Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Chick on June 19, 2011, 08:03:34 PM



Title: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 19, 2011, 08:03:34 PM
I do not know if this is real or fake. However, this is a direct download link that I hosted. Please comment...

http://bit.ly/kE3Q4D (http://bit.ly/kE3Q4D)

[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNT CSV
Post by: Durr on June 19, 2011, 08:07:00 PM
It's amazing how small the market is really, just 60k people. wtf.


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: AtlasONo on June 19, 2011, 08:13:23 PM
UPDATE REGARDING LEAKED ACCOUNT INFORMATION

We will address this issue too and prevent logins from each user. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to log in on Mt.Gox until you change your password to something more secure. If you used the same password in different places, it is recommended to change it as soon as possible.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: kjj on June 19, 2011, 08:16:27 PM
For more amusement, compare your place in the list to how recently you signed up.

I'm about 10,000 in, so ~50,000 have signed up in the last month.


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNT CSV
Post by: FuzzyCoins on June 19, 2011, 08:19:21 PM
It's amazing how small the market is really, just 60k people. wtf.
Also interesting is how the number of traders is exploding. I started this about 2 weeks ago and I am at position 28k in the 60k list, meaning that the number of traders has more than doubled in the last few weeks.


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: RandyMarsh on June 19, 2011, 08:23:06 PM
If they can't get the passwords because they're hashed, then... ummm, how did they do it?


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNT CSV
Post by: qwk on June 19, 2011, 08:23:28 PM
It's amazing how small the market is really, just 60k people. wtf.

When you have a closer look, there are a lot of accounts with the same email address. That means there are even fewer actual people in the market.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: shakaru on June 19, 2011, 08:26:35 PM
F*$% THIS.

You know, I had a lot of faith in Mtgox, even when a lot of dumb-ass conspiracy theories started to pop up.
Now, seeing my email and login info, I'm done. That's a 100% die-hard supporter to 100% against using Mt Gox.

I want my money and I want it now!


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: Yeti on June 19, 2011, 08:28:14 PM
Affirmative. Found my account info and all my friends in the file. Mt Gox needs to come online asap so I can change my password! I have no e-mail to reset it ... :-(


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: Durr on June 19, 2011, 08:30:27 PM
If they can't get the passwords because they're hashed, then... ummm, how did they do it?

What do you think Bitcoin miners are doing? Cracking hashes.

What do you think the passwords are protected with? Hashes.

So it's easy to crack hashed passwords; it takes a few minutes per password. As long as it takes to crack a new Bitcoin block (about 10 minutes) is how long it takes to crack a hashed password.


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: speeder on June 19, 2011, 08:31:08 PM
I am around 4k!

And I joined in April


Now can someone take that data and calculate how fast bitcoin is growing? (Come on, let's at least make something useful with the data :/ like seeing the good side of bad things.)


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: MyFarm on June 19, 2011, 08:33:07 PM
I hope you guys are interested in buying Viagra and increasing the size of your penis.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: walidzohair on June 19, 2011, 08:37:37 PM
Well, the even more amazing thing is that I discovered we now have (this topic is off your limit) in the bitcoin forum.

Is the bitcoin falling after Satoshi (Alias) stepped out?

Anyway, that is what I got:

An Error Has Occurred!
The topic or board you are looking for appears to be either missing or off limits to you.

After I tried to access this post

http://forum.bitcoin.org/index.php?topic=19543.0

which has been referred to in the Mt.Gox temp support page!

https://support.mtgox.com/access/unauthenticated?return_to=https%3A%2F%2Fsupport.mtgox.com%2Fentries%2F20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

I am against the market crash but I am also interested in seeing how (roll back) can be done.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: S3052 on June 19, 2011, 08:40:45 PM
I do not know if this is real or fake. However, this is a direct download link that I hosted. Please comment...

http://bit.ly/kE3Q4D (http://bit.ly/kE3Q4D)

[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]

I can't believe that.

It is completely against every privacy consideration that this file is openly distributed.


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: foo on June 19, 2011, 08:41:09 PM
If they can't get the passwords because they're hashed, then... ummm, how did they do it?
So it's easy to crack hashed passwords, takes a few minutes per password
Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: myrkul on June 19, 2011, 08:41:57 PM
Oh goody. I do love spam. Thanks, Mt. Gox. Ah well. At least they were hashed, so the actual passwords didn't get leaked, and I didn't use the same password for my email, anyway, so that's safe. But I was kind of enjoying the obscurity of that email. :(

So, a big step better than Sony, but I am curious: how did they get that DB in the first place?


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: foo on June 19, 2011, 08:42:25 PM
I do not know if this is real or fake. However, this is a direct download link that I hosted. Please comment...

http://bit.ly/kE3Q4D (http://bit.ly/kE3Q4D)

[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]

I can't believe that.

It is completely against every privacy consideration that this file is openly distributed.

The genie is out of the bottle, trying to stuff it back in isn't going to work.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 19, 2011, 08:43:23 PM
I do not know if this is real or fake. However, this is a direct download link that I hosted. Please comment...

http://bit.ly/kE3Q4D (http://bit.ly/kE3Q4D)

[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]

I can't believe that.

It is completely against every privacy consideration that this file is openly distributed.


This is already out there. Torrent sites, rapidshare, etc. There is nothing we can do.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: BioMike on June 19, 2011, 08:44:26 PM
I hope you guys are interested in buying Viagra and increasing the size of your penis.

If we can pay with bitcoins ;)


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: enmaku on June 19, 2011, 08:47:06 PM
I am around 4k!

And I joined in April


Now can someone take that data and calculate how fast bitcoin is growing? (Come on, let's at least make something useful with the data :/ like seeing the good side of bad things.)

This.

Also, it's pretty scary to see my username, email address and password hash in the big list too but there are still a few questions that remain.

Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base 64 encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time but I'm kind of hoping that someone else already has :)

The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV.

Really though I'm with speeder, let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Yeti on June 19, 2011, 08:48:14 PM
PHP crypt, CRYPT_MD5: http://php.net/crypt


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: Chick on June 19, 2011, 08:48:36 PM
I am around 4k!

And I joined in April


Now can someone take that data and calculate how fast bitcoin is growing? (Come on, let's at least make something useful with the data :/ like seeing the good side of bad things.)

This.

Also, it's pretty scary to see my username, email address and password hash in the big list too but there are still a few questions that remain.

Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base 64 encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time but I'm kind of hoping that someone else already has :)

The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV.

Really though I'm with speeder, let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.

This is really bad... I cracked a few passwords using JohnTheRipper...


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: cypherdoc on June 19, 2011, 08:49:13 PM
If they can't get the passwords because they're hashed, then... ummm, how did they do it?

What do you think Bitcoin miners are doing? Cracking hashes.

What do you think the passwords are protected with? Hashes.

So it's easy to crack hashed passwords; it takes a few minutes per password. As long as it takes to crack a new Bitcoin block (about 10 minutes) is how long it takes to crack a hashed password.

That's bullshit, you ass. Miners are brute-forcing to attempt to come up with a number below the target hash. Hashes are unbreakable and cannot be reconstructed back into the original password.


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: enmaku on June 19, 2011, 08:51:06 PM
If they can't get the passwords because they're hashed, then... ummm, how did they do it?
So it's easy to crack hashed passwords, takes a few minutes per password
Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.

Which is why we salt passwords before hashing them. It might take seconds to find "monkey" but it'll take ages to find "monkeyefweug#%_#Tsafwef24g" and the user doesn't have to remember that second part. Really if the database is compromised the salt is in there with the hash so it doesn't help much but it DOES at least make it so that two people using the same password won't both be compromised by simply compromising one of them. It also makes "rainbow tables" (giant tables of common passwords and what they hash to) ineffective.


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: myrkul on June 19, 2011, 08:55:49 PM
This is really bad... I cracked a few passwords using JohnTheRipper...

I have never been so glad to be broke.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: kseistrup on June 19, 2011, 08:56:19 PM

I am curious, how did they get that DB in the first place?

+1



Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: myrkul on June 19, 2011, 09:04:07 PM

I am curious, how did they get that DB in the first place?

+1


Turns out:
SQL Injection.

Sanitize your inputs, kiddies!


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: NO_SLAVE on June 19, 2011, 09:10:46 PM

Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.

Wow, glad I changed my password to "efweug#%_#Tsafwef24g" just 2 days ago!


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: bitcoinminer on June 19, 2011, 09:11:12 PM
Wow. Talk about fucked. I second the previous notion of "glad I'm broke".


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: hiVe on June 19, 2011, 09:12:11 PM
Nice one, it's legit! :) I'm surprised. Gotta give it to them. BTW, where did the OP find this? Google? :D


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: gigitrix on June 19, 2011, 09:14:53 PM
Interesting to note the malformed records which suggest SQL injection attacks of such simplicity that an 8-year-old 4channer with an automated pentest program could get in. I have only once traded using mtgox, but I'm seriously ticked off right now. I'm seriously angry that MtGox was trusted with so many people's money, was so central to bitcoin itself. As a fellow PHP developer I feel ashamed that people like MtGox bring the rest of us down, making us look like 14-year-old script kiddies. I'm ashamed that they have not learned the rudimentary techniques that would be the first lesson in how to successfully secure any website. I'm astounded that a website trading 30 million dollars of value every month is less secure than a web game I built when I was 15.

In particular, see these rows (pasted from the CSV opened in OpenOffice, so it's turned into tab separation; I will add to this as I find more):



12558hehehe\'000)waitfor delay\'0:$1$ldybUNj/$jZ5XJRWM8DsOTM3FU9TyN0
12557hehehe\'00)waitfor delay\'0:0:$1$TVk6yuVk$IKj5636wmFDwul0J2mtw8.
30306yui9&^&%$1$tRf6y.pr$EWaJXMzwRfyXvq5zI3.y..


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: bitclown on June 19, 2011, 09:16:25 PM
Stopped trading on Empty Gox two weeks ago due to the increasing reports of compromised accounts. I certainly can't see myself going back to trusting Magical Tux' PHP skills with my money after this.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: jondecker76 on June 19, 2011, 09:18:06 PM
There is a good number of us (meaning good, honest bitcoin users and supporters) that have been reporting that we had BTC stolen for a while now, but they kept denying our claims and blaming us.

I sincerely hope they plan on reimbursing us (I mean come on, it's only 20.19 BTC in my case)



Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: CharlieContent on June 19, 2011, 09:23:37 PM
These fucking clowns should have stuck to selling magic the gathering cards.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Durr on June 19, 2011, 09:25:25 PM
These fucking clowns should have stuck to selling magic the gathering cards.

true that :D


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Bazil on June 19, 2011, 09:28:09 PM
I don't know, I'd be more likely to trust mtgox after this. At least their problems are now known and will be fixed; who knows what the vulnerabilities of the other trade sites are? The only thing that annoys me about this is it publicizes everyone's email addys. Although once upon a time I made a blog from scratch, and I made better PW security than mtgox has; now that is sad.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: frozen on June 19, 2011, 09:36:00 PM
The good news about this event is that I believe it will lead to a more decentralized exchange setup.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: skerit on June 19, 2011, 09:38:49 PM
I'm number 905. Don't remember when I signed up really, but I only got into bitcoin once you could get bitcoins from Europe, which was pretty late in the game.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 19, 2011, 09:39:41 PM
These guys deserved to have their accounts hacked...


abcde:abcde
endeavormac:endeavormac
jallen:jallen
shecnu3:shecnu3
edocasper:edocasper
demodash:demodash
niky89:niky89
hehehe\':NO PASSWORD:$1$ZJVxD1Xi$8MuO2/IEK2ITAOiRVH8nD/::::::
bubbles:bubbles
kendomastr:kendomastr
BenCardwell1:bencardwell1
test23:test23
test2323:test2323
gibberish:gibberish
themandarax:themandarax
goodbrod:goodbrod
5FDERZ$:NO PASSWORD:$1$WV1exL20$LGjDyermelSynowyWSjaW0::::::
Pete Butter:butter
feefeefeefee:feefeefeefee
daniellobel:daniellobel
Phantom_Knight:phantom
25toro:25toro
sheef1:sheef1
yui9:NO PASSWORD:$1$tRf6y.pr$EWaJXMzwRfyXvq5zI3.y..::::::
Johnster:johnster
loppyer:loppyer
Amaresh:amaresh
MeinSeins@gmx.de:meinseins
faceb:faceb
mueller:mueller
heatherington:Heatherington
stupid!:stupid!
mintslice:mintslice
sfhdusfhd:sfhdusfhd
Qba-da-Intrepid:intrepid
monkeys:monkeys
robot:robot
twatty:twatty
Mr.LKS:Mr.LKS
xxxxx:xxxxx
xxxxxxxxx:xxxxx
1qayxcvbnm:1qayxcvbnm


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: myrkul on June 19, 2011, 09:49:44 PM
Give mine a shot. User ID 11195

I consider the account compromised anyway, and it's empty, regardless... But I would like a difficulty test on my password. Which, to be clear, is unique to Mt. Gox.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: IlbiStarz on June 19, 2011, 09:52:00 PM
Maybe this file is actually a virus/keylogger that will steal your wallet.dat or find your new password once Mt.Gox comes up again? That's the only thing preventing me from downloading this file.

Really tempted tho...

Or maybe I'm just stupid/paranoid.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 19, 2011, 09:54:07 PM
Maybe this file is actually a virus/keylogger that will steal your wallet.dat or find your new password once Mt.Gox comes up again? That's the only thing preventing me from downloading this file.

Really tempted tho...

Or maybe I'm just stupid/paranoid.

Dude, it's a fucking CSV file. Check the extension, open the URL up in Google Docs if you're too scared. :P


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: WiseOldOwl on June 19, 2011, 10:02:53 PM
I am not able to get the file. Has it been removed, or am I just having problems on my end?


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: cypherdoc on June 19, 2011, 10:04:58 PM
is there a way to "search" this csv list for my username instead of scrolling 60K names?


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: killer2021 on June 19, 2011, 10:07:04 PM
I changed my password the other day when someone said the account was hacked.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 19, 2011, 10:08:13 PM
is there a way to "search" this csv list for my username instead of scrolling 60K names?

Ctrl + Find. I opened it up in Google Docs.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: airdata on June 19, 2011, 10:10:01 PM
Oh... nice.. so much for anonymity

how easy is that password hash to crack?
 


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: MeowMixer on June 19, 2011, 10:12:11 PM
is there a way to "search" this csv list for my username instead of scrolling 60K names?
ctrl+f


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: bullox on June 19, 2011, 10:19:30 PM
So obviously it's MD5, and the salt is contained within the DB entry, but what method are they using to get the unicode characters back into hex strings that most password crackers utilize for reversing MD5?


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 19, 2011, 10:23:57 PM
So obviously it's MD5, and the salt is contained within the DB entry, but what method are they using to get the unicode characters back into hex strings that most password crackers utilize for reversing MD5?

I don't think they're salting their passwords.

I'm using John The Ripper to crack these worthless "123456" md5-crypt passwords.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: TheBitMan on June 19, 2011, 10:26:11 PM
I'm a member but I couldn't find mine ???


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: Batouzo on June 19, 2011, 10:30:07 PM
Which is why we salt passwords before hashing them. It might take seconds to find "monkey" but it'll take ages to find "monkeyefweug#%_#Tsafwef24g" and the user doesn't have to remember that second part. Really if the database is compromised the salt is in there with the hash so it doesn't help much but it DOES at least make it so that two people using the same password won't both be compromised by simply compromising one of them. It also makes "rainbow tables" (giant tables of common passwords and what they hash to) ineffective.

It depends - if (if, I'm not sure how this is in the case of mtgox) the entire user database was leaked, then usually you also have the salts for each user right there in the database.

On the other hand, if they coded it smartly, they also used an extra salt that is only in the source code and not in the database - that one should help indeed.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: DeiBellum on June 19, 2011, 10:34:21 PM
So, WTF happened to websites being responsible and hashing emails as well?

Just my .02btc


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Otoh on June 19, 2011, 10:35:11 PM
I do not know if this is real or fake. However, this is a direct download link that I hosted. Please comment...

http://bit.ly/kE3Q4D (http://bit.ly/kE3Q4D)

[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]

I can't believe that.

It is completely against every privacy consideration that this file is openly distributed.


Sig:
>12y experience in trading.
Donations accepted: 14TeeHy4igXUgfnjXmCFG5MwkcRKZRkprS

Please always do your own due diligence, and consult your financial advisor. Never invest unless you can afford to lose your entire investment.

http://twitter.com/BitcoinAnalyst

lols @ Sig irony


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: TheBitMan on June 19, 2011, 10:35:35 PM
is there a way to "search" this csv list for my username instead of scrolling 60K names?
control+f and type in :)


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Batouzo on June 19, 2011, 10:36:54 PM
So obviously it's MD5, and the salt is contained within the DB entry, but what method are they using to get the unicode characters back into hex strings that most password crackers utilize for reversing MD5?

Mother of god...

I'm usually coding a web game page (no money) more securely...


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: Caesium on June 19, 2011, 10:37:53 PM
On the other hand, if they coded it smartly, they also used an extra salt that is only in the source code and not in the database - that one should help indeed.

They didn't. My details are in there and I reproduced the hash for my password with the following perl:

#!/usr/bin/perl
use strict;
use warnings;
my $salt = '$1$SALT$'; # this is at the start of the salted password in accounts.csv; it's 8 alphanumeric characters (single quotes keep the $ signs literal)
my $pw = 'MY_PLAIN_PASSWORD'; # do this on a secure box, you're entering your password into a text editor.
my $encpw = crypt($pw, $salt); # crypt() with a "$1$" salt prefix selects the md5-crypt scheme
print "Encrypted password: $encpw\n";

Observe how the printed hash equals the bit after the salt in the accounts.csv. Thus no hidden salt or trickery.
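An added example, in Python, that is not code from the thread or from Mt. Gox: a from-scratch implementation of the md5-crypt scheme (the `$1$<salt>$<22 chars>` strings these rows contain, which is what PHP's and Perl's crypt() produce for a `$1$` salt), so the check Caesium describes can be repeated without a PHP or Perl install. It also sorts records into old-style unsalted MD5 versus md5-crypt, the distinction the thread draws between rows that do and do not start with `$`. The record layout (`id,username,hash`), the sample rows, the salt `ab/CD.12` and the passwords in them are all constructed for the demo; nothing here comes from the leaked file.

```python
# Added example (not from the thread or Mt. Gox): md5-crypt ("$1$") in pure
# Python, plus classification and verification of accounts.csv-style rows.
import hashlib
import hmac
import re

# crypt(3)'s own base-64 alphabet, least-significant 6 bits first.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MD5CRYPT_RE = re.compile(r"^\$1\$([^$]{1,8})\$([./0-9A-Za-z]{22})$")
PLAIN_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def _to64(value: int, count: int) -> bytes:
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD/PHP-compatible md5-crypt; salt is at most 8 bytes."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)              # len(password) bytes of the alt digest
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(password)                    # one byte per bit of the length
    while bit:
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                  # the 1000 stretching rounds
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = b""                          # reference byte order before encoding
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (b"$1$" + salt + b"$" + encoded).decode("ascii")


def classify_hash(stored: str) -> str:
    """'md5crypt' (salted, iterated), 'plain_md5' (old unsalted style) or 'unknown'."""
    if MD5CRYPT_RE.match(stored):
        return "md5crypt"
    if PLAIN_MD5_RE.match(stored):
        return "plain_md5"
    return "unknown"


def verify(password: str, stored: str) -> bool:
    """Recompute with the salt carried inside the stored string; compare in constant time."""
    pw = password.encode("utf-8")
    kind = classify_hash(stored)
    if kind == "md5crypt":
        salt = MD5CRYPT_RE.match(stored).group(1).encode("ascii")
        return hmac.compare_digest(md5crypt(pw, salt), stored)
    if kind == "plain_md5":
        return hmac.compare_digest(hashlib.md5(pw).hexdigest(), stored)
    return False


# Constructed rows in the id,username,hash shape (NOT rows from the leaked file).
SAMPLE_ROWS = [
    "642,olduser," + hashlib.md5(b"monkey").hexdigest(),
    "30306,newuser," + md5crypt(b"correct horse", b"ab/CD.12"),
]


def audit(rows):
    """Map account id -> hash kind, so legacy-hash accounts can be forced to reset."""
    report = {}
    for row in rows:
        uid, _user, stored = row.split(",", 2)
        report[uid] = classify_hash(stored)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
    print(verify("correct horse", SAMPLE_ROWS[1].split(",", 2)[2]))
```

`verify()` needs nothing but the stored string, because the salt sits inside it: that is why a leaked table of md5-crypt rows carries everything required to test a guess, and why a secret kept outside the database (the extra source-code salt discussed elsewhere in this thread, usually called a pepper) changes the picture. `audit()` is the defender's use of the same parsing: list which accounts still hold the unsalted 32-hex form and force those to reset first.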


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: PGPpfKkx on June 19, 2011, 10:38:20 PM
I changed my pass yesterday as well; can someone confirm the hack date???


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: kjj on June 19, 2011, 10:40:48 PM
I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: F104 on June 19, 2011, 10:43:19 PM
I am not as computer literate as most of you. I have some dumb questions. Please be patient with me.

1. Is the *only* data that has been lost the user names, email and hashed password? Is there any way these people can get at my wallet? (I had nothing at Mt. Gox so I have no worries about that)

2. Can they get at the account from which I sent money to Mt Gox?

3. How could this have happened? I expected a person handling this kind of money would be secured like my bank website. On the other hand, why did everyone trust him?

4. Is Mt. Gox giving any accountability such as taking steps to secure what information has not been lost yet?

5. Luckily I used my Mt Gox password only there. What steps should I take to secure other data I have?

thanks


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: myrkul on June 19, 2011, 10:45:43 PM
at least several months ago.

Need a date, man... That's way too vague.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: phelix on June 19, 2011, 10:49:46 PM
comes in handy: look up where you used your compromised password in the firefox saved passwords list  ;D

http://www.howtogeek.com/howto/ubuntu/find-a-forgotten-password-saved-in-firefox/


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 19, 2011, 10:52:47 PM
I am not as computer literate as most of you. I have some dumb questions. Please be patient with me.

1. Is the *only* data that has been lost the user names, email and hashed password? Is there any way these people can get at my wallet? (I had nothing at Mt. Gox so I have no worries about that)

2. Can they get at the account from which I sent money to Mt Gox?

3. How could this have happened? I expected a person handling this kind of money would be secured like my bank website. On the other hand, why did everyone trust him?

4. Is Mt. Gox giving any accountability such as taking steps to secure what information has not been lost yet?

5. Luckily I used my Mt Gox password only there. What steps should I take to secure other data I have?

thanks

1. This is the only data that we know of that was leaked. No, there is no possible way they can get to your wallet unless they got into your computer via a remote connection using your password.

2. If you used the same password, yes.

3. Most likely SQL injection. I'm surprised that in 2011 people are still not using prepared statements for querying the database. Because it is the most popular? Didn't have any problems for a long time.

4. Most likely.

5. If you used the same passwords as the one as Mt. Gox, change it.
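An added example, in Python against an in-memory SQLite table, that is not code from the thread or from Mt. Gox: the same username lookup written once by pasting the input into the SQL text and once as a prepared (parameterised) statement, which is the fix the posts above point at. The table rows, the hash strings in them and the `probe()` helper are constructed for the demo; the input with a stray quote mirrors the malformed `hehehe'` rows quoted earlier in the thread.

```python
# Added example (not from the thread or Mt. Gox): string-built SQL versus a
# parameterised query, using constructed rows in SQLite.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, hash TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, hash) VALUES (?, ?, ?)",
        [(1, "alice", "$1$constructed$hashA"), (2, "bob", "$1$constructed$hashB")],
    )
    return conn


def lookup_vulnerable(conn, username: str):
    """Vulnerable: the input becomes part of the SQL text, so a quote changes the query."""
    sql = "SELECT id, hash FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    """Hardened: the driver passes the value separately; it is never parsed as SQL."""
    sql = "SELECT id, hash FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe(username: str) -> dict:
    """Run both lookups on the same input and report what each did."""
    conn = make_db()
    result = {}
    try:
        result["vulnerable"] = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        # A parse error here is the tell: the quote in the input was read as SQL syntax.
        result["vulnerable"] = "SQL error: " + str(exc)
    result["safe"] = lookup_safe(conn, username)
    conn.close()
    return result


if __name__ == "__main__":
    for name in ("alice", "hehehe'", "O'Brien"):
        print(repr(name), probe(name))
```

The parameterised version returns an empty result for `hehehe'` or `O'Brien` because no such user exists, while the string-built one fails to parse. That failure mode is also the cheapest detection signal a site like this could have had: database syntax errors coming out of a login or search endpoint are worth logging and alerting on, since legitimate traffic almost never produces them.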


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: kjj on June 19, 2011, 10:53:07 PM
at least several months ago.

Need a date, man... That's way too vague.

I don't know.  I'm just going off the data I have (that everyone has by now).

The newest account that I've found with an old-style hash was #3045.  I signed up about a month ago, and my number is near #10,000.  Since 50,000 of the 60,000 accounts were from the last month, I feel pretty safe saying that the change was more than a month before I signed up.  Closer to that, I can't say.

But it is trivial for anyone to find their own name in the file and check the password hash listed.  Starts with $, probably safe, but think about changing it anyway.  Doesn't start with $, change it now, and change it in every place that you've ever used that password, or one similar to it.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: pete248 on June 19, 2011, 10:54:13 PM
Does anyone know where I can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely can't remember what password I used on Mt Gox (never actually traded on it) but I know it's one of several I can remember, so I want to do trial and error to check which one it is :P thanks.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: EpicFail on June 19, 2011, 10:56:47 PM
Can someone try to crack user 16139 please?

I would like to know how strong the password is. I believe it is pretty strong but I could be wrong.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Stephe on June 19, 2011, 11:02:23 PM
Does anyone know where I can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely can't remember what password I used on Mt Gox (never actually traded on it) but I know it's one of several I can remember, so I want to do trial and error to check which one it is :P thanks.
<?php
// The salt is the 8 characters between "$1$" and the next "$" in your row of the
// CSV; single quotes keep PHP from treating "$SALT..." as a variable.
echo crypt("yourpassword", '$1$SALT_FROM_FILE$'), "\n";
?>


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: kjj on June 19, 2011, 11:07:01 PM
If you have PHP, try this on the command line:

Code:
php -r 'echo crypt("PASSWORD", "\$1\$SALT_FROM_FILE\$") . "\n";'

(The backslashes matter: inside a PHP double-quoted string an unescaped "$SALT_FROM_FILE" would be read as a variable and silently dropped from the salt.)

There is a similar way to do it in Perl, but I don't know it off the top of my head.

Also, I found an online thingie.  http://crypt.php-functions.com/ (http://crypt.php-functions.com/).  Please note that I didn't test this with my password, because I don't trust it, but if you do trust it, the syntax is:

Code:
echo crypt("PASSWORD", '$1$SALT_FROM_FILE$')

Oh, and account 16139 is probably fine.  There are no services that can crack your password short of a brute force attempt.  How long the brute force takes will depend on the length and complexity of your password.  A short password, or one that is in a dictionary, or similar to a dictionary word, will be fairly easy.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: BubbleBoy on June 19, 2011, 11:14:06 PM
I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

The passwords before ID 3000 that were not changed are plain md5 hashes. Almost all are easily cracked. Example:
id: 642
name: shlax
hash: de434a6e3a01de06657454e07349535c
password: pretorian (http://www.md5rainbow.com/de434a6e3a01de06657454e07349535c)

The ones starting with $ are MD5 crypt passwords. The 1000 MD5 iterations add about 10 bits of apparent entropy, and the salts prevent parallelisation. If they are good, such passwords survive, but any less than 10 character alphanumeric password is in danger. Any all numeric under 20 digits, and all single case under 15 letters may be also in danger. If it's a dictionary word, forget it.

IMO there's no way to reopen MtGox without forcibly resetting the password on email and/or require proof of ID, coupled with a few weeks frozen accounts in which those who can't access the accounts can complain to support.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Mageant on June 19, 2011, 11:18:30 PM
Isn't it ironic that bitcoin mining is essentially also cracking a hash?


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: bullox on June 19, 2011, 11:21:33 PM
Isn't it ironic that bitcoin mining is essentially also cracking a hash?
Very.   Almost every person in this forum has the necessary hardware to get crackin.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: BubbleBoy on June 19, 2011, 11:28:11 PM
Quote
Almost every person in this forum has the necessary hardware to get crackin.

It seems it's the most profitable way to "mine", at least for this evening :)


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: BenD on June 19, 2011, 11:31:25 PM
I changed my pass also yesterday, can someone confirm the hack date???

I changed my password on June 18th, 0:42 am (GMT+1, summertime - it is 1:30 am when I post this). The hash in the csv represents my new password.

Edit: Oh sorry, this is of course not yesterday.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: grod on June 19, 2011, 11:34:23 PM
I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: phelix on June 19, 2011, 11:43:11 PM

Does anyone know where I can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely can't remember what password I used on Mt Gox (never actually traded on it) but I know it's one of several I can remember, so I want to do trial and error to check which one it is :P thanks.

On this site you can create your MD5 hash if you are not sure which pw you used or just want to check if it is in there:

http://www.insidepro.com/hashes.php?lang=eng


Old hash, as in the first 3000 users or so on the list:
just enter your password and look at the topmost box next to "MD5".

Newer hash starting with $1$:
enter password and salt. You will find your hash at "MD5(Unix)".

The salt is between the second and the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

The hash goes after the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

I am not affiliated in any way with the site and cannot tell if they are trustworthy. So only check if your password is weak or you have changed it everywhere else.

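Added example (editor's code, not posted by kjj, phelix or anyone else in this thread): a pure-hashlib re-implementation of the crypt(3) "$1$" MD5-crypt scheme the two posts above describe, so a candidate password can be checked against a row on your own machine instead of being typed into a third-party website. It handles both row formats in the file (a 32-hex plain MD5 for the old rows, $1$salt$hash for the newer ones) and takes the salt from between the second and third "$", as phelix explains. The function names hash_kind/check_password and the "correct horse" sample row are this example's own; the expected value for "rasmuslerdorf" is the public test vector from the PHP manual's crypt() documentation.

```python
import hashlib
import hmac

# Added example: re-implements the FreeBSD/PHP crypt() "$1$" MD5-crypt scheme
# with hashlib so a password can be checked offline against a leaked row.
# Sample rows used below are CONSTRUCTED for this example, not rows from the file.

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)'s custom base64: 6 bits at a time, least-significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Return '$1$<salt>$<22 chars>', exactly what crypt("pw", "$1$<salt>$") gives."""
    salt = salt[:8]  # the scheme uses at most 8 salt characters
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in len(password) bytes of the alternate digest, 16 at a time.
    pl = len(password)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    # One byte per bit of the password length: a zero byte for set bits,
    # the first password byte for clear bits (the "really weird" step in the C).
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds: this is the per-guess slowdown discussed in the thread.
    for i in range(1000):
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (MAGIC + salt + b"$" + out).decode("ascii")


def hash_kind(stored: str) -> str:
    """Classify a row: 'md5crypt' ($1$salt$hash), 'md5' (32 hex chars) or 'unknown'."""
    if stored.startswith("$1$") and stored.count("$") == 3:
        salt = stored.split("$")[2]
        if 1 <= len(salt) <= 8 and all(c in ITOA64.decode() for c in salt):
            return "md5crypt"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower()):
        return "md5"
    return "unknown"


def check_password(candidate: str, stored: str) -> bool:
    """True if the candidate reproduces the stored hash, whichever format the row uses."""
    kind = hash_kind(stored)
    pw = candidate.encode("utf-8")
    if kind == "md5crypt":
        _, _, salt, _ = stored.split("$")  # salt sits between the 2nd and 3rd '$'
        computed = md5_crypt(pw, salt.encode("ascii"))
    elif kind == "md5":
        computed = hashlib.md5(pw).hexdigest()
        stored = stored.lower()
    else:
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(computed.encode("utf-8"), stored.encode("utf-8"))


if __name__ == "__main__":
    # Constructed demo row: salt reused from the thread's sample, password invented here.
    demo = md5_crypt(b"correct horse", b"/gKxns/A")
    print(demo)
    print(check_password("correct horse", demo))  # True
    print(check_password("wrong", demo))          # False
```

Run it with one of the passwords you think you used; the 1000 MD5 rounds per call are noticeable in pure Python, which is the same cost an attacker pays for every guess against every salted row.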


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: scooter on June 19, 2011, 11:48:52 PM
Can someone try to crack user 16139 please?

I would like to know how strong the password is. I believe it is pretty strong but I could be wrong.

If you have Linux, install John the Ripper.
You can brute force your hash, or you can load rainbow tables and try that.

When the gawker.com database got hacked I tried my hash for fun to see how long it would take.
Less than 2 hours with 4 CPU cores brute force on an 8 character pass.

Luckily I never use the same password twice so it didn't cause a problem for me.




Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: kjj on June 19, 2011, 11:50:42 PM
I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.

Even a fairly weak password will take a while to find.  And you don't know in advance which passwords are weak, so you have to try them all, or try them one at a time.  This is bad, but not the end of the world.

Those passwords that have already been cracked were cracked because they were unsalted, which meant they could be stored in a database for lookup.  The rest are salted, and there is no shortcut to them.  The attacker actually has to calculate 1001 MD5 hashes using both the salt, and their current guess.  And unsuccessful guesses are wasted, they do not help on the next guess or the next account.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: myrkul on June 19, 2011, 11:53:21 PM
No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.

Length and option set trumps entropy and # of special characters.
!....1gOd1....! is more secure than as#^%^*($)! despite being easier to remember, and based on a dictionary word.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: kjj on June 19, 2011, 11:54:31 PM
MTGOX BREAKING NEWS

We will do one hour with the TradeHill guys LIVE via Skype.... at 9pm to 10pm ET tonight.

Then, we will do one hour with the MtGox guys LIVE via telephone from Tokyo.... at 10pm to 11pm ET tonight.

Go to http://onlyonetv.com and click the "Watch Live" button now... and join in the Live Chatroom.

See All Time Zones here:  http://goo.gl/ZqQRq

I'm trying to figure out why you think it is acceptable to keep posting this in every thread.  Did you get dropped on your head a lot as a child?


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: brybot on June 20, 2011, 12:06:23 AM
Anybody check that csv file for viruses? Or did we just get compromised again?


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: myrkul on June 20, 2011, 12:12:18 AM
It's clean data. Just a CSV file. Open in Google docs if you're paranoid.

Edit: Too much Starcraft.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: TheBitMan on June 20, 2011, 12:13:49 AM
Anybody check that csv file for viruses? Or did we just get compromised again?
I don't have Excel so I opened it in Notepad; it's clean.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: optionstalker on June 20, 2011, 12:31:22 AM
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: hoo2jalu on June 20, 2011, 12:31:52 AM
MTGOX BREAKING NEWS

We will do one hour with the TradeHill guys LIVE via Skype.... ... BLAH BLAH BLAH

I'm trying to figure out why you think it is acceptable to keep posting this in every thread.  Did you get dropped on your head a lot as a child?

Media whore'ing opportunities like this happen once a lifetim^H^H^Hmonth in bitcoin land!  Gotta make every second and eyeball count!


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: scooter on June 20, 2011, 12:37:16 AM
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

Mine says 7 decillion years


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 20, 2011, 12:41:11 AM
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

Mine says 7 decillion years

Repeated asdf over & over!

About 7 septendecillion years.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Batouzo on June 20, 2011, 12:53:53 AM
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep fingers crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possibly his and your ISP and all ISPs in between if this checker is over http instead of https. And people are able to buy forged SSL certs for MITM attacks even if it is https.



Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 20, 2011, 01:00:54 AM
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep fingers crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possibly his and your ISP and all ISPs in between if this checker is over http instead of https. And people are able to buy forged SSL certs for MITM attacks even if it is https.



Chill, it's all server-side. Look at the js. :)


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: martinw79 on June 20, 2011, 01:03:34 AM
It would take
About 14 sextillion years
for a desktop PC to crack your password

lol, sexy...



Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: TurboK on June 20, 2011, 01:15:54 AM
Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base 64 encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time but I'm kind of hoping that someone else already has :)

The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV.

Really though I'm with speeder, let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.
Input the salt and the password here and check under md5(unix).
http://www.insidepro.com/hashes.php?lang=eng

The format in the CSV is $1$salt$password.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Nescio on June 20, 2011, 01:20:32 AM
Yeah that's smart, going to some website to check your password LOL. You can bet your ass some people will have referrers pointing back to here and the site will connect the dots, find the password file, tie hash to entered pass, look up email address in file, hack mail and fish for balance when Mt.Gox comes back.


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: saqwe on June 20, 2011, 01:29:16 AM

Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.

Wow, glad I changed my password to "efweug#%_#Tsafwef24g" just 2 days ago!

hehe 12390ßqweuio789456 was mine


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Samantha2011 on June 20, 2011, 01:37:55 AM
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep fingers crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possibly his and your ISP and all ISPs in between if this checker is over http instead of https. And people are able to buy forged SSL certs for MITM attacks even if it is https.



Why would you enter your actual passwords into it anyway? At least use a substitution cipher on your password. And if that enhances the security of your password because it contains dictionary words, you're just an idiot.  :P


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: semarjt on June 20, 2011, 01:57:15 AM
Isn't it ironic that bitcoin mining is essentially also cracking a hash?

No, because that is not at all what bitcoin mining is.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: haydent on June 20, 2011, 02:16:59 AM
Quote
[Update - 2:06 GMT] What we know and what is being done.

    It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
    Two months ago we migrated from MD5 hashing to freeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
    We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
    Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
    When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: JonathanHiggins on June 20, 2011, 02:36:02 AM
Is it possible to get the list of names etc in alphabetical order?


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNTS CSV
Post by: Quantumplation on June 20, 2011, 02:57:14 AM
If they cant get the passwords because they're hashed, then... ummm, how did they do it?

What do you think Bitcoin miners are doing? Cracking hashes.

What do you think the passwords are protected with? Hashes.

So it's easy to crack hashed passwords, takes a few minutes per password, as long as it takes to crack a new Bitcoin block (about 10 minutes) is how long it takes to crack a hashed password.

That's not quite accurate.  Miners are tweaking one value in a block of data in order to find any password WITHIN THE DIFFICULTY.  Finding a hash that is lower than a set value is far easier than finding a very specific existing password.  Essentially, cracking the password would be solving the highest difficulty block possible.  (Also, Miners are working on SHA256, much harder to crack than simple MD5...)


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: haydent on June 20, 2011, 02:57:43 AM
Quote
Is it possible to get the list of names etc in alphabetical order?

just import said csv into spreadsheet program and sort that column


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 20, 2011, 03:42:53 AM
LOL @ someone messaging me and wanting this removed. Even if this thread was removed, the file has already been leaked.

If it's out there, you might as well let it be.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: finnthecelt on June 20, 2011, 03:54:25 AM
I hope you guys are interested in buying Viagra and increasing the size of your penis.

Now that's funny shit. I don't care who you are!!!! Already spammed from a Tradehill promoter. Thrice!!!


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: F104 on June 20, 2011, 04:38:01 AM
on this site you can create your md5 hash if you are not sure which pw you used or just want to check if it is in there:

http://www.insidepro.com/hashes.php?lang=eng

newer hash starting with $1$:
enter password and salt. you will find your hash at "MD5(Unix)"

salt is between the second and the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

hash goes after the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

I am not affiliated in any way with the site and cannot tell if they are trustworthy. So only check if your password is weak or you have changed it everywhere else.

When the Gox problems first came up a few days ago I went in and changed my password. They have the *new* password. I have $4.65 in Gox and the new password is unique to Gox. It feels spooky but I guess I dodged a bullet...unless the hoodlums have more info Gox isn't talking about.

Thanks for posting that link.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: F104 on June 20, 2011, 04:48:00 AM
Quote
It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.

No, you weren’t hacked, you employed people with as much responsibility, professionalism, and sense of duty as you: none.

It makes it OK that it was "someone else" and not you? Earlier you blamed each victimized user even as the complaints mounted.

Gox' character seems at the level of an immature 12 year old.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: bigfoot on June 20, 2011, 04:51:27 AM
on this site you can create your md5 hash if you are not sure which pw you used or just want to check if it is in there:

http://www.insidepro.com/hashes.php?lang=eng

newer hash starting with $1$:
enter password and salt. you will find your hash at "MD5(Unix)"

salt is between the second and the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

hash goes after the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

I am not affiliated in any way with the site and cannot tell if they are trustworthy. So only check if your password is weak or you have changed it everywhere else.

When the Gox problems first came up a few days ago I went in and changed my password. They have the *new* password. I have $4.65 in Gox and the new password is unique to Gox. It feels spooky but I guess I dodged a bullet...unless the hoodlums have more info Gox isn't talking about.

Thanks for posting that link.

The link was very helpful. Now I know which password was stolen. It appears that this data was recent, within the past few days, because I changed my pass last week.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: F104 on June 20, 2011, 04:57:06 AM
I changed my password around 8:30PM USA west coast time June 16, so it was after that they got the data.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: bigfoot on June 20, 2011, 05:02:02 AM
I changed my password around 8:30PM USA west coast time June 16, so it was after that they got the data.

That puts it between Sunday the 12th and the 16th that the data was stolen.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: NO_SLAVE on June 20, 2011, 05:12:08 AM
..... password hack - About 717 quattuorvigintillion years

paranoid - Yes

Just because they really are out to get you doesn't mean you aren't paranoid.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: andes on June 20, 2011, 05:22:14 AM
I hope you guys are interested in buying Viagra and increasing the size of your penis.
Ha ha, yes, brace for spam impact! Especially watch out for Bitcoin email scams in the future. This email database guarantees a high percentage of obsessed people within a narrow theme. Any scammer would be delighted to receive such a valuable CSV file.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: F104 on June 20, 2011, 05:26:06 AM
I changed my password around 8:30PM USA west coast time June 16, so it was after that they got the data.

http://blog.zorinaq.com/?e=55 says "...Contrary to previous claims from the MtGox owner, this indicates that many accounts had been compromised for at least days, if not weeks, before today's attack. This may explain some of the reports of Bitcoins being stolen from MtGox accounts in the previous days and weeks, as reported on the forums."

Something doesn't add up. My password on the posted .csv was created on the evening of June 16 west coast time. If blog.zorinaq.com is correct, then there were at least two separate seizures or losses of user lists from Gox, the first being long before Friday's release.

What am I missing? I am not the smartest rock in the forest.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: F104 on June 20, 2011, 05:28:05 AM
I changed my password around 8:30PM USA west coast time June 16, so it was after that they got the data.

That puts it between Sunday the 12th and the 16th that the data was stolen.

It couldn't have been before the 16th because I made up the password in the .csv on the 16th.

In post #75 above we have a link to a hash generator. I checked my "before" and "after" passwords. The hash in the .csv represents my "after" password, i.e., I created it at 8:30PM USA west coast time on the 16th. The data loss could not have occurred before then, my new password didn't exist.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Superform on June 20, 2011, 05:29:41 AM
I woke up this morning to see my email account was taken over.. everyone on that list should assume the passwords have been compromised - I have since retaken over my account


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: The Script on June 20, 2011, 06:11:48 AM
I woke up this morning to see my email account was taken over.. everyone on that list should assume the passwords have been compromised - I have since retaken over my account

I think someone tried to get into mine, which may mean my hashed password on the list was cracked? Gmail reported "suspicious activity" when I logged in this evening. You can be sure that I changed my password and that this will be prompting me to take a closer look at ALL my computer security protocols and settings. Perhaps this is a good wake-up for the community; up until now a lot of people have not taken their bitcoin security very seriously.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: makomk on June 20, 2011, 09:08:41 AM
http://blog.zorinaq.com/?e=55 says "...Contrary to previous claims from the MtGox owner, this indicates that many accounts had been compromised for at least days, if not weeks, before today's attack. This may explain some of the reports of Bitcoins being stolen from MtGox accounts in the previous days and weeks, as reported on the forums."

Something doesn't add up. My password on the posted .csv was created on the evening of June 16 west coast time. If blog.zorinaq.com is correct, then there were at least two separate seizures or losses of user lists from Gox, the first being long before Friday's release.
Looks very much like there was some kind of ongoing compromise that caused the password list to be leaked on more than one occasion over a period of at least two days, yes. Probably more than that if we assume the attacker attempted to brute-force the passwords themselves before posting on that forum or offering them for sale.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: sandos on June 20, 2011, 11:33:16 AM
Salts should include something unique for the site! I'm not sure this is the case here; it would alleviate the problem with re-using password hashes between many sites.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: gongcheng on June 20, 2011, 11:40:59 AM
I couldn't believe it is real.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: kjj on June 20, 2011, 12:53:25 PM
Salts should include something unique for the site! I'm not sure this is the case here; it would alleviate the problem with re-using password hashes between many sites.

Salts have been random for two months.  That's even better than being unique to the site.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: BubbleBoy on June 20, 2011, 01:00:04 PM
The salt should have a random part per user stored in the database and a static part per site stored in some include file.
The first part prevents massive parallelization, rainbow tables etc.
The second part keeps the password secure when only the database is leaked (ex. a SQL injection that does not escalate to code execution). In the case of MtGox it wouldn't have helped since the read-only account probably had source access too.

Extending this idea, email can be stored using reversible encryption. Thus a simple database leak is not sufficient to compromise all emails, you need local access to the source.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Karmicads on June 20, 2011, 01:04:35 PM


Thout Shall NOT.... er...

Said Moses descending MtGox,

"I was lucky to escape in me jocks."

"Your bitcoins are gorne,"

"But the good news is porn..."

"...and Viagra spam's filling your inbox. " ::)


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: kjj on June 20, 2011, 01:11:36 PM
The salt should have a random part per user stored in the database and a static part per site stored in some include file.
The first part prevents massive parallelization, rainbow tables etc.
The second part keeps the password secure when only the database is leaked (ex. a SQL injection that does not escalate to code execution). In the case of MtGox it wouldn't have helped since the read-only account probably had source access too.

Extending this idea, email can be stored using reversible encryption. Thus a simple database leak is not sufficient to compromise all emails, you need local access to the source.

If you think about it for a moment, I'm sure you will see that the static part is nearly useless.  The random part changes the game from "break once, break everywhere" to "break once, break here only".  That is huge.

But, if an attacker can brute force two passwords with static salt, they then know the static salt, and it offers no more protection.  The keyspace for the third attempt will have fallen back to the keyspace of the original password.  That is a mere speedbump compared to the brick wall of the random salt.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: BubbleBoy on June 20, 2011, 01:17:49 PM
If you take the time to read my post carefully you will see I've acknowledged that the static part does not improve protection against brute force. It ensures that to even attempt brute force, the attacker must have read access to the source, not just the database. That's a different class of attack, a significant speed-bump for the attacker from a layered security perspective.


Edit:
Quote
But, if an attacker can brute force two passwords with static salt, they then know the static salt, and it offers no more protection

This seems to be the source of our quarrel. You seem to imply that the static salt can be inferred without reading the source. For a static salt that has enough entropy (128 bit), that should be impossible. Since this is selected once by the website owner, the condition is easy to meet. For example the MD5 and SHA1 based crypt algorithms can use a salt of any length.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Raulo on June 20, 2011, 01:18:52 PM
The salted crypt() hashes are more difficult to crack, but so far I have found 2706 out of 59236 passwords of the database by just one hour of GPU dictionary-based cracking.  It can be safe to assume that the attacker was able to crack a similar number and could control thousands of accounts.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: kjj on June 20, 2011, 01:34:28 PM
If you take the time to read my post carefully you will see I've acknowledged that the static part does not improve protection against brute force. It ensures that to even attempt brute force, the attacker must have read access to the source, not just the database. That's a different class of attack, a significant speed-bump for the attacker from a layered security perspective.

No, the attacker does not need the static extra secret.  The brute force attack will reveal it right along with the password.  All it does is make the first two attempts harder, possibly a lot harder.  After that, it has no value.


Title: Re: DOWNLOAD LINK FOR MTGOX COMPROMISED ACCOUNT CSV
Post by: Karmicads on June 20, 2011, 01:57:44 PM
It's amazing how small the market is really, just 60k people. wtf.

You ain't seen nothin' yet brotha. Wait till you see how small it is in a couple of days.  ;)


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: finnthecelt on June 20, 2011, 02:07:22 PM
So has anyone discussed who in the HELL is this auditing company? How did they access Mt. Gox records? Do they have a database of these records off site? WTF?!?!


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: BubbleBoy on June 20, 2011, 02:16:00 PM
If you take the time to read my post carefully you will see I've acknowledged that the static part does not improve protection against brute force. It ensures that to even attempt brute force, the attacker must have read access to the source, not just the database. That's a different class of attack, a significant speed-bump for the attacker from a layered security perspective.

No, the attacker does not need the static extra secret.  The brute force attack will reveal it right along with the password.  All it does is make the first two attempts harder, possibly a lot harder.  After that, it has no value.

Maybe 2^128 harder, for a 128-bit static salt? Therefore making the first two brute-force attempts practically impossible? Therefore requiring knowledge of the static salt stored in a source configuration file, in order to crack the hashes in the database? Yes, that's precisely my point.
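To make the "static salt" argument from the earlier post and from this exchange concrete, here is an added example (not code from the thread or from Mt. Gox) of the scheme being described: a per-user random salt stored in the database next to the verifier, plus a server-side static secret that lives only in the application's configuration. PBKDF2-HMAC-SHA256 is an assumed stand-in for the crypt() variants mentioned above; the pepper value, the user table and the common-password list are constructed for the demo. The audit function is the operator-side check an exchange would run to force resets of weak passwords; run with an empty or wrong pepper, which is all a database-only leak gives, it matches nothing.

```python
import hashlib
import hmac
import secrets

# Constructed 128-bit server-side secret ("pepper"). It is kept in the
# application's configuration, never in the database, so a dump of the
# user table alone does not contain it.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

ITERATIONS = 50_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Derive the stored verifier from per-user salt, pepper and password.

    PBKDF2-HMAC-SHA256 stands in for the crypt() scheme discussed in the
    thread. The pepper is prepended to the password so that a database row
    (salt + hash) on its own is not enough to test candidate passwords.
    """
    return hashlib.pbkdf2_hmac("sha256", pepper + password.encode(), salt, ITERATIONS)


def new_record(username: str, password: str, pepper: bytes = PEPPER) -> dict:
    """Build the row stored in the user table: fresh random salt plus verifier."""
    salt = secrets.token_bytes(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt, pepper)}


def verify(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Constant-time check of a login attempt against a stored record."""
    candidate = hash_password(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["hash"])


def audit_weak_passwords(records, wordlist, pepper) -> list:
    """Operator-side audit: which users chose a password from a common list?

    With the real pepper the operator can flag accounts for a forced reset.
    With an unknown pepper (the database-only view) the same loop finds
    nothing, which is the point made in the thread above.
    """
    weak = []
    for rec in records:
        for word in wordlist:
            if verify(word, rec, pepper):
                weak.append(rec["user"])
                break
    return weak


# Constructed sample user table and a tiny common-password list.
USERS = [
    new_record("alice", "password123"),
    new_record("bob", "correct horse battery staple"),
    new_record("carol", "letmein"),
]
COMMON = ["123456", "password123", "letmein", "qwerty"]

if __name__ == "__main__":
    print("login ok:", verify("letmein", USERS[2]))
    print("weak, operator with pepper:", audit_weak_passwords(USERS, COMMON, PEPPER))
    print("weak, database-only view:", audit_weak_passwords(USERS, COMMON, b""))
```

The pepper does nothing against an attacker who has both the database and the configuration, and a second "guess the pepper" loop would cost 2^128 work, which is the disagreement in the two posts above; what it buys is that the database dump by itself is not a crackable artifact.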


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: manifold on June 20, 2011, 03:26:18 PM
Well, I'm lucky... I never traded on mtgox AND I used a random password (only for mtgox...)... puh...

Does anyone know how fast such a password hash can be broken?


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: manifold on June 20, 2011, 03:34:46 PM
I do not know if this is real or fake. However, this is a direct download link that I hosted. Please comment...

http://bit.ly/kE3Q4D (http://bit.ly/kE3Q4D)

[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]

I can't believe that.

This is completely against every privacy consideration that this file is openly distributed.

Honestly, I think it wasn't bad. Now everyone knows exactly how much info the attacker had. And if that database would be any use (except for the emails) any more, then mtgox hasn't done a complete reset of the passwords.
And if someone used the password on multiple accounts, they get a really good kick in the ass to change them. Before that, you could make yourself believe that your password doesn't need to be changed.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 20, 2011, 05:48:57 PM
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public than they are now?

If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link.

I believe that this shouldn't be kept secret, it is a P2P currency. :P


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: myrkul on June 20, 2011, 05:54:12 PM
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public than they are now?

If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link.

I believe that this shouldn't be kept secret, it is a P2P currency. :P

Srsly. Here, let me illustrate:

OMG! All my horses have escaped! Why is the barn door still open?!?


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 20, 2011, 05:55:54 PM
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public than they are now?

If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link.

I believe that this shouldn't be kept secret, it is a P2P currency. :P

Srsly. Here, let me illustrate:

OMG! All my horses have escaped! Why is the barn door still open?!?

To freshen the air, of course.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Montpelerin on June 20, 2011, 06:05:38 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 20, 2011, 06:07:09 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...

Google got the list and got all gmail accounts to reset their password.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: myrkul on June 20, 2011, 06:14:52 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...

Google got the list and got all gmail accounts to reset their password.

Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Chick on June 20, 2011, 06:15:47 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...

Google got the list and got all gmail accounts to reset their password.

Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.

http://forum.bitcoin.org/index.php?topic=19641.msg245983#msg245983


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: phelix on June 20, 2011, 06:33:04 PM
This information is important.  
I'm just trying to get it out to everyone as quickly as possible.  
Sorry if I'm repeating myself, but there are so many threads on this same topic..  I don't want anyone to miss it.
 
Today at 2pm ET we'll be interviewing LIVE.... the man behind the $5,000,000 trade....
...  The man who bought the Bitcoin at $0.01 each....

Then later this evening, at 10pm ET, we will have Mark Karpeles,  the owner of MtGox...  personally ...  LIVE ... to answer all of your questions in the Chatroom.  

First I thought this was spam. But now that I watch the show... the show is OK but what really is hilarious is the chatroom  ;D


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: myrkul on June 20, 2011, 06:35:46 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...

Google got the list and got all gmail accounts to reset their password.

Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.

http://forum.bitcoin.org/index.php?topic=19641.msg245983#msg245983

Awesome. Google living up to their motto. On a related note, my spam has not increased significantly. I did get the tradehill spam twice, though the second one was filtered. I think I have gotten one that can be directly attributed to the list leak: a financial services offer (Really? Loans by email? Who is that dumb?)


Title: Re: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)
Post by: Nescio on June 21, 2011, 03:30:35 AM
Srsly. Here, let me illustrate:

OMG! All my horses have escaped! Why is the barn door still open?!?

Bad analogy. Correct analogy: OMG, all my horses have escaped and they had the combination to the safe tattooed on their back. Someone copied those numbers and it's in a few newspapers now. But thank god the barn door is closed and my horses are back inside, now I can sleep well again.

Seriously? :)