BioMike
June 19, 2011, 07:35:18 PM

I wonder how they were able to get it?
SQL injection?

Man From The Future
June 19, 2011, 07:37:24 PM

I wrote an MMOG backend with better password security than MtGox. (Two times SHA512 hashes needed to be cracked to find a user's password)

dooglus
June 19, 2011, 07:39:48 PM

The front page of mtgox is redirecting to something showing this now: UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS
We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.
It also says "One account with a lot of coins was compromised" and "Apart from this no account was compromised, and nothing was lost". If that's true, how did everyone's password hashes end up on the Internet for public download? Something fishy is going on.

Steve
June 19, 2011, 07:40:21 PM

I use a customized version of passwordmaker.org... this lets me hash together one master password with various other details to generate completely unique usernames and passwords for every single online account that I have. I sleep easy knowing that if my password on one service (like mtgox) has been compromised, that my password (or username) is not compromised on other services. I highly recommend it (it can be a little inconvenient though).
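
The scheme described in the post above, sketched as an added example that is not part of the original post and is not PasswordMaker's own algorithm: one master password is combined with per-site details through a slow key-derivation function, so a password leaked from one service does not reveal the password used anywhere else. The function name, the alphabet, the `counter` field and the iteration count are assumptions made for this illustration.

```python
import hashlib
import string

# Assumed output alphabet for this example; adjust to each site's password rules.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def derive_site_password(master, site, account, counter=1, length=20,
                         iterations=200_000):
    """Derive a deterministic per-site password from one master password."""
    if not master:
        raise ValueError("master password must not be empty")
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    # Length-prefix each field so ("ab", "c") and ("a", "bc") give different salts.
    fields = [site.strip().lower(), account, str(counter)]
    salt = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    # A slow KDF, so a password leaked from one site cannot be used to
    # cheaply guess the master password behind it.
    raw = hashlib.pbkdf2_hmac("sha512", master.encode(), salt, iterations, dklen=64)
    # Spend the 512-bit output as one big integer; per-character bias is negligible.
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    master = "constructed master passphrase"  # sample value, not a real secret
    # Same master, different services: unrelated passwords.
    print(derive_site_password(master, "mtgox.com", "steve"))
    print(derive_site_password(master, "example.org", "steve"))
    # After a breach, bump the counter to rotate that one site's password.
    print(derive_site_password(master, "mtgox.com", "steve", counter=2))
```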

RandyMarsh
June 19, 2011, 07:42:04 PM

If this was Facebook I would not like this at all

Stan?! STAN?!?!

kokojie (OP)
June 19, 2011, 07:42:52 PM

Quote from: dooglus
The front page of mtgox is redirecting to something showing this now: UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS
We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.
It also says "One account with a lot of coins was compromised" and "Apart from this no account was compromised, and nothing was lost". If that's true, how did everyone's password hashes end up on the Internet for public download? Something fishy is going on.

One has to be an idiot to believe that statement, someone has 500k+ btc just sitting in their mtgox account? lol

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6

drknark
June 19, 2011, 07:43:06 PM

Man from the future, you seem to know this stuff. How hard would it be for people to bruteforce or crack a reasonably strong password with the encryption in the MtGox file? Say 10 characters alphanumeric.

kokojie (OP)
June 19, 2011, 07:46:45 PM

Quote from: drknark
Man from the future, you seem to know this stuff. How hard would it be for people to bruteforce or crack a reasonably strong password with the encryption in the MtGox file? Say 10 characters alphanumeric.

If the hacker also got their hands on the mtgox source code, it's pretty trivial to crack, probably 5-10 accounts per hour depending on password strength.

bullox
June 19, 2011, 07:53:07 PM

lol wow that password hash is just begging to be cracked. That kind of length of total output hash is like the luggage lock of electronic security... Even salted sufficiently that is just not adequate.
I would like to echo the previous poster who said they have stronger encryption in a game they develop...

bcearl
June 19, 2011, 07:53:18 PM

Everybody with password lengths of less than 8 characters is totally screwed now.
Change your passwords everywhere as soon as you can!

Misspelling protects against dictionary attacks NOT

bittrader
June 19, 2011, 07:53:35 PM

I waited through the crappy Rapidshare wait time and finally downloaded the file.
I can confirm that my Mt. Gox username and password are here! This is real.

kinghajj
June 19, 2011, 07:56:54 PM

If the salt hasn't been compromised, then the passwords should be safe, no?

NielDLR
June 19, 2011, 07:58:07 PM

Argh, fuck everything about this. Really MtGox? Really? You aren't playing nice. Also hacker who did this? Screw you too. #superbummed

markus1000
June 19, 2011, 07:58:45 PM

Mmh, how can I log in and change my password? I only see the login to the support section.

kokojie (OP)
June 19, 2011, 08:01:32 PM

Quote from: kinghajj
If the salt hasn't been compromised, then the passwords should be safe, no?

No, absolutely not. I have already seen cracked mtgox passwords being shared in the IRC channels. Do not take a chance, change them as soon as possible, everywhere you used it.

Durr
June 19, 2011, 08:03:05 PM

This explains all the recent vague topics about 'my MtGox account got hacked'. The hacker went through each of them, and when he found one that had 500k bitcoins.. well you know what happened.

Bit_Happy
June 19, 2011, 08:03:36 PM

This still might be a phony spreadsheet. Let's see some real proof now!

Quote from: bittrader
I waited through the crappy Rapidshare wait time and finally downloaded the file.
I can confirm that my Mt. Gox username and password are here! This is real.

But I'm not sure you are telling the truth (no offense). I want real proof, please send me an email, same username as this forum. I'm waiting for real proof, now....
Edit: Now I have real proof, thank you.

drknark
June 19, 2011, 08:05:37 PM

Bit_Happy, if you had an account on MtGox you could easily verify it. My account was on there. Edit: not same username as here.
Thanks guys for the info on the strength of the encryption.

piuk
June 19, 2011, 08:09:53 PM

It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.
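
On the salt question raised in the thread, an added example that is not part of any post and is not Mt.Gox's code: in the usual storage layout the per-user salt sits in the same record as the hash, so a leaked user table includes every salt, and what protects a password is the cost of each guess. The record format, function names and iteration policy below are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

POLICY_ITERATIONS = 600_000  # assumed work factor for this example


def hash_password(password, iterations=POLICY_ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$hash."""
    salt = os.urandom(16)  # unique per user, stored next to the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def parse_record(record):
    """Split a stored record; anyone holding the record can do the same."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password, record):
    iterations, salt, expected = parse_record(record)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)  # constant-time comparison


def needs_rehash(record):
    """True when a record was created under a weaker work factor than policy."""
    return parse_record(record)[0] < POLICY_ITERATIONS


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    a = hash_password("constructed-sample-password")
    b = hash_password("constructed-sample-password")
    print(a != b)  # salts make the records differ
    print(parse_record(a)[1].hex())  # the salt is readable from the record itself
    legacy = hash_password("constructed-sample-password", iterations=1000)
    print(verify_password("constructed-sample-password", legacy), needs_rehash(legacy))
```

A login handler would call `needs_rehash` after a successful `verify_password` and store a fresh record, which upgrades old hashes without forcing a reset.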