Bitcoin Forum

Other => Beginners & Help => Topic started by: calista on June 24, 2011, 02:54:14 AM



Title: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: calista on June 24, 2011, 02:54:14 AM
I have submitted only one, of course, but maybe because I didn't use a strong password for my account (10 characters and numbers, no upper case), it was probably hacked by people from the open database.

And now so many people are trying to claim my $1300 in my account, what should I do to prove myself among 8 people?!


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: alishawkat on June 24, 2011, 03:01:57 AM
Holy crap, try sending them id, I'd contact them asap.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: mikeintimesaves9 on June 24, 2011, 03:08:21 AM
That's a tough one.  I'd say leave a ticket on the support address https://support.mtgox.com/anonymous_requests/new and hope for the best.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: coinage on June 24, 2011, 03:09:59 AM
If you read the various updates at the MtGox support site, plus some emails that people posted on the forums here, as I recall you'll see them mention they may ask you about previous transactions or your balance.  Therefore it's not wise to tell everybody here you have $XYZ in your account, if anyone here might be able to guess your MtGox userid from your forum userid!

Perhaps you should edit your post to remove specifics about the length and type of password you used, too, because those things might not be visible to someone looking at just the hashed & salted user & password list, even though it was leaked webwide.

(Once something's hashed, its length & other qualities can be completely obscured.  However, MtGox implied they could determine the strength of the old passwords, which is a little perplexing unless they stored additional information beyond hashes or actually bothered to try cracking each one themselves.  I haven't seen the leaked document so can't comment further on what's in it.)

In any event, you could try preemptively contacting MtGox directly saying whatever you can remember about your account, when you opened it, what transactions you did, what your balance was, what IP address or ISP you use...  That's your best and maybe only way to show you're the rightful owner.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: kjj on June 24, 2011, 03:53:22 AM
You have to type your old password to reclaim your account.  The password you enter has to match the one that formed the hash.  Most likely, they inspect the password for complexity when you send it to the reclaim form.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: R3V0LU710N on June 24, 2011, 03:53:59 AM
I would say you are not the only one to receive an email like that one. I also bet a lot of people didn't keep good enough records to prove ownership of the accounts.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: kjj on June 24, 2011, 04:03:13 AM
By the way, did you check the file for your account info?  Did your password hash start with $1$?


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: bananaphone on June 24, 2011, 04:11:04 AM
$1$ doesn't help. FreeBSD MD5 doesn't protect weak passwords.
With a simple dictionary attack, I cracked more than 500 passwords in one blow.
Total amount of cracked passwords I got so far are now over 2000.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: kjj on June 24, 2011, 04:43:54 AM
What is the longest so far?


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: Lord F(r)og on June 24, 2011, 05:04:12 AM
@calista

Can u please copy-n-paste the email? Of course after deleting important information! I wanna see a proof.

Maybe u can give a thank to bananaphone, possible that he's one of the other 7 competitors of your account.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: rob80 on June 24, 2011, 05:05:35 AM
When the csv was released I was interested in what kind of passwords people used for 'financial' institutions.  This is what I got:

$ for i in `cat .john/john.pot | cut -d : -f 2` ; do echo ${#i} ; done | sort | uniq -c
     98 10
     36 11
     46 12
      4 13
      4 14
      5 15
      1 4
    111 5
    864 6
    454 7
    640 8
    182 9


5 15 char passwords.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: kjj on June 24, 2011, 05:10:07 AM
Nice.  How about the longest including at least one digit?


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: Agorista on June 24, 2011, 05:12:27 AM
You can copy a credit card or government ID to send them, but then you run the risk that the people currently in charge of mtgox are not the original owners or that their communication system is not secure.

5 15 char? I wonder how many of those were English words.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: rob80 on June 24, 2011, 05:14:01 AM
There were 3 at 15, all of them were variants of their email address and/or username (or combination)


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: rob80 on June 24, 2011, 05:21:31 AM
And conversely, all 4 of the 14 char passwords were also variants of username/email address/domain.  Same with both 13 char passwords.

I'd wager most of the 2500 or so passwords cracked were variants of the email/username/domain.  I think there is a pretty important lesson there.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: contingencyplan on June 24, 2011, 10:27:22 AM
Namely, don't trust sites that "encrypt" your password with MD5 or anything similar? Don't trust sites that do not understand the fundamentals of encryption?

Read this (http://codahale.com/how-to-safely-store-a-password/). Bear in mind that the $2000 CUDA systems he's referring to are the same sorts of systems that are described in the BTC mining threads.

Then consider how much having a "strong" password, by any definition of "strong" you'd like, would save you under those circumstances.
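
Added example, not part of any post in this thread: a site operator's audit of stored password strings by their prefix, following the `$1$` question and the MD5 discussion above. The raw 32-hex MD5 pattern, the minimum bcrypt cost of 10, the function names and the sample rows are assumptions made for illustration.

```python
import re

B64 = r"[./0-9A-Za-z]"
SCHEMES = [  # (regex over the stored string, scheme name)
    (re.compile(rf"^\$1\$[^$]{{1,8}}\${B64}{{22}}$"), "md5crypt"),
    (re.compile(rf"^\$2[abxy]\$(?P<cost>\d\d)\${B64}{{53}}$"), "bcrypt"),
    (re.compile(rf"^\$[56]\$(rounds=(?P<rounds>\d+)\$)?[^$]{{1,16}}\${B64}+$"), "sha-crypt"),
    (re.compile(r"^[0-9a-fA-F]{32}$"), "raw-md5"),  # assumed shape of an unsalted entry
]

def classify(stored, min_bcrypt_cost=10, min_sha_rounds=5000):
    """Return (scheme, action); action is 'ok', 'rehash' or 'review'."""
    for pattern, scheme in SCHEMES:
        m = pattern.match(stored)
        if m is None:
            continue
        if scheme in ("raw-md5", "md5crypt"):
            # raw MD5: no salt, one hash call per guess.
            # md5crypt: salted, but fixed at 1000 MD5 rounds with no cost knob.
            return scheme, "rehash"
        if scheme == "bcrypt":
            return scheme, "ok" if int(m["cost"]) >= min_bcrypt_cost else "rehash"
        rounds = int(m["rounds"] or 5000)  # sha-crypt defaults to 5000 rounds
        return scheme, "ok" if rounds >= min_sha_rounds else "rehash"
    return "unknown", "review"

def needs_upgrade(rows):
    """rows: iterable of (user, stored_hash). Users to rehash at next successful login."""
    return sorted(user for user, h in rows if classify(h)[1] != "ok")

# Constructed sample rows: the right shape for each scheme, not real hashes.
SAMPLE = [
    ("alice", "$1$saltsalt$" + "x" * 22),
    ("bob", "a" * 32),
    ("carol", "$2b$12$" + "x" * 53),
    ("dave", "$2a$04$" + "x" * 53),
    ("erin", "$6$rounds=100000$saltsaltsaltsalt$" + "x" * 86),
]

if __name__ == "__main__":
    for user, h in SAMPLE:
        print(user, *classify(h))
    print("rehash at next login:", needs_upgrade(SAMPLE))
```

A stored hash can only be upgraded when the user next supplies the plaintext, which is why the result is a list of accounts to rehash at login rather than a batch conversion.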


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: deepceleron on June 24, 2011, 11:49:06 AM
What is pretty spooky is how quick the hacking sites were to crack post passwords 8 digits and more. It just takes something like this for me to review every non-inconsequential site I use for password length and uniqueness.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: apidya on June 24, 2011, 12:45:08 PM
What email address did you use to register? If it's an email address that was offered to you through a trusted internet service provider, ask them if it would be sufficient to provide contract details, maybe a copy of an identity card. There are still many ways to authenticate yourself.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: Clipse on June 24, 2011, 12:49:40 PM
Just claim again and add additional information like previous deposit methods/withdrawal methods and transaction details from your banking/ewallet.

That will suffice since it's next to impossible that a potential hacker could have those details as well.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: rob80 on June 24, 2011, 04:29:32 PM
Even if they used 4096 bit encryption, if your email address is awesomedude@vanitydomain.com, and your password is 4w3s0m3dud3v4n1tyd0m41n, it will take any semi-intelligent cracking system (like john) a few minutes to guess.  A 23 char password will be impossible to brute force, but if it is a variant on your name, there is a good chance to crack it in minutes rather than the expected lifetime of the sun.
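
Added example, not part of the post above: a registration-time check that rejects passwords built from the account's own username, email local part or domain, including the digit-for-letter substitutions in the post's `4w3s0m3dud3v4n1tyd0m41n` case. The substitution table, the 4-character minimum token length, the 0.6 threshold and all function names are assumptions chosen for illustration.

```python
import re

# Common digit/symbol substitutions, mapped back to the letter they stand for (assumed table).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

def normalize(text):
    """Lower-case, undo the substitutions, and drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def identity_tokens(username, email, min_len=4):
    """Normalized tokens that anyone holding the account record can read directly."""
    local, _, domain = email.partition("@")
    parts = [username, local] + domain.split(".")[:-1]  # domain labels without the TLD
    parts += re.split(r"[._+\-]", local)                 # pieces of first.last style addresses
    return {t for t in map(normalize, parts) if len(t) >= min_len}

def identity_coverage(password, username, email):
    """Fraction (0.0 to 1.0) of the normalized password covered by identity tokens."""
    norm = normalize(password)
    if not norm:
        return 0.0
    covered = [False] * len(norm)
    for tok in identity_tokens(username, email):
        start = norm.find(tok)
        while start != -1:
            covered[start:start + len(tok)] = [True] * len(tok)
            start = norm.find(tok, start + 1)
    return sum(covered) / len(norm)

def is_identity_derived(password, username, email, threshold=0.6):
    """True when most of the password is the user's own name, address or domain."""
    return identity_coverage(password, username, email) >= threshold

if __name__ == "__main__":
    user, mail = "awesomedude", "awesomedude@vanitydomain.com"
    for pw in ("4w3s0m3dud3v4n1tyd0m41n", "awesomedude2011", "correct horse battery staple"):
        print(f"{pw!r}: coverage={identity_coverage(pw, user, mail):.2f} "
              f"reject={is_identity_derived(pw, user, mail)}")
```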


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: Manko on June 24, 2011, 06:30:41 PM
I got rejected the first time, but I had only given them one piece of info, and I think I may have gotten that wrong.... doesn't pay to do important things when hungover :)

I applied again, and added:
bank name that I withdrew funds to
the amount of the last withdrawal
an estimated amount of what is still in my account.... I couldn't remember exactly what was in there

I stuck that info in the part where you have to put in the bank name that you withdraw funds to.

I got an email just an hour after submitting that, accepting my application :)


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: bastisc on June 25, 2011, 12:03:01 AM
I got my account back on the first try.

Took about 50 hours from request to confirmation.

I told them about my balance, details of my trading activity, the IPs I used the last days and my (pretty strong) password.


Title: Re: Mt Gox just emailed me saying there are 8 claim requests on my account.
Post by: Tr0gledyte on June 25, 2011, 01:24:23 AM
My first try was rejected. I only provided my IP address and my password because I figured my password was complex enough (uppercase, lowercase, digits and quite long) but evidently not. On the second try I got kinda frustrated and provided heaps of info, it worked.