Title: Mt. Gox Hack claims Post by: itsagas on June 19, 2011, 08:06:01 AM This is not me, just came across it on hacker news and thought we should know here.
" I have hacked into mtgox database. Got a huge number of logins password combos. Mtgox has fixed the problem now. Too late, cause I've already got the data. Will sell the database for the right price. Send your offers to: xxxxxxx@hotmail.com " http://news.ycombinator.com/item?id=2670302 http://pastebin.com/ui0nusuZ Title: Re: Mt. Gox Hack claims Post by: tito13kfm on June 19, 2011, 08:07:57 AM All great hackers use hotmail
Title: Re: Mt. Gox Hack claims Post by: iCEBREAKER on June 19, 2011, 09:06:29 AM This is not me, just came across it on hacker news and thought we should know here. " I have hacked into mtgox database. Got a huge number of logins password combos. Mtgox has fixed the problem now. Too late, cause I've already got the data. Will sell the database for the right price. Send your offers to: xxxxxxx@hotmail.com " http://news.ycombinator.com/item?id=2670302 http://pastebin.com/ui0nusuZ OMG, I want it! Where do I send my bitt-muneez? *changes mtgox pw* Title: Re: Mt. Gox Hack claims Post by: bitrebel on June 19, 2011, 09:20:56 AM I don't buy it...
and even if I did buy it..... and I certainly wouldn't pay for it in bitcoins! Title: Re: Mt. Gox Hack claims Post by: killer2021 on June 19, 2011, 09:25:56 AM regardless, I would change password. Just in case. Takes 1 minute.
Title: Re: Mt. Gox Hack claims Post by: triforcelink on June 19, 2011, 09:36:45 AM Seems appropriate http://forum.bitcoin.org/index.php?topic=19360.0 (http://forum.bitcoin.org/index.php?topic=19360.0)
Isn't it that even if they did manage to get a copy of the user database they would only find the password hashes and not the actual passwords? So if you had a secure password, there is probably nothing to worry about. Title: Re: Mt. Gox Hack claims Post by: moeman on June 19, 2011, 09:53:06 AM I had all the bitcoin I own taken from my account, around 12BTC. I think it may have been a brute-force attack.
Title: Re: Mt. Gox Hack claims Post by: MeSarah on June 19, 2011, 09:56:15 AM Yeah I would suggest changiing the password too. But I think the mtgox would use multi-round hashing to protect stupid people that use 'password' as a password.
I fear nothing! Say it. I fear nothing! Title: Re: Mt. Gox Hack claims Post by: triforcelink on June 19, 2011, 09:57:58 AM I had all the bitcoin I own taken from my account, around 12BTC. I think it may have been a brute-force attack. how strong was your password?Title: Re: Mt. Gox Hack claims Post by: Noise on June 19, 2011, 10:10:15 AM If you're using dictionary words - even if there's numbers & capital letters, there's a high chance your password will be found. Hybrid dictionary attacks process a shit ton of passwords/second regardless of how complex the md5 & salt equation is.
Title: Re: Mt. Gox Hack claims Post by: MeSarah on June 19, 2011, 10:35:00 AM Multi-round hashing is just a simple loop. For example:
$password = 'shortcut' .$salt; for($counter=0; $counter < $round; $counter++) { $hash = md5($password); $password = $hash; } Title: Re: Mt. Gox Hack claims Post by: hoo2jalu on June 19, 2011, 10:36:21 AM ... I think it may have been a brute-force attack. Unlikely unless you're sloppy. To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s: 824cfad07c88261afb4dd3285627887a 73550477b12849b2a4dcd3b0db187415 3e567bcbb2aa5c28c47012b857bf6e48 3709fb6b0e1c0b26ff22a19ae92fd080 9133c451dd761d29943dcc653252e2fa ff111d6144367b4abd99aa4321b0a618 8602188ef5a05a13afc59c51b395426c da842aa7c84236d17a04098fa1273f2d Have fun! ;P EDIT: alphanumeric only. I'll pay legitimate finds or my name is mud! Title: Re: Mt. Gox Hack claims Post by: hlksis on June 19, 2011, 11:13:52 AM Password changed. (it had been a length of 50 and will now be as well :D)
To be honest I don't care if the account gets hacked since I don't have anything there. (the biggest job is to keep your wallet secure) Title: Re: Mt. Gox Hack claims Post by: SomeoneWeird on June 19, 2011, 03:59:26 PM ... I think it may have been a brute-force attack. Unlikely unless you're sloppy. To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s: 824cfad07c88261afb4dd3285627887a 73550477b12849b2a4dcd3b0db187415 3e567bcbb2aa5c28c47012b857bf6e48 3709fb6b0e1c0b26ff22a19ae92fd080 9133c451dd761d29943dcc653252e2fa ff111d6144367b4abd99aa4321b0a618 8602188ef5a05a13afc59c51b395426c da842aa7c84236d17a04098fa1273f2d Have fun! ;P EDIT: alphanumeric only. I'll pay legitimate finds or my name is mud! Challenge accepted. Title: Re: Mt. Gox Hack claims Post by: Wreckus on June 19, 2011, 04:10:38 PM ... I think it may have been a brute-force attack. Unlikely unless you're sloppy. To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s: 824cfad07c88261afb4dd3285627887a 73550477b12849b2a4dcd3b0db187415 3e567bcbb2aa5c28c47012b857bf6e48 3709fb6b0e1c0b26ff22a19ae92fd080 9133c451dd761d29943dcc653252e2fa ff111d6144367b4abd99aa4321b0a618 8602188ef5a05a13afc59c51b395426c da842aa7c84236d17a04098fa1273f2d Have fun! ;P EDIT: alphanumeric only. I'll pay legitimate finds or my name is mud! Challenge accepted. Rainbow tables exist for 10character alphanumeric... they're only ~320GB. Title: Re: Mt. Gox Hack claims Post by: Twiddle on June 19, 2011, 04:12:25 PM MagicalTux has already responded to these false claims via IRC:
Quote Code: 22:31 <kardus> MagicalTux; i'm hearing places someone is selling your database, might want to look into that Title: Re: Mt. Gox Hack claims Post by: SomeoneWeird on June 19, 2011, 04:17:13 PM ... I think it may have been a brute-force attack. Unlikely unless you're sloppy. To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s: 824cfad07c88261afb4dd3285627887a 73550477b12849b2a4dcd3b0db187415 3e567bcbb2aa5c28c47012b857bf6e48 3709fb6b0e1c0b26ff22a19ae92fd080 9133c451dd761d29943dcc653252e2fa ff111d6144367b4abd99aa4321b0a618 8602188ef5a05a13afc59c51b395426c da842aa7c84236d17a04098fa1273f2d Have fun! ;P EDIT: alphanumeric only. I'll pay legitimate finds or my name is mud! Challenge accepted. Rainbow tables exist for 10character alphanumeric... they're only ~320GB. Exactly my point. Title: Re: Mt. Gox Hack claims Post by: finack on June 19, 2011, 05:12:18 PM MagicalTux has already responded to these false claims via IRC: While I'd agree that it seems likely the offer of the database for sale is a fake and just intended to shake confidence in Mt. Gox given all of the other activity that's going on, MagicalTux's response doesn't instill much confidence. In fact suggesting things like salted hashes would protect the passwords and no suspicious logins found sound exactly like the kinds of reports that come in early from actual intrusion victims. Most salted hash schemes in use won't protect people with weak to crack passwords, which will be about 99% of the users, and a SQL injection compromise which is by far the most likely approach wouldn't involve OS logins. The fact that there was a recently discovered CSRF hole lends credence to the idea that there could easily have been a SQLi. And while he may be playing dumb, he doesn't sound like he has the instrumentation in place that would even necessarily allow him to discover an intrusion like that after the fact, even if he knew what to look for. So while it's only smart for him to categorically deny any intrusion he doesn't have direct evidence of, and I'd still rate the HN post as much more likely to be fake than real, I'd still personally change my password all the same. Tux really couldn't give you that advice unless he'd already found and closed a flaw without tanking his business. Title: Re: Mt. Gox Hack claims Post by: DamienBlack on June 19, 2011, 05:27:14 PM ... I think it may have been a brute-force attack. Unlikely unless you're sloppy. To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s: 824cfad07c88261afb4dd3285627887a 73550477b12849b2a4dcd3b0db187415 3e567bcbb2aa5c28c47012b857bf6e48 3709fb6b0e1c0b26ff22a19ae92fd080 9133c451dd761d29943dcc653252e2fa ff111d6144367b4abd99aa4321b0a618 8602188ef5a05a13afc59c51b395426c da842aa7c84236d17a04098fa1273f2d Have fun! ;P EDIT: alphanumeric only. I'll pay legitimate finds or my name is mud! Well they aren't in any rainbow tables, so they must be pretty long. Judging by the high reward on this, he probably used 15-20 characters. Enough that you might as well keep your computers mining bitcoins, it could be months even for a very powerful group of computers. Title: Re: Mt. Gox Hack claims Post by: elggawf on June 19, 2011, 05:41:51 PM Well they aren't in any rainbow tables, so they must be pretty long. Judging by the high reward on this, he probably used 15-20 characters. Enough that you might as well keep your computers mining bitcoins, it could be months even for a very powerful group of computers. Rainbow tables != reverse lookup tables. It's stupid as fuck banking on MD5 - either the plaintext for those hashes is really long and/or not actually alphanumeric, or he's going to be some 80BTC poorer in a couple weeks. If they really are <16 chars, unsalted and alphanumeric, I'd be willing to bet the 80BTC is probably worth more than what you'd spend on some Amazon EC2 instances to break it in a hurry... It's also stupid as fuck chaining multiple rounds of MD5 together, particularly without changing the salt each time. - I believe you actually make it weaker to rainbow table attacks by doing that... but I'm absolutely no expert in cryptography by any stretch of the imagination. Regardless, if there's any evidence at all that the DB is taken, assume the passwords are broken. Now where's the credible evidence the DB was taken? Title: Re: Mt. Gox Hack claims Post by: finack on June 19, 2011, 07:45:20 PM Regardless, if there's any evidence at all that the DB is taken, assume the passwords are broken. Now where's the credible evidence the DB was taken? Quote from: MtGox UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible. oops Title: Re: Mt. Gox Hack claims Post by: jhansen858 on June 19, 2011, 07:51:38 PM its a trick.. Those are the real passwords just happen to be the same length as a hashed password
Title: Re: Mt. Gox Hack claims Post by: zerokwel on June 19, 2011, 08:09:06 PM yep the DB was leaked and has been confirmed it has 61020 entrys with your username email address and a hashed password atlest the passwords where not plain text
Title: Re: Mt. Gox Hack claims Post by: hoo2jalu on June 19, 2011, 11:13:10 PM ... Unlikely unless you're sloppy. To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s: 824cfad07c88261afb4dd3285627887a 73550477b12849b2a4dcd3b0db187415 3e567bcbb2aa5c28c47012b857bf6e48 3709fb6b0e1c0b26ff22a19ae92fd080 9133c451dd761d29943dcc653252e2fa ff111d6144367b4abd99aa4321b0a618 8602188ef5a05a13afc59c51b395426c da842aa7c84236d17a04098fa1273f2d ... Well they aren't in any rainbow tables, so they must be pretty long. Judging by the high reward on this, he probably used 15-20 characters. Enough that you might as well keep your computers mining bitcoins, it could be months even for a very powerful group of computers. 16 character alphanumeric. MD5 can be weak as snot, unsalted, and exposed via SQLi and I don't care. Don't be sloppy with password management! All of you re-using passwords between sites, re-using usernames and passwords between pools or miner accounts, re-using same email addresses across forums and exchange accounts, ALL OF YOU ARE ASKING TO GET PWNED! What will it take for this message to sink in? cracking the MtGox hashes shows the majority of you are still being lazy... Title: Re: Mt. Gox Hack claims Post by: elggawf on June 19, 2011, 11:17:14 PM oops Yeah, that'd do it. That information either wasn't posted, or hadn't caught my attention when I posted before - note there's 2 hours between my post and yours. ;) Title: Re: Mt. Gox Hack claims Post by: MikesMechanix on June 19, 2011, 11:33:37 PM Well they aren't in any rainbow tables, so they must be pretty long. Judging by the high reward on this, he probably used 15-20 characters. Enough that you might as well keep your computers mining bitcoins, it could be months even for a very powerful group of computers. Already at 10 characters alphanumeric, the possible number of combos is 839299365868340224. @5 Ghash/s, it would take over 5 years to go through them all, and each additional character multiplies the time by 62. Title: Re: Mt. Gox Hack claims Post by: ISA on June 19, 2011, 11:39:47 PM This is not me, just came across it on hacker news and thought we should know here. " I have hacked into mtgox database. Got a huge number of logins password combos. Mtgox has fixed the problem now. Too late, cause I've already got the data. Will sell the database for the right price. Send your offers to: xxxxxxx@hotmail.com " http://news.ycombinator.com/item?id=2670302 http://pastebin.com/ui0nusuZ Can I pay in Bitcoins? :) Title: Re: Mt. Gox Hack claims Post by: Grouver (BtcBalance) on June 19, 2011, 11:45:02 PM Solution to crappy password management
-Create a truecrypt masterkey file: with one sick ass long 50 char pass wich you will save in your mind. (http://www.truecrypt.org) -Create a bunch of txt files within in the mounted truecrypt dir with 0 untill 9 digits as filenames. So: 0.txt 1.txt 2.txt etc... -Put in each txt file a generated pass wich is 10 chars minimum. -Pick a number you like with 3 digits or more. -Paste each password in the #.txt file behind each other based on the 3 digit code you will remember. -Go to lastpass.com (www.lastpass.com) -Download tool. -Create account -Use masterkey as master password -For each website you register in the future... use a 20 digit pass you can generate with lastpass. -Make a list of all websites you think are important to change the pass. -Take an hour and change each pass and let lastpass generate one for you. -Put masterkey file on each hardrive/usb stick you got. -Done |