Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Shinobi on June 19, 2011, 09:48:23 PM



Title: Hacker Had Access for 3 Days?!
Post by: Shinobi on June 19, 2011, 09:48:23 PM
According to @sirus on Twitter:

"hacker asking for hash cracks from the mtgox user db since the 16th had access for at least 3 days: http://t.co/c8FEfAu"






Title: Re: Hacker Had Access for 3 Days?!
Post by: bitcoinconnection on June 19, 2011, 09:54:32 PM
I wonder how much damage has been done. Maybe we will find out tomorrow?







Title: Re: Hacker Had Access for 3 Days?!
Post by: Durr on June 19, 2011, 09:56:03 PM
Sucks for all those that got hacked anyway. It won't get rolled back 3 days, will it? Nope.


Title: Re: Hacker Had Access for 3 Days?!
Post by: Bit_Happy on June 19, 2011, 09:57:44 PM
Secure hashes cannot be cracked. You cannot login with the info being spread on Rapidshare.
The trolls are back in town...


Title: Re: Hacker Had Access for 3 Days?!
Post by: EconomicOracle on June 19, 2011, 09:58:33 PM
So it was George Clooney all along. You'd think he has more money than he needs. But I guess not...


Title: Re: Hacker Had Access for 3 Days?!
Post by: MyFarm on June 19, 2011, 10:00:08 PM
Quote
Secure hashes cannot be cracked. You cannot login with the info being spread on Rapidshare.
The trolls are back in town...

There is already a file going around with every email and plain text password.  They have ALL already been cracked.


Title: Re: Hacker Had Access for 3 Days?!
Post by: detroit on June 19, 2011, 10:01:59 PM
Where's that?


Title: Re: Hacker Had Access for 3 Days?!
Post by: dust on June 19, 2011, 10:03:54 PM
Quote
Secure hashes cannot be cracked. You cannot login with the info being spread on Rapidshare.
The trolls are back in town...
Quote
There is already a file going around with every email and plain text password.  They have ALL already been cracked.

Source?  I find this hard to believe.  I have only seen a file with around ~400 passwords cracked (only the few that were using unsalted md5)


Title: Re: Hacker Had Access for 3 Days?!
Post by: proudhon on June 19, 2011, 10:04:35 PM
Quote
Secure hashes cannot be cracked. You cannot login with the info being spread on Rapidshare.
The trolls are back in town...
Quote
There is already a file going around with every email and plain text password.  They have ALL already been cracked.

Link to it please.  I'd really like to see if they got my password right.


Title: Re: Hacker Had Access for 3 Days?!
Post by: Bit_Happy on June 19, 2011, 10:05:23 PM
Quote
Secure hashes cannot be cracked. You cannot login with the info being spread on Rapidshare.
The trolls are back in town...
Quote
There is already a file going around with every email and plain text password.  They have ALL already been cracked.

BS
Source?
Proof?


Title: Re: Hacker Had Access for 3 Days?!
Post by: tito13kfm on June 19, 2011, 10:05:47 PM
Quote
Secure hashes cannot be cracked. You cannot login with the info being spread on Rapidshare.
The trolls are back in town...
Quote
There is already a file going around with every email and plain text password.  They have ALL already been cracked.

The vast majority of unsafe passwords are certainly cracked.  Not all of them have been.  It's simply not feasible to crack mine in any reasonable length of time.


Title: Re: Hacker Had Access for 3 Days?!
Post by: speeder on June 19, 2011, 10:06:45 PM
Someone PMed me my two passwords.

Both were salted, and both were long and a mix of nondict words with numbers.


Title: Re: Hacker Had Access for 3 Days?!
Post by: Uzza on June 19, 2011, 10:25:20 PM
I find it hard to believe they brute-forced my password, along with all the rest, as it is long and secure.
A good password should be at least 15 alphanumeric characters, which at 1 billion comparisons a second takes 7 million years to test all combinations. It would take a humongous amount of computing power to crack that in a few days, even if you split it up amongst tens of millions of machines.
And that's just for one 15 character length password, and each character adds 36 times the number of combinations.
If you're using non-alphanumeric characters, like @, $, etc., it takes exponentially longer to crack.


Title: Re: Hacker Had Access for 3 Days?!
Post by: tito13kfm on June 19, 2011, 10:56:00 PM
The funny/scary part about this.  Until 3 days ago my mtgox password was short and easy to crack (9 characters, dict word+numbers).  I don't know why I changed it.. I just did.  This DB leak is from after that password change.  I can verify that my new password + listed salt md5'd is the hash listed.

It had to be from 56 hours ago or sooner.  I installed Google Chrome after the CSRF scare, and the first thing I did with it was change my password.  This was exactly 56 hours ago.


Title: Re: Hacker Had Access for 3 Days?!
Post by: DeiBellum on June 19, 2011, 11:01:06 PM
Well, a 10-length password (mix alpha-num-special) @ 33.1 BPS (billion passwords a second) will take 226 hrs on 1000 machines running my password. ALSO, to get this speed, each machine needs 4 ATI 5970's.

I think mine is safe for a while.
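
Added example, not part of any post in this thread: the search-space arithmetic behind Uzza's and DeiBellum's estimates, next to the "dictionary word + numbers" pattern tito13kfm describes. The 94-symbol alphabet and half-keyspace expectation are assumptions that reproduce the posted 226 hours; the 100,000-word list and four trailing digits are assumed values for illustration.

```python
# Added example: brute-force time estimates for the password shapes discussed above.
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(alphabet_size, length):
    """Number of candidate strings of exactly `length` characters."""
    return alphabet_size ** length

def search_seconds(candidates, guesses_per_second, machines=1, fraction=1.0):
    """Time to try `fraction` of the candidates (0.5 = expected time to a hit)."""
    return candidates * fraction / (guesses_per_second * machines)

def dict_plus_digits(wordlist_size, max_digits):
    """Candidates of the form <dictionary word><0..max_digits trailing digits>."""
    return wordlist_size * sum(10 ** d for d in range(max_digits + 1))

def uzza_years():
    # 15 characters from a-z0-9 (36 symbols), 1e9 guesses/s, one machine, full sweep
    return search_seconds(keyspace(36, 15), 1e9) / SECONDS_PER_YEAR

def deibellum_hours():
    # 10 characters from the 94 printable ASCII symbols, 33.1e9 guesses/s per
    # machine, 1000 machines, expected (half-keyspace) time. Assumed parameters.
    symbols = string.ascii_letters + string.digits + string.punctuation
    n = keyspace(len(symbols), 10)
    return search_seconds(n, 33.1e9, machines=1000, fraction=0.5) / 3600

def weak_pattern_seconds(wordlist_size=100_000, max_digits=4, rate=1e9):
    # Assumed: 100k-word list, up to 4 trailing digits, the same 1e9 guesses/s
    return search_seconds(dict_plus_digits(wordlist_size, max_digits), rate)

if __name__ == "__main__":
    print(f"15 x [a-z0-9] at 1e9/s:         {uzza_years():,.0f} years")
    print(f"10 x printable, 1000 machines:  {deibellum_hours():,.0f} hours")
    print(f"word + up to 4 digits at 1e9/s: {weak_pattern_seconds():.2f} seconds")
```

The gap between the first two figures and the third is why length and randomness matter far more than the salt once a hash database has leaked: a salt forces per-user work but does not enlarge a small candidate set.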


Title: Re: Hacker Had Access for 3 Days?!
Post by: kjj on June 19, 2011, 11:15:06 PM
Quote
Someone PMed me my two passwords.

Both were salted, and both were long and a mix of nondict words with numbers.

This simply isn't possible to have happened because of the leaked password file.  If someone found a way to reverse md5_crypt, or to quickly search the keyspace for non-trivial passwords, they would use it to make some real money, or maybe earn their PhD in mathematics.

Do you use the same passwords on any other sites?


Title: Re: Hacker Had Access for 3 Days?!
Post by: mr-sk on June 19, 2011, 11:50:07 PM
Quote
This simply isn't possible to have happened because of the leaked password file.  If someone found a way to reverse md5_crypt, or to quickly search the keyspace for non-trivial passwords, they would use it to make some real money, or maybe earn their PhD in mathematics.

Do you use the same passwords on any other sites?

If md5 is broken the planet would implode. Heh. Yeah, I don't think anyone cracked your one-way hashed number+non-dict password. I call impossible.


Title: Re: Hacker Had Access for 3 Days?!
Post by: SgtSpike on June 19, 2011, 11:55:39 PM
Quote
Secure hashes cannot be cracked. You cannot login with the info being spread on Rapidshare.
The trolls are back in town...
Quote
There is already a file going around with every email and plain text password.  They have ALL already been cracked.

I call lies.