Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: klaus on June 20, 2011, 07:56:57 AM



Title: It took less than 10 seconds to crack more than 300 accounts
Post by: klaus on June 20, 2011, 07:56:57 AM

http://twitter.com/#!/kaepora/status/82552527555530752

https://uloadr.com/u/CF.txt



Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: Chick on June 20, 2011, 08:02:20 AM
You know, I tried this too. But it takes AGES to crack the more unique ones. Gave up a few hours later...

Some of the members on that list deserved to be hacked with those passwords they have :P


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: LeFBI on June 20, 2011, 08:22:11 AM
the snippet you cracked there is from the few simple md5() hashes in the leaked list only. you can't bruteforce a list of +59000 unix_md5() hashes with +59000 different salts within 2s.
also, the accounts for the hashes you cracked can be considered as dead. MtGox switched from simple md5() to unix md5() months ago. the simple md5() hashes are from accounts where no one has logged in for months


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: dserrano5 on June 20, 2011, 09:22:35 AM
In any case, those accounts are now known to be used by people who are unaware of the importance of having strong passwords. It's not unreasonable to think that the user whose password was "qwertyABC" is going to use a weak password again.


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: freetx on June 20, 2011, 09:50:34 AM
Here is a list of the first few thousand passwords.

http://pastebin.com/r3hYJYLa

The first 3000 are apparently using straight md5 with no salt, so they are fairly easy to crack.

If you appear on that list, please take appropriate precautions.



Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: barbarousrelic on June 20, 2011, 10:13:09 AM
"love" "sex" "secret" and "god" do not appear anywhere in those passwords. Hackers lied to me.


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: Swishercutter on June 20, 2011, 10:20:50 AM
"love" "sex" "secret" and "god" do not appear anywhere in those passwords. Hackers lied to me.

Although, can u use quotes in passwords because  "love""sex""secret"and"god" (alloneword) might be a good one to use...lol.


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: Bit_Happy on June 20, 2011, 10:36:22 AM
In any case, those accounts are now known to be used by people who are unaware of the importance of having strong passwords. It's not unreasonable to think that the user whose password was "qwertyABC" is going to use a weak password again.

So what? If the old account actually comes back, then their new (weak) password will be protected by the improved code and much harder to crack. No online site is able to stop dummies from using a lame password.


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: Cluster2k on June 20, 2011, 10:40:47 AM
"love" "sex" "secret" and "god" do not appear anywhere in those passwords. Hackers lied to me.

Did Mt Gox go down because they haxxored the Gibson?  I bet the hacker used PCI.


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: kjj on June 20, 2011, 11:19:00 AM
Here is a list of the first few thousand passwords.

http://pastebin.com/r3hYJYLa

The first 3000 are apparently using straight md5 with no salt, so they are fairly easy to crack

If you appear on that list, please take appropriate precaution.

Odd.  That appears to be 361 passwords, out of the roughly 1700 that were unsalted.  That is an order of magnitude away from your claim of 3000, but let us put that aside for the moment.

The more interesting thing is that roughly 80% of the weakly hashed passwords have not yet been cracked, even in today's world of giant rainbow tables and precomputed MD5 databases.


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: freetx on June 20, 2011, 12:17:03 PM

Odd.  That appears to be 361 passwords, out of the roughly 1700 that were unsalted.  That is an order of magnitude away from your claim of 3000, but let us put that aside for the moment.

The more interesting thing is that roughly 80% of the weakly hashed passwords have not yet been cracked, even in today's world of giant rainbow tables and precomputed MD5 databases.

Meant first 3000 usernames.



Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: airdata on June 20, 2011, 01:28:43 PM
"love" "sex" "secret" and "god" do not appear anywhere in those passwords. Hackers lied to me.

I saw one guy in the list who used ' assrape '.


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: tymothy on June 20, 2011, 01:32:57 PM
A lot of these people may have signed up just to see the user interface and used a really weak password that they'll remember even if they don't come back to the site for ages, like 123456. I do that a lot. Hopefully they don't do that on sites with personal information or finances!


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: BCEmporium on June 20, 2011, 01:56:15 PM
I'm one of those easy pickings, in an account I haven't used for ages (and had actually forgotten the username, so I opened another one later on).
Lucky me, my ex-girlfriend managed to hack an old email account where I used the same weak password. Just when you believe there's no use for ex-girlfriends, uh?  ;D


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: barbarousrelic on June 20, 2011, 04:11:21 PM
If your password is a non-dictionary string of seemingly random alphanumerics, how is it possible that someone could brute force your hash into a password? Aren't there a great number of alphanumeric strings that can be hashed into a given hash?
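Two points raised earlier in this thread can be made concrete with a small script: LeFBI's work-factor argument (a table of plain md5() digests falls to a single dictionary pass, while a table of per-user-salted digests forces the whole pass to be repeated for every account) and the question just above about whether a cracked digest could belong to some string other than the real password. The following Python is an added example, not code from this thread or from Mt. Gox. The user table, passwords and wordlist are constructed for the demonstration; the salted function shows only the salting principle, not the real unix md5-crypt ($1$) algorithm; and the PBKDF2 functions stand in for the slow, salted hash a site should be using instead of either md5 scheme.

```python
import hashlib
import hmac
import os

# Constructed sample data standing in for the leaked table and a cracker's
# dictionary: the names, passwords and words below are invented for this example.
USERS = {
    "alice": "qwertyABC",
    "bob": "123456",
    "carol": "Tr0ub4dor&3",  # not in the wordlist, so it survives a dictionary pass
}
WORDLIST = ["password", "123456", "qwertyABC", "letmein", "jasper"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Legacy scheme: plain md5(password). Equal passwords give equal digests,
    and one computed digest can be checked against every account in the table."""
    return {u: md5_hex(p.encode()) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    """Per-user random salt hashed together with the password. This shows only
    the salting principle behind unix md5-crypt ($1$), not its real iteration."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(8)
        out[u] = (salt, md5_hex(salt + p.encode()))
    return out


def dictionary_run_unsalted(table: dict, wordlist: list) -> tuple:
    """Hash each candidate once and look it up against all accounts at once.
    Returns (recovered {user: password}, number of md5 computations)."""
    by_digest = {}
    for u, d in table.items():
        by_digest.setdefault(d, []).append(u)
    recovered, work = {}, 0
    for word in wordlist:
        work += 1
        for u in by_digest.get(md5_hex(word.encode()), []):
            recovered[u] = word
    return recovered, work


def dictionary_run_salted(table: dict, wordlist: list) -> tuple:
    """With a distinct salt per account nothing can be shared: every candidate is
    rehashed per account, so the work is (accounts x words) instead of (words)."""
    recovered, work = {}, 0
    for u, (salt, d) in table.items():
        for word in wordlist:
            work += 1
            if md5_hex(salt + word.encode()) == d:
                recovered[u] = word
                break
    return recovered, work


def preimage_odds(length: int = 8, alphabet_size: int = 62) -> dict:
    """Answer to 'could some other string hash to my digest?': the number of
    short alphanumeric strings is tiny next to the 2**128 possible MD5 digests,
    so a dictionary hit is, in practice, the original password itself."""
    inputs = alphabet_size ** length
    digests = 2 ** 128
    return {"inputs": inputs, "digests": digests, "digests_per_input": digests // inputs}


def store_pbkdf2(password: str, iterations: int = 200_000) -> tuple:
    """What a site should do instead: random salt plus a deliberately slow KDF
    (PBKDF2-HMAC-SHA256 from the standard library; scrypt/argon2 are stronger)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pbkdf2(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    hit, work = dictionary_run_unsalted(store_unsalted(USERS), WORDLIST)
    print("unsalted md5: recovered", hit, "with", work, "hash computations")
    hit, work = dictionary_run_salted(store_salted(USERS), WORDLIST)
    print("salted md5:   recovered", hit, "with", work, "hash computations")
    print("8-char alphanumerics vs MD5 digests:", preimage_odds())
    salt, digest = store_pbkdf2("qwertyABC")
    print("pbkdf2 verify correct/wrong:", verify_pbkdf2("qwertyABC", salt, digest),
          verify_pbkdf2("qwertyABD", salt, digest))
```

With three accounts and five words the unsalted pass costs 5 md5 computations and the salted pass 10; scale that to the 59,000 salted entries LeFBI mentions and every extra dictionary word costs 59,000 hashes rather than one, which is why the salted part of the dump is a different problem from the unsalted part. The counts are the thing to check when auditing a password store: if one computation can be tested against many accounts, the scheme is the legacy one. The PBKDF2 pair shows the replacement that closes both gaps, a per-user salt plus an iteration count that makes each guess expensive on purpose.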


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: anewbie on June 20, 2011, 04:25:44 PM
I've not read through all the various threads to see if this has been posted here before, but I imagine that users of this forum would be capable of doing this:

http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: ZEB-DEMON on June 21, 2011, 10:17:24 AM
https://uloadr.com/u/CF.txt

"Gabushim:masterhacker"

looooooooool

masterhackered! xD


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: Bezza on June 21, 2011, 10:32:06 AM
"jasper:jasper"

Come on Jasper get it together!


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: saqwe on June 28, 2011, 02:53:26 PM
"jasper:jasper"

Come on Jasper get it together!

yeah fuck you jasper

another mtgox spam (twice):
From: Jasper <Jasper@gmail.com>


Hello,

I've found an awesome opportunity to invest our bitcoin safely.
Based on a HYIP concept BitHyip offers up to 150% in return after 5 days.

They also provide a daily profit plan !

Please use my referral link to signup.
Email me back and I will send my referral bonus to you !

http://www.bithyip.com/?ref=jasper

Talk to your friends about this awesome news !

Jasper.
 


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: BCEmporium on June 29, 2011, 08:34:22 PM
Phishing now:

FROM: contact@bitcoin-mining-accelerator.com

Hi there, we'd like to invite you to be a beta tester of our awesome new Bitcoin Mining Accelerator program called "Coin Miner".


We have been keeping it under wraps developing it for the past few months and are ready to get people to test it out.
Basically how it works is that it automatically safely software overclocks your GPU to a stable level for optimum mining performance.
This way you don't have to fiddle with BIOS overclocks, MSI Afterburner or any other overclocking software - this does it automatically on the fly.


We are currently achieving around a 23% increase in Mhash/s mining speed. Some users have seen even higher gains.

(...phishing url follows in the content...)

EDIT: How about we create a "My Email was at MtGox's Database Club" at Facebook for exchange spam?...  ::)

Meanwhile, hacking attempt @ BCM from someone using a Tor exit node


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: BitcoinPorn on June 29, 2011, 08:38:21 PM
Phishing now:

FROM: contact@bitcoin-mining-accelerator.com

(...phishing url follows in the content...)

EDIT: How about we create a "My Email was at MtGox's Database Club" at Facebook for exchange spam?...  ::)

I would look to this http://forum.bitcoin.org/index.php?topic=24437.0 for updates on that specific email.  Interesting stuff.


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: elk-tamer on June 29, 2011, 08:41:10 PM
"love" "sex" "secret" and "god"
Is there any way to arrange those words that doesn't come out sounding like a Monster Magnet lyric?


Title: Re: It took less than 10 seconds to crack more than 300 accounts
Post by: BCEmporium on June 29, 2011, 08:54:52 PM
I would look to this http://forum.bitcoin.org/index.php?topic=24437.0 for updates on that specific email.  Interesting stuff.

But the url is formatted as:

<a href="something else.org">http://www.Bitcoin-Mining-Accelerator.com</a>

So we've a phishing scam about a software scam... 2-in-1... WTG!