Bitcoin Forum
December 05, 2016, 02:37:43 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: Mt. Gox Hack claims  (Read 8463 times)
itsagas
Jr. Member
*
Offline Offline

Activity: 59


View Profile
June 19, 2011, 08:06:01 AM
 #1

This is not me, just came across it on hacker news and thought we should know here.


"
I have hacked into mtgox database. Got a huge number of logins password combos.
Mtgox has fixed the problem now. Too late, cause I've already got the data.
 
Will sell the database for the right price.
Send your offers to:
xxxxxxx@hotmail.com
"

http://news.ycombinator.com/item?id=2670302
http://pastebin.com/ui0nusuZ
1480948663
Hero Member
*
Offline Offline

Posts: 1480948663

View Profile Personal Message (Offline)

Ignore
1480948663
Reply with quote  #2

1480948663
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480948663
Hero Member
*
Offline Offline

Posts: 1480948663

View Profile Personal Message (Offline)

Ignore
1480948663
Reply with quote  #2

1480948663
Report to moderator
tito13kfm
Jr. Member
*
Offline Offline

Activity: 42



View Profile
June 19, 2011, 08:07:57 AM
 #2

All great hackers use hotmail

iCEBREAKER
Legendary
*
Offline Offline

Activity: 1498


Crypto is the separation of Power and State.


View Profile WWW
June 19, 2011, 09:06:29 AM
 #3

This is not me, just came across it on hacker news and thought we should know here.


"
I have hacked into mtgox database. Got a huge number of logins password combos.
Mtgox has fixed the problem now. Too late, cause I've already got the data.
 
Will sell the database for the right price.
Send your offers to:
xxxxxxx@hotmail.com
"

http://news.ycombinator.com/item?id=2670302
http://pastebin.com/ui0nusuZ

OMG, I want it!  Where do I send my bitt-muneez?

*changes mtgox pw*

The difference between bad and well-developed digital cash will determine whether we have a dictatorship or a real democracy.  David Chaum 1996
Fungibility provides privacy as a side effect.  Adam Back 2014
"Monero" : { Private - Auditable - 100% Fungible - Flexible Blocksize - Wild & Free® - Intro - Wallets - Podcats - Roadmap - Dice - Blackjack - Github - Android }


Bitcoin is intentionally designed to be ungovernable and governance-free.  luke-jr 2016
Blocks must necessarily be full for the Bitcoin network to be able to pay for its own security.  davout 2015
Blocksize is an intentionally limited resource, like the 21e6 BTC limit.  Changing it degrades the surrounding economics, creating negative incentives.  Jeff Garzik 2013


"I believed @Dashpay instamine was a bug & not a feature but then read: https://bitcointalk.org/index.php?topic=421615.msg13017231#msg13017231
I'm not against people making money, but can't support questionable origins."
https://twitter.com/Tone_LLT/status/717822927908024320


The raison d'être of bitcoin is trustlessness. - Eric Lombrozo 2015
It is an Engineering Requirement that Bitcoin be “Above the Law”  Paul Sztorc 2015
Resiliency, not efficiency, is the paramount goal of decentralized, non-state sanctioned currency -Jon Matonis 2015

Bitcoin is intentionally designed to be ungovernable and governance-free.  luke-jr 2016

Technology tends to move in the direction of making surveillance easier, and the ability of computers to track us doubles every eighteen months. - Phil Zimmerman 2013

The only way to make software secure, reliable, and fast is to make it small. Fight Features. - Andy Tanenbaum 2004

"Hard forks cannot be co
bitrebel
Sr. Member
****
Offline Offline

Activity: 364


View Profile
June 19, 2011, 09:20:56 AM
 #4

I don't buy it...
and even if I did buy it.....
and I certainly wouldn't pay for it in bitcoins!


Why does Bitrebel have 65+ Ignores?
Because Bitrebel says things that some people do not want YOU to hear.
killer2021
Member
**
Offline Offline

Activity: 84


View Profile
June 19, 2011, 09:25:56 AM
 #5

regardless, I would change password. Just in case. Takes 1 minute.

Anonymous Cash-By-Mail Exchange: https://www.bitcoin2cash.com
1H6mqgB6UcqKt2SrCmhjxUp9np1Xrbkdj7
triforcelink
Member
**
Offline Offline

Activity: 112



View Profile
June 19, 2011, 09:36:45 AM
 #6

Seems appropriate http://forum.bitcoin.org/index.php?topic=19360.0

Isn't it that even if they did manage to get a copy of the user database they would only find the password hashes and not the actual passwords? So if you had a secure password, there is probably nothing to worry about.

moeman
Newbie
*
Offline Offline

Activity: 10


View Profile
June 19, 2011, 09:53:06 AM
 #7

I had all the bitcoin I own taken from my account, around 12BTC. I think it may have been a brute-force attack.

I'm a 15 year old student.

I'd love a few donations to get me started:) 1BSwspXjreLxbmehqPZYdPntCYMVxp8dsU
MeSarah
Full Member
***
Offline Offline

Activity: 154


View Profile
June 19, 2011, 09:56:15 AM
 #8

Yeah I would suggest changiing the password too. But I think the mtgox would use multi-round hashing to protect stupid people that use 'password' as a password.

I fear nothing! Say it. I fear nothing!

60 GH/s BFL Single SC - Pre-Order Yours Today!
`````` Only $1299.99 - butterflylabs.com ``````
triforcelink
Member
**
Offline Offline

Activity: 112



View Profile
June 19, 2011, 09:57:58 AM
 #9

I had all the bitcoin I own taken from my account, around 12BTC. I think it may have been a brute-force attack.
how strong was your password?

Noise
Newbie
*
Offline Offline

Activity: 24



View Profile
June 19, 2011, 10:10:15 AM
 #10

If you're using dictionary words - even if there's numbers & capital letters, there's a high chance your password will be found. Hybrid dictionary attacks process a shit ton of passwords/second regardless of how complex the md5 & salt equation is.
MeSarah
Full Member
***
Offline Offline

Activity: 154


View Profile
June 19, 2011, 10:35:00 AM
 #11

Multi-round hashing is just a simple loop. For example:

$password = 'shortcut' .$salt;
for($counter=0; $counter < $round; $counter++) {
     $hash = md5($password);
     $password = $hash;
}

60 GH/s BFL Single SC - Pre-Order Yours Today!
`````` Only $1299.99 - butterflylabs.com ``````
hoo2jalu
Member
**
Offline Offline

Activity: 70



View Profile
June 19, 2011, 10:36:21 AM
 #12

... I think it may have been a brute-force attack.

Unlikely unless you're sloppy.

To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s:

824cfad07c88261afb4dd3285627887a
73550477b12849b2a4dcd3b0db187415
3e567bcbb2aa5c28c47012b857bf6e48
3709fb6b0e1c0b26ff22a19ae92fd080
9133c451dd761d29943dcc653252e2fa
ff111d6144367b4abd99aa4321b0a618
8602188ef5a05a13afc59c51b395426c
da842aa7c84236d17a04098fa1273f2d

Have fun! ;P

EDIT: alphanumeric only. I'll pay legitimate finds or my name is mud!
hlksis
Newbie
*
Offline Offline

Activity: 25


View Profile
June 19, 2011, 11:13:52 AM
 #13

Password changed. (it had been a length of 50 and will now be as well Cheesy)

To be honest I don't care if the account gets hacked since I don't have anything there. (the biggest job is to keep your wallet secure)
SomeoneWeird
Hero Member
*****
Offline Offline

Activity: 700


View Profile
June 19, 2011, 03:59:26 PM
 #14

... I think it may have been a brute-force attack.

Unlikely unless you're sloppy.

To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s:

824cfad07c88261afb4dd3285627887a
73550477b12849b2a4dcd3b0db187415
3e567bcbb2aa5c28c47012b857bf6e48
3709fb6b0e1c0b26ff22a19ae92fd080
9133c451dd761d29943dcc653252e2fa
ff111d6144367b4abd99aa4321b0a618
8602188ef5a05a13afc59c51b395426c
da842aa7c84236d17a04098fa1273f2d

Have fun! ;P

EDIT: alphanumeric only. I'll pay legitimate finds or my name is mud!

Challenge accepted.
Wreckus
Newbie
*
Offline Offline

Activity: 27


View Profile
June 19, 2011, 04:10:38 PM
 #15

... I think it may have been a brute-force attack.

Unlikely unless you're sloppy.

To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s:

824cfad07c88261afb4dd3285627887a
73550477b12849b2a4dcd3b0db187415
3e567bcbb2aa5c28c47012b857bf6e48
3709fb6b0e1c0b26ff22a19ae92fd080
9133c451dd761d29943dcc653252e2fa
ff111d6144367b4abd99aa4321b0a618
8602188ef5a05a13afc59c51b395426c
da842aa7c84236d17a04098fa1273f2d

Have fun! ;P

EDIT: alphanumeric only. I'll pay legitimate finds or my name is mud!

Challenge accepted.

Rainbow tables exist for 10character alphanumeric... they're only ~320GB.
Twiddle
Newbie
*
Offline Offline

Activity: 11



View Profile
June 19, 2011, 04:12:25 PM
 #16

MagicalTux has already responded to these false claims via IRC:

Quote
Code:
22:31 <kardus> MagicalTux; i'm hearing places someone is selling your database, might want to look into that
22:32 <MagicalTux> [22:31:16] <kardus> MagicalTux; i'm hearing places someone is selling your database, might want to look into that <- already saw it, pure FUD (you wouldn't go far anyway, password are encrypted one way with salt)
22:32 <MagicalTux> (and of course salt is random for each user)
22:33 <fiverawr> If it's random for each user, doesn't that mean the database would also store the salt?
22:33 <MagicalTux> it does, and that's perfectly right
22:39 <lolcat> MagicalTux: And you database is leaked?
22:39 <MagicalTux> lolcat: I don't think so
22:40 <lolcat> Should I change my email adress?
22:40 <MagicalTux> lolcat: I see no reason so far, someone claiming they stole the db doesn't mean anything
22:42 <MagicalTux> none of the servers (backup or live) have any suspicious login
22:42 <lolcat> MagicalTux: They couldn't have edited the log?
22:42 <MagicalTux> lolcat: in that case, they could have just taken the bitcoins
22:43 <lolcat> Good point
22:43 <MagicalTux> or taken the access to LR
22:43 <MagicalTux> or to Dwolla
22:43 <MagicalTux> or to the EU bank
SomeoneWeird
Hero Member
*****
Offline Offline

Activity: 700


View Profile
June 19, 2011, 04:17:13 PM
 #17

... I think it may have been a brute-force attack.

Unlikely unless you're sloppy.

To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s:

824cfad07c88261afb4dd3285627887a
73550477b12849b2a4dcd3b0db187415
3e567bcbb2aa5c28c47012b857bf6e48
3709fb6b0e1c0b26ff22a19ae92fd080
9133c451dd761d29943dcc653252e2fa
ff111d6144367b4abd99aa4321b0a618
8602188ef5a05a13afc59c51b395426c
da842aa7c84236d17a04098fa1273f2d

Have fun! ;P

EDIT: alphanumeric only. I'll pay legitimate finds or my name is mud!

Challenge accepted.

Rainbow tables exist for 10character alphanumeric... they're only ~320GB.

Exactly my point.
finack
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 19, 2011, 05:12:18 PM
 #18

MagicalTux has already responded to these false claims via IRC:

While I'd agree that it seems likely the offer of the database for sale is a fake and just intended to shake confidence in Mt. Gox given all of the other activity that's going on, MagicalTux's response doesn't instill much confidence. In fact suggesting things like salted hashes would protect the passwords and no suspicious logins found sound exactly like the kinds of reports that come in early from actual intrusion victims. Most salted hash schemes in use won't protect people with weak to crack passwords, which will be about 99% of the users, and a SQL injection compromise which is by far the most likely approach wouldn't involve OS logins. The fact that there was a recently discovered CSRF hole lends credence to the idea that there could easily have been a SQLi. And while he may be playing dumb, he doesn't sound like he has the instrumentation in place that would even necessarily allow him to discover an intrusion like that after the fact, even if he knew what to look for.

So while it's only smart for him to categorically deny any intrusion he doesn't have direct evidence of, and I'd still rate the HN post as much more likely to be fake than real, I'd still personally change my password all the same.  Tux really couldn't give you that advice unless he'd already found and closed a flaw without tanking his business.
DamienBlack
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 19, 2011, 05:27:14 PM
 #19

... I think it may have been a brute-force attack.

Unlikely unless you're sloppy.

To prove the point, 10 bitcoin for each pass for any of these unsalted MD5s:

824cfad07c88261afb4dd3285627887a
73550477b12849b2a4dcd3b0db187415
3e567bcbb2aa5c28c47012b857bf6e48
3709fb6b0e1c0b26ff22a19ae92fd080
9133c451dd761d29943dcc653252e2fa
ff111d6144367b4abd99aa4321b0a618
8602188ef5a05a13afc59c51b395426c
da842aa7c84236d17a04098fa1273f2d

Have fun! ;P

EDIT: alphanumeric only. I'll pay legitimate finds or my name is mud!

Well they aren't in any rainbow tables, so they must be pretty long. Judging by the high reward on this, he probably used 15-20 characters. Enough that you might as well keep your computers mining bitcoins, it could be months even for a very powerful group of computers.

I trade bitcoin options at https://bitoption.org/ ... Join me.
I play poker at https://betco.in/ ... Join me.
Support the bitcoin economy, what do you do?
Tips: 1NfXhiTFEdKQTdLy49s6DYAP1K7MeFWyao
elggawf
Sr. Member
****
Offline Offline

Activity: 308



View Profile
June 19, 2011, 05:41:51 PM
 #20

Well they aren't in any rainbow tables, so they must be pretty long. Judging by the high reward on this, he probably used 15-20 characters. Enough that you might as well keep your computers mining bitcoins, it could be months even for a very powerful group of computers.

Rainbow tables != reverse lookup tables.

It's stupid as fuck banking on MD5 - either the plaintext for those hashes is really long and/or not actually alphanumeric, or he's going to be some 80BTC poorer in a couple weeks. If they really are <16 chars, unsalted and alphanumeric, I'd be willing to bet the 80BTC is probably worth more than what you'd spend on some Amazon EC2 instances to break it in a hurry...

It's also stupid as fuck chaining multiple rounds of MD5 together, particularly without changing the salt each time. - I believe you actually make it weaker to rainbow table attacks by doing that... but I'm absolutely no expert in cryptography by any stretch of the imagination.

Regardless, if there's any evidence at all that the DB is taken, assume the passwords are broken. Now where's the credible evidence the DB was taken?

^_^
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!