Hacked BitcoinTalk Data Finally Surfaces On Dark Net

[Wind_FURY]

This just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on dark net. A hacker going by DoubleFlag, is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."

[1715280852]

1715280852

[1715280852]

1715280852

[1715280852]

1715280852

[1715280852]

1715280852

[1715280852]

1715280852

[mjsbuddha]

'To break it down, there are 469,540 passwords that have been encrypted with SHA-256, and 44,868 passwords encrypted wit SMF encryption.'

Incorrect.

[Mumbeeptind1963]

This just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on dark net. A hacker going by DoubleFlag, is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."

Oh no, I think if they sell it, It cause big in bitcoin community because many earners are earning here in bitcointalk by services like selling their accounts, by joining signature camapaign and many more. What is the action of theymos now? And What should we do now have accounts in bitcointalk?

[mjsbuddha]

This just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on dark net. A hacker going by DoubleFlag, is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."

Oh no, I think if they sell it, It cause big in bitcoin community because many earners are earning here in bitcointalk by services like selling their accounts, by joining signature camapaign and many more. What is the action of theymos now? And What should we do now have accounts in bitcointalk?

99% of the users are safe. (Not 99. But a lot.) The passwords were encrypted with 5 rounds & used strong encryption algorithms. Many passwords will never be cracked or aren't worth the time to crack.

[Edwardard]

if you follow these steps, then the chances of getting hacked will be minimal.
1. better change your password regularly and there should not be any problem.
2. dont click on any links. do a quick search about it on google before visiting any unknown site.
3. dont download any files without knowing about it.
4. always keep your password long and use a combination of both capital and small letters.
5. never use the same password everywhere.

Oh no, I think if they sell it, It cause big in bitcoin community because many earners are earning here in bitcointalk by services like selling their accounts, by joining signature camapaign and many more. What is the action of theymos now? And What should we do now have accounts in bitcointalk?

change the password. lol.

[mjsbuddha]

Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.

[TraderETH]

If it is true so it is time for all of members bitcointalk to change password with strong password using mixture caracter are like P4$$W00oD#, although we can get problem for remember it.  

[markisanon2434]

Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.

That should mean people shouldn't be worried about the hack. Great! 
Hope we won't face any issues like this in future.

[Yakamoto]

Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.

Exactly. While the data exists and there are some people who would be willing to take advantage of it, the cracking time for a majority of people is just too long for it to be worth it to get into a lot of user's accounts, however for some people they might just want to get into someone's account enough that they'll take the time.

I'll probably be changing up my password, it's about time anyways.

[mjsbuddha]

Doesn't necessarily mean you're safe. I have billions of database entries in my possession. So let's say, I get your username and search it up on the Bitcointalk database.

Username leads to your email.

I grep that email within all my entries, and any average person will have most likely signed up on another site that was hacked so I will usually find someone's password in a soft password encryption algorithm or in plaintext.

This is where not using your password more than once in the same place comes in handy.

[Robert_A]

Let me just say that the encryption algorithm could've been stronger. For example, bcrypt or something like what Wordpress implements. Now THOSE are some tough hashes to crack. Hell, even cracking the password "123411" with a bcrypt hash would take up too many resources for the average person.

This leak however contained two different algorithms from what I'm aware. SHA1 & something that looks like this.

Password: $5$rounds=7500$bOzfMJtV+ltz8dF+$jeWxjkMFW8Dv389us5iJ5KSBmb8wjkZOhns4UGeMpp.

A SHA1 hash is just 64 characters of numbers and letters. They are much easier to crack. However, the algorithm in this case doesn't matter if you had an easy password such as 1-10 numbers, a bunch of letters, or if your password was in a wordlist.

Password: $5$rounds=7500$bOzfMJtV+ltz8dF+$jeWxjkMFW8Dv389us5iJ5KSBmb8wjkZOhns4UGeMpp
Once you crack that (took me a few seconds) you'll get this as the plaintext password.
'22362236'

$5$rounds=7500$bOzfMJtV+ltz8dF+$jeWxjkMFW8Dv389us5iJ5KSBmb8wjkZOhns4UGeMpp:22362236

And the fact that many of you are probably in other database leaks and use the same password makes it even easier for someone to compromise your account. Good thing for you guys is that no one gives a shit about Bitcointalk accounts so you're all probably safe for now.

[posi]

Something must be done to put an end this hacking things going around the corner.

[Kakmakr]

I change my password every other week, so in theory a hack would not affect me, if my data were compromised. What benefit will these people have from hacking these accounts? We would just show the proof that we own the account and then get it back and change the password again. ^hmmm^

[CraigWrightBTC]

It is bad if there are people who buy bitcointalk data, he will get data of email who used for making account on here. And it will become more bad if he can get access to the email.

[theymos]

I sent out a mass email about this right after the leak in 2015. People really should've changed their passwords then. This database has been floating around since then, so if you didn't change your password already and your password is sufficiently weak, then there's a good chance that your account would've already been compromised.

Let me just say that the encryption algorithm could've been stronger. For example, bcrypt or something like what Wordpress implements. Now THOSE are some tough hashes to crack.

That's a common misconception. There is no functional difference between bcrypt and sha256crypt, except that sha256crypt uses the industry-standard SHA-256 hash function while bcrypt uses a hash function based on the deprecated and obscure Blowfish encryption algorithm.

PHP uses a default bcrypt cost of 10, which is roughly similar to sha256crypt with rounds=1024. Python uses a default cost of 12, which is roughly similar to sha256crypt with rounds=4096. The forum uses sha256crypt with rounds=7500. The forum's hashes, while not uncrackable given weak passwords, are far stronger than those used by almost every other site.

[JeffBrad12]

This just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on dark net. A hacker going by DoubleFlag, is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."

Oh no, I think if they sell it, It cause big in bitcoin community because many earners are earning here in bitcointalk by services like selling their accounts, by joining signature camapaign and many more. What is the action of theymos now? And What should we do now have accounts in bitcointalk?

99% of the users are safe. (Not 99. But a lot.) The passwords were encrypted with 5 rounds & used strong encryption algorithms. Many passwords will never be cracked or aren't worth the time to crack.

The Quantum computing  ,
Well, the question is why the hacker is just releasing the data a few days ago? Is anyone know the reason? considering from your explanation I think that is safe at this time.

[Robert_A]

The forum's hashes, while not uncrackable given weak passwords, are far stronger than those used by almost every other site.

I guess I'd agree with that. I think that one extra step of security would be to have implemented a custom salt for every users password which would increase the difficulty of increasing the passwords.
Also, from StackOverflow:

Bcrypt really shines for online attacks, if you have set the work factor properly, because even if I get the hash, meant to say if the 'adversary' gets the hash, the work factor makes it really painful to go through an entire dictionary, taking multiple days and if the password isn't in the dictionary, then I'm really in trouble cause a brute force attack will be epic, the password bit space for bcrypt is quite large though finite

Sha256 may be taking a bit of time now, but eventually computers will get faster and faster and it'll be fairly easy for attacks, the unix guys thought crypt was so slow it would have never being an issue, and today I have done an online attack in seconds, offline attack in days, a brute force attack (going through the entire password bit space) in weeks ...

The forum uses sha256crypt with rounds=7500

Not all of the passwords in the database leak had that encryption :p

At the end of the day, you could implement the strongest algorithm but if users are stupid enough to use their password more than once and even worse, on a site that stores passwords with in plaintext or in a weak algorithm like message digest 5 (MD5), they deserve to be hacked. Like honestly how hard is it to use a different password by even changing 1-2 parts of your password.

[ivanst776]

Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.

I wouldn't be so sure about your last statement, if they don't know what an encrypted password is they could search in google.

And as Robert_A says it takes only few seconds to decrypt a password so it's not difficult to get the password in the 'plain text'

The price of 1BTC seems very cheap to me, for the hacker is needed only one or two legendary accounts to hack and reach the ROI very fast(badly).

[mjsbuddha]

Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.

I wouldn't be so sure about your last statement, if they don't know what an encrypted password is they could search in google.

And as Robert_A says it takes only few seconds to decrypt a password so it's not difficult to get the password in the 'plain text'

The price of 1BTC seems very cheap to me, for the hacker is needed only one or two legendary accounts to hack and reach the ROI very fast(badly).

He said a few seconds to decrypt a password that has NUMBERS in it only. Those are easy to crack because it's not hard to go through every possible number combination between 1-10 digits. Also, it's not easy to reach ROI now as people are very sceptical when it comes to dealing with people, even legendary accounts. Of course, if you plan it out and get a big scam all ready to go then bad luck to everyone else.

[doublemore]

I think someone got one of my emails at some point but it could also be via mtgox leak.  I had a few random log in attempts with 1 successful to a shitty twitter account i dont use.  All passwords have been changed and i 2FA everything i can.