Bitcoin Forum
Topic: ALL mtgox password has been compromised, change asap, everywhere you used it
kokojie
June 19, 2011, 07:31:28 PM
 #1

https://rapidshare.com/#!download|359tg2|1969319443|accounts.csv|4023

All mtgox account passwords have been dumped in their hashed form (can be downloaded from the above link); passwords are being cracked as we speak. Change them asap, anywhere you used them.

BioMike
June 19, 2011, 07:35:18 PM
 #2

I wonder how they were able to get it?

SQL injection?

Man From The Future
June 19, 2011, 07:37:24 PM
 #3

I wrote an MMOG backend with better password security than MtGox. Sad
(Two times SHA512 hashes needed to be cracked to find a user's password)

dooglus
June 19, 2011, 07:39:48 PM
 #4

The front page of mtgox is redirecting to something showing this now:

Quote
UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.

It also says "One account with a lot of coins was compromised" and "Apart from this no account was compromised, and nothing was lost".  If that's true, how did everyone's password hashes end up on the Internet for public download?  Something fishy is going on.

Steve
June 19, 2011, 07:40:21 PM
 #5

I use a customized version of passwordmaker.org ...this lets me hash together one master password with various other details to generate completely unique usernames and passwords for every single online account that I have.  I sleep easy knowing that if my password on one service (like mtgox) has been compromised, that my password (or username) is not compromised on other services.  I highly recommend it (it can be a little inconvenient though).

(gasteve on IRC) Does your website accept cash? https://bitpay.com
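
The scheme described in the post above (one master password hashed together with per-site details) can be sketched as follows. This is an added example, not passwordmaker.org's algorithm and not code from any poster; the function name, the alphabet, the PBKDF2 iteration count and the field encoding are assumptions of the example.

```python
import hashlib
import string

# Output alphabet for generated passwords (an assumption of this example).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

def derive_password(master: str, site: str, username: str,
                    counter: int = 1, length: int = 20) -> str:
    """Derive a site-specific password from one master secret.

    Site, username and counter act as the salt, so every account gets an
    unrelated password and bumping the counter rotates a single site.
    """
    if not master or not site:
        raise ValueError("master password and site are required")
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    salt = b"".join(
        len(part).to_bytes(2, "big") + part
        for part in (site.lower().encode(), username.encode(),
                     str(counter).encode())
    )
    # Slow KDF: a leaked site password lets an attacker guess the master
    # password offline, so every guess should be expensive.
    stream = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000,
                                 dklen=length * 3)
    # Rejection sampling avoids modulo bias when mapping bytes to ALPHABET.
    limit = 256 - (256 % len(ALPHABET))
    chars = [ALPHABET[b % len(ALPHABET)] for b in stream if b < limit]
    if len(chars) < length:
        raise RuntimeError("not enough unbiased bytes; increase dklen")
    return "".join(chars[:length])
```

A breach at one site then exposes only that site's derived password, but everything still rests on the strength of the master password.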
RandyMarsh
June 19, 2011, 07:42:04 PM
 #6

If this was Facebook I would not like this at all

Stan?! STAN?!?!
kokojie
June 19, 2011, 07:42:52 PM
 #7

The front page of mtgox is redirecting to something showing this now:

Quote
UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.

It also says "One account with a lot of coins was compromised" and "Apart from this no account was compromised, and nothing was lost".  If that's true, how did everyone's password hashes end up on the Internet for public download?  Something fishy is going on.

One has to be an idiot to believe that statement, someone has 500k+ btc just sitting in their mtgox account? lol

drknark
June 19, 2011, 07:43:06 PM
 #8

Man from the future, you seem to know this stuff. How hard would it be for people to bruteforce or crack a reasonably strong password with the encryption in the MtGox file? Say 10 characters alphanumeric.
kokojie
June 19, 2011, 07:46:45 PM
 #9

Man from the future, you seem to know this stuff. How hard would it be for people to bruteforce or crack a reasonably strong password with the encryption in the MtGox file? Say 10 characters alphanumeric.

If the hacker also got their hands on the mtgox source code, it's pretty trivial to crack, probably 5-10 accounts per hour depending on password strength.

bullox
June 19, 2011, 07:53:07 PM
 #10

lol wow that password hash is just begging to be cracked.   That kind of length of total output hash is like the luggage lock of electronic security...  Even salted sufficiently that is just not adequate.

I would like to echo the previous poster who said they have stronger encryption in a game they develop...

1mNotIntoTheWholeBeggingThing02hd3us23nB372b
bcearl
June 19, 2011, 07:53:18 PM
 #11

Everybody with password lengths of less than 8 characters is totally screwed now.

Change your passwords everywhere as soon as you can!

bittrader
June 19, 2011, 07:53:35 PM
 #12

I waited through the crappy Rapidshare wait time and finally downloaded the file.

I can confirm that my Mt. Gox username and password are here! This is real.
kinghajj
June 19, 2011, 07:56:54 PM
 #13

If the salt hasn't been compromised, then the passwords should be safe, no?
NielDLR
June 19, 2011, 07:58:07 PM
 #14

Argh, fuck everything about this. Really MtGox? Really? You aren't playing nice. Also hacker who did this? Screw you too. #superbummed

markus1000
June 19, 2011, 07:58:45 PM
 #15

Mmh, how can I log in and change my password? I only see the login to the support section.

kokojie
June 19, 2011, 08:01:32 PM
 #16

If the salt hasn't been compromised, then the passwords should be safe, no?

No, absolutely not. I have already seen cracked mtgox passwords being shared in the IRC channels. Do not take a chance, change them as soon as possible, everywhere you used it.

Durr
June 19, 2011, 08:03:05 PM
 #17

This explains all the recent vague topics about 'my MtGox account got hacked'. The hacker went through each of them, and when he found one that had 500k bitcoins.. well you know what happened.

Bit_Happy
June 19, 2011, 08:03:36 PM
 #18

This still might be a phony spreadsheet.
Let's see some real proof now!


I waited through the crappy Rapidshare wait time and finally downloaded the file.

I can confirm that my Mt. Gox username and password are here! This is real.

But I'm not sure you are telling the truth (no offense)
I want real proof, please send me an email, same username as this forum.
I'm waiting for real proof, now....

Edit:
Now I have real proof, thank you.

drknark
June 19, 2011, 08:05:37 PM
 #19

Bit_Happy, if you had an account on MtGox you could easily verify it. My account was on there. Edit: not same username as here.

Thanks guys for the info on the strength of the encryption.
piuk
June 19, 2011, 08:09:53 PM
 #20

It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.
