 01:16:09 PM
My account was hacked but i can not get an email to get it back, they changed the email account?  :'(
Have no staked address that can sign a message from.
So what are my options here?

My account is west man!

Please someone help because the ones I have pm'd are not responding anymore.

This is probably the main problem of Bitcointalk account security: people can easily change their email without any notification/permission from the old email. I think this should be fixed because in my opinion email is the last way for the users to recover their account, because usually people will have good security on their email address and most email services will require the users to have a very strong password and even 2FA.

That is certainly true. This is a big problem for all users with a Bitcointalk account. However, I think that if it does happen, the Bitcointalk admins definitely have an effective way of recovering our accounts affected by the hacking, because I see that every single thing we do in the forums is always recorded by the system.