Bitcoin Forum

Economy => Economics => Topic started by: warsmith on June 19, 2011, 08:18:33 PM



Title: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: warsmith on June 19, 2011, 08:18:33 PM
How do you think the released passwords for MtGox accounts will impact the BTC price? Personally, I think it will drive the price down, because of the bad publicity related with such leaks.


P.s. http://www.megaupload.com/?d=XHMMAIU8 <- The file with the accounts and hashed (maybe salted too?) passwords.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: Goldenmaw on June 19, 2011, 08:23:15 PM
Would somebody scan that thing on a computer isolated from sensitive bitcoin related material?


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: Bit_Happy on June 19, 2011, 08:23:37 PM
It will be hard to have prices actually fall to $1 (for example) since there is so much money to be made on bear market rallies. Eventually the (temporary) massive over-supply of BTC will win out and we could see prices in the $1 to $4 range, IMO. The story continues, stay tuned...


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: warsmith on June 19, 2011, 08:28:14 PM
Would somebody scan that thing on a computer isolated from sensitive bitcoin related material?


Dude, treat it as a plain text *.TXT....


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: Goldenmaw on June 19, 2011, 08:32:43 PM
No offense to you personally warsmith, but paranoia pays around these parts.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: warsmith on June 19, 2011, 08:34:55 PM
No offense to you personally warsmith, but paranoia pays around these parts.

None taken. It would destroy the thread and the users' browsers if I'd pasted the whole 3 MB text file as a reply.
Anyway. I hope everyone changes the password asap when it comes back online.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: ploum on June 19, 2011, 08:39:09 PM
It means a lot of questions. I've asked some of them here:
http://thebitcoinsun.com/post/2011/06/19/Huge-crash-and-compromized-datas-on-MtGox

But I don't have answers yet. (be welcome to comment on the article page)


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: EricSU on June 19, 2011, 08:44:35 PM
I just received this email from mtgox.

Quote
Dear Mt.Gox user,

Our database has been compromised, including your email. We are working on a
quick resolution and to begin with, your password has been disabled as a
security measure (and you will need to reset it to login again on Mt.Gox).

If you were using the same password on Mt.Gox and other places (email, etc),
you should change this password as soon as possible.

For more details, please see this:

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

The information there will be updated as our investigation progresses.

Please accept our apologies for the troubles caused, and be certain we will do
everything we can to keep the funds entrusted with us as secure as possible.


The leaked data includes the following:

- Account number
- Account login
- Email address
- Encrypted password

While the password is encrypted, it is possible to bruteforce most passwords
with time, and it is likely bad people are working on this right now.


Any unauthorized access done to any account you own (email, mtgox, etc) should
be reported to the appropriate authorities in your country.


Thanks,
The Mt.Gox team




Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: DukeOfEarl on June 19, 2011, 08:49:58 PM
I just received this email from mtgox.


I haven't gotten mine yet, but I like that they at least own up to it.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: dinzy on June 19, 2011, 08:54:01 PM
I can confirm my username and email are on the list. Damn.

Is everyone going to open up a tradehill account and crash that market ( the server, not price) as soon as they get in?


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: Clipse on June 19, 2011, 08:55:48 PM
I'm confused, didn't get any email and I'm a fairly big-time trader o_0


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: warsmith on June 19, 2011, 08:55:56 PM
no comment about the salt though


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: dev^ on June 19, 2011, 09:00:32 PM
What might happen with those users who didn't enter an email address? (including me...)
How can they log in again, if all passwords were reset?  :-\


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: warsmith on June 19, 2011, 09:03:28 PM
What might happen with those users who didn't enter an email address? (including me...)
How can they log in again, if all passwords were reset?  :-\

Perhaps they didn't reset all of them?


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: TurboK on June 19, 2011, 09:04:19 PM
I looked at that password list. Only around 1800 passwords were kept in regular md5, those are piss easy to crack (see http://www.md5decrypter.co.uk/ if you don't have a rainbow table setup already). The other 60000 were using some other format I did not recognize, though possibly by my own fault... they remind me of Wordpress passwords. It's probably some combined multiple md5 + hash, so I'd think that they are difficult if not impossible to crack, especially if you used a password that is long enough with a wide enough character set.

The danger for password reuse is very real though. It is in theory possible to find a less secure password from some site you signed up to, recover the password from there, and use it at mtgox with your username. So if you use the same password at mtgox or anywhere else, you'll NEED to change passwords. Otherwise you are fairly safe, provided your account is not one of those with regular md5 hashes (the ones not starting with $1$whatever are regular md5s).


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: dev^ on June 19, 2011, 09:11:39 PM
What might happen with those users who didn't enter an email address? (including me...)
How can they log in again, if all passwords were reset?  :-\

Perhaps they didn't reset all of them?

I hope so...


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: Tolsi on June 19, 2011, 09:18:48 PM
Where is user number 51190 in the file?!


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: digimag on June 19, 2011, 09:24:57 PM
No offense to you personally warsmith, but paranoia pays around these parts.

None taken. It would destroy the thread and the users' browsers if I'd pasted the whole 3 MB text file as a reply.
Anyway. I hope everyone changes the password asap when it comes back online.
I hope Mt.Gox will refund everybody and close after this disaster.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: bcpokey on June 19, 2011, 09:28:03 PM
Quote
UPDATE REGARDING LEAKED ACCOUNT INFORMATION

We will address this issue too and prevent logins from each user. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure.

I'm not sure what their definition of simple is. I can't remember if I used an email addy on mtgox, and if I didn't my password was pretty complex, so hopefully I can get in and get mah moniez.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: bustaballs on June 19, 2011, 09:37:36 PM
I submitted my first coin to mtgox last night and now it's saying my account doesn't exist. I hope I get my account and my 1 BTC back.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: icaci on June 19, 2011, 09:54:08 PM
I looked at that password list. Only around 1800 passwords were kept in regular md5, those are piss easy to crack (see http://www.md5decrypter.co.uk/ if you don't have a rainbow table setup already). The other 60000 were using some other format I did not recognize, though possibly by my own fault... they remind me of Wordpress passwords. It's probably some combined multiple md5 + hash, so I'd think that they are difficult if not impossible to crack, especially if you used a password that is long enough with a wide enough character set.

The danger for password reuse is very real though. It is in theory possible to find a less secure password from some site you signed up to, recover the password from there, and use it at mtgox with your username. So if you use the same password at mtgox or anywhere else, you'll NEED to change passwords. Otherwise you are fairly safe, provided your account is not one of those with regular md5 hashes (the ones not starting with $1$whatever are regular md5s).
$1$salt$hash is the standard FreeBSD MD5-based crypt() format. It was first developed for FreeBSD back in the days when export of DES code outside USA was forbidden. Then all major Unix variants switched to using it as it is much more secure than the original Unix DES-based crypt() and allows passwords longer than 8 symbols. It employs fixed number of salted MD5 rounds and is considered fairly secure given that lots of special symbols and combination of upper and lowercase letters are used. There is another Blowfish-based variant from OpenBSD that is clearly recognisable by the $2$ sentinel. It is much stronger as it takes a lot more CPU/GPU power to compute it compared to the MD5-based one.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: Bit_Happy on June 19, 2011, 10:20:29 PM
I submitted my first coin to mtgox last night and now it's saying my account doesn't exist. I hope I get my account and my 1 BTC back.

The site is down, don't worry.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: TurboK on June 19, 2011, 10:37:50 PM
I looked at that password list. Only around 1800 passwords were kept in regular md5, those are piss easy to crack (see http://www.md5decrypter.co.uk/ if you don't have a rainbow table setup already). The other 60000 were using some other format I did not recognize, though possibly by my own fault... they remind me of Wordpress passwords. It's probably some combined multiple md5 + hash, so I'd think that they are difficult if not impossible to crack, especially if you used a password that is long enough with a wide enough character set.

The danger for password reuse is very real though. It is in theory possible to find a less secure password from some site you signed up to, recover the password from there, and use it at mtgox with your username. So if you use the same password at mtgox or anywhere else, you'll NEED to change passwords. Otherwise you are fairly safe, provided your account is not one of those with regular md5 hashes (the ones not starting with $1$whatever are regular md5s).
$1$salt$hash is the standard FreeBSD MD5-based crypt() format. It was first developed for FreeBSD back in the days when export of DES code outside USA was forbidden. Then all major Unix variants switched to using it as it is much more secure than the original Unix DES-based crypt() and allows passwords longer than 8 symbols. It employs fixed number of salted MD5 rounds and is considered fairly secure given that lots of special symbols and combination of upper and lowercase letters are used. There is another Blowfish-based variant from OpenBSD that is clearly recognizable by the $2$ sentinel. It is much stronger as it takes a lot more CPU/GPU power to compute it compared to the MD5-based one.
You learn something new every day.
So, the $1$salt$ part is the salt, and it is computed (roughly) by salt + password = hash, then hash + salt + password = hash 2, and so on, repeating 1000 times, and the result is then encoded into a unix DES hash? Doesn't sound too safe, since the salt is known, but I guess it means that bruteforcing takes, theoretically, 1000 times longer. This should knock off 2-3 letters from the length of password that is still viable to bruteforce. But it's true that even if someone cracks just 1 account with a weak password, they can get a killing.

The irony is, if someone has the processing power to bruteforce the majority of these passwords, they could already get money just by mining bitcoins.
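Added example, not posted by anyone in this thread and not Mt.Gox code: it separates bare-MD5 entries from $1$ entries in a dump laid out as "id login email hash" (the column layout is assumed from the line quoted later in the thread), reproduces the $1$ md5crypt construction that icaci and TurboK describe above so the salt and the fixed 1000 salted MD5 rounds are visible in code, and puts a number on the "knock off 2-3 letters" estimate. The sample dump lines, logins, salts and passwords below are constructed; nothing is taken from the leaked file.

```python
"""Audit a leaked 'id login email hash' dump by hash scheme and show what the
$1$ md5crypt construction actually does. Added example; sample data is made up."""
import hashlib
import hmac
import math
import re
from collections import Counter

# md5crypt's own base64 alphabet (not the RFC 4648 one)
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: bytes, salt: bytes) -> str:
    """$1$ md5crypt, transcribed from the FreeBSD/glibc reference algorithm."""
    magic = b"$1$"
    salt = salt.split(b"$", 1)[0][:8]          # at most 8 salt chars, stop at '$'
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:                              # mix in len(password) bytes of alt
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(password)
    while i:                                   # one byte per bit of the length
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # the fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = bytearray()

    def to64(v: int, n: int) -> None:
        for _ in range(n):
            out.append(ITOA64[v & 0x3F])
            v >>= 6

    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        to64(final[a] << 16 | final[b] << 8 | final[c], 4)
    to64(final[11], 2)
    return (magic + salt + b"$" + bytes(out)).decode("ascii")


def verify_md5crypt(password: bytes, stored: str) -> bool:
    """Recompute with the salt embedded in `stored`; compare in constant time."""
    if not stored.startswith("$1$"):
        return False
    salt = stored[3:].split("$", 1)[0]
    return hmac.compare_digest(md5crypt(password, salt.encode()), stored)


def classify_hash(h: str) -> str:
    """Name the scheme from the modular-crypt sentinel, as the posts above do."""
    if h.startswith("$1$"):
        return "md5crypt"
    if h.startswith("$2"):                     # $2$, $2a$, $2b$: bcrypt variants
        return "bcrypt"
    if re.fullmatch(r"[0-9a-f]{32}", h):       # 32 hex chars: unsalted single MD5
        return "raw-md5"
    return "unknown"


def audit_dump(text: str):
    """Count schemes and list logins whose hash has no salt and no stretching,
    i.e. the accounts an operator should force-reset first."""
    counts, force_reset = Counter(), []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:                   # skip blank or malformed lines
            continue
        _, login, _, h = fields
        scheme = classify_hash(h)
        counts[scheme] += 1
        if scheme == "raw-md5":
            force_reset.append(login)
    return counts, force_reset


def letters_bought_by_rounds(rounds: int, charset_size: int) -> float:
    """Extra password characters that `rounds` iterations are worth against
    brute force: solve charset_size ** x == rounds for x."""
    return math.log(rounds) / math.log(charset_size)


# Constructed sample dump (hypothetical logins/salts/passwords, not from the leak).
SAMPLE_DUMP = "\n".join([
    "1001 alice alice@example.invalid " + hashlib.md5(b"password").hexdigest(),
    "1002 bob   bob@example.invalid   " + md5crypt(b"password", b"Ab3/xYz."),
    "1003 carol carol@example.invalid " + md5crypt(b"Tr0ub4dor&3", b"q7Wm2pLk"),
])

if __name__ == "__main__":
    counts, weak = audit_dump(SAMPLE_DUMP)
    print(dict(counts), "force reset first:", weak)
    print("1000 rounds ~ %.1f extra chars over a 95-char set"
          % letters_bought_by_rounds(1000, 95))
```

The salt defeats precomputed tables because the same password gives a different $1$ hash per account, and the 1000 rounds raise the per-guess cost by roughly three orders of magnitude, which against a 95-character set is worth about one and a half extra characters of password length; neither helps an account whose password is short enough to be guessed anyway, which is why the audit reports the bare-MD5 logins separately.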


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: Philj on June 19, 2011, 10:52:32 PM
Checked, and mine was on the list  :'(

Went and changed other accounts; even though the exact same PW wasn't used, it was based on an algorithm.

Lets hope this doesn't totally crash the market when things come back on line.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: frutza on June 19, 2011, 10:57:08 PM
Usernames and emails were released, indeed. Passwords were NOT, only the hashes.
Weak passwords can be obtained from the hashes. Strong ones - not really, it's kind of hard  ;D

My two BTcents: login to your account as soon as you can and change your password to something resembling a bitcoin address.
That should be hard enough to get from its hash  :)


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: frutza on June 19, 2011, 11:01:33 PM
Oh, and expect some spam emails in the future! Maybe Nigerian letters involving bitcoins?


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: TurboK on June 19, 2011, 11:07:16 PM
Oh, and expect some spam emails in the future! Maybe Nigerian letters involving bitcoins?
greetings i am a Nigerian emperor and it appears that you are entitled to a part of my sacred golden lamb flock!! plese send me your name, address and secuirty of social number and i will have my unics contact you tomorw or at your best convience!
-Jalathalqualruaumqama


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: Justsomeforumuser on June 19, 2011, 11:11:53 PM
There really isn't anything I could say or repeat on this subject that comes as close as what reality is doing to people right now.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: chungenhung on June 20, 2011, 12:44:44 AM
And I bet there will be people switching their BTC mining operation to a password cracking operation.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: chadqberry on June 20, 2011, 12:59:03 AM
The emails are already flooding.. MtGox scams to trick you into installing a new bitcoin client (which is infected) as well as some lame @ss trying to get you to register at Tradehill using his referral number.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: jgraham on June 20, 2011, 03:54:15 AM
Usernames and emails were released, indeed. Passwords were NOT, only the hashes.
Weak passwords can be obtained from the hashes. Strong ones - not really, it's kind of hard  ;D

Just ran oclHashcat on my hash and the 6990 gave an estimate of 100 years (both cores).  Not feeling so bad about that.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: frutza on June 20, 2011, 05:46:56 AM
Not bad, but what about those mining ops who have hundreds of cards? What if THEY turn to cracking?  ;D
Hail the emperor above!!!


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: frutza on June 20, 2011, 05:48:31 AM
Why won't you guys save the time, electricity and cracking/spamming effort, and send me all your bitcoins now? Oops, forgot I don't have an address in my signature...


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: unixdude on June 20, 2011, 06:04:51 AM
It will impact them and for the worst. It highlights the fact that the exchanges are not secure and until they are, they should not be used or used with extreme caution.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: Grant on June 20, 2011, 06:07:16 AM
It highlights the fact that the exchanges are not secure and until they are, they should not be used or used with extreme caution.

I'm afraid extreme caution will be the result here, consequently that means: higher spreads, lower liquidity, lower price. Until confidence is restored.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: hugolp on June 20, 2011, 06:13:33 AM
It highlights the fact that the exchanges are not secure and until they are, they should not be used or used with extreme caution.

I'm afraid extreme caution will be the result here, consequently that means: higher spreads, lower liquidity, lower price. Until confidence is restored.

Trading websites have been hacked. They have reverted the trades, and nothing big has happened. I don't see why it would be very different in this case. Hopefully this will make people go towards more serious exchanges.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: klayus on June 20, 2011, 06:46:09 AM
I've got a problem. My account was on the list but when I try to login to change my password it says the account doesn't exist. Did that happen to everyone or just me? Have I lost my bitcoins???

best regards


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: imperi on June 20, 2011, 06:48:01 AM
I've got a problem. My account was on the list but when I try to login to change my password it says the account doesn't exist. Did that happen to everyone or just me? Have I lost my bitcoins???

best regards

You can't login yet. I think you are referring to the help forum which is a separate registration, I think.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: LokeRundt on June 20, 2011, 12:10:58 PM
Quote from: Lameass
Dear Sir or Madam,


A few hours ago the Bitcoin trading website Mt Gox was hacked. Malicious individuals have been able to obtain a database containing usernames, email addresses and encrypted passwords. This information has been posted publicly on the internet.

As a Bitcoin supporter I'm now sending a message to every email address contained in the hacked database. This is to warn you that your username, email address and password have been leaked. I therefore strongly advise you to change your passwords. If you have used the same password on different websites it's highly recommended to change your password on all of your accounts!

For a more secure alternative to Mt Gox, the community appears to be moving to TradeHill. So this is no reason to lose faith in Bitcoin itself. It must be seen as a warning that not every website can be trusted with your data however! Their link is http://www.tradehill.com/?r=TH-R15683 (Note: You can remove the Referral Code when registering if you want!) This is certainly not the only website where you can exchange Bitcoins, also check out http://www.thebitcoinlist.com/dp_bitcoin/bitcoin-exchange/


Sincerely,

A Bitcoin supporter
1CWSjov2N7ix41bZ8bJfHXkdLLbkUsG9Y7

So what I want to know is, how the fuck does this "sincere" bitcoin supporter get my email address?  I had an account with Mt.Gox, but didn't even trade with them.


Nm, didn't realize I had an active link to my email on this board.  *le sigh*

EDIT:  But to further thicken the plot, in my account-related settings, the box labeled "Hide email address from public" is checked. . . .hmmmmmmmmmmm *navigates over to the meta subforum*


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: DukeOfEarl on June 20, 2011, 01:22:09 PM
Where is user number 51190 in the file?!

This is the most brilliant insight I've read so far.  The hacker likely had a login on mtgox and probably deleted themselves before release.

That said, 51190 is in there:

51190   tgibbsz32   tgibbsz32@gmail.com   $1$9eZ.kSvA$fshZ6R1jkNtlllW10Sxpp/


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: deuxmill on June 20, 2011, 01:23:11 PM
When I tried to login to my gmail account today I had to change the password because there was some suspicious activity :). Guess they tried to login using the password from mtgox.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: cronopio on June 20, 2011, 01:54:28 PM
When I tried to login to my gmail account today I had to change the password because there was some suspicious activity :). Guess they tried to login using the password from mtgox.

Me too. I hear mtgox works with Google to report that suspicious activity. I changed my password and have had no problems so far.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: heavyb on June 20, 2011, 02:05:31 PM
Somehow my e-wallet was hacked and 0.40 BTC were sent to

1MAazCWMydsQB5ynYXqSGQDjNQMN3HFmEu

named Electronic Frontier Foundation.

Googling the name send me here http://www.eff.org/

I'm thinking it is a cover, this group seems to be in support of online protection. Eff whoever is doing this hacking.


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: ColdHardMetal on June 20, 2011, 02:24:16 PM
I looked at that password list. Only around 1800 passwords were kept in regular md5, those are piss easy to crack (see http://www.md5decrypter.co.uk/ if you don't have a rainbow table setup already).  Otherwise you are fairly safe, provided your account is not one of those with regular md5 hashes (the ones not starting with $1$whatever are regular md5s).


lol, that is so I wrong.

I iz leet hax0r thanks to random interweb link!


Title: Re: Mt.Gox Accounts and passwords released, impact to BTC econ
Post by: jgraham on June 20, 2011, 05:12:55 PM
Not bad, but what about those mining ops who have hundreds of cards? What if THEY turn to cracking?  ;D
Hail the emperor above!!!

I actually thought about this.  I took the top miners from various pools and compared their GHash rates to my own and figured that it scales linearly (it probably gets a better coefficient than I was giving it but I doubt it changes the order of the function).  Which puts the estimate at ~ 4 years.  That's assuming they are cracking my hash and only my hash (obviously the time increases by n for n hashes).  To worry about my password being cracked in one month (i.e. P=.02/day) I'd either have to get the attention of 48 of these folk who own >$10K worth of GPUs or postulate that there's some mysterious person who has half a million worth of modern GPU equipment (and all other permutations therein).  Probabilistically speaking I'd say I'm in the clear... unless someone sics 天河 on me.