Bitcoin Forum
Topic: ALL mtgox password has been compromised, change asap, everywhere you used it
piuk
Hero Member
June 19, 2011, 09:06:27 PM
 #41

https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.

bcearl
Full Member
June 19, 2011, 09:08:19 PM
 #42

If the salt hasn't been compromised, then the passwords should be safe, no?

That sentence doesn't make sense at all.

Misspelling protects against dictionary attacks NOT
chihlidog
Newbie
June 19, 2011, 09:14:41 PM
 #43

OK, somehow I am on that list. I remember considering signing up for mtgox, but never fully went through with it, and they didn't recognize my email when I tried to use the reset password form, I got the "that email isn't registered here" message. However, I DID get an email from them just a few minutes ago. And my email is on that list. It doesn't make sense to me.

I use long passwords, and several different ones for the sites I frequent, and I've gone and changed most of them, but now I'm really paranoid.

I'm not sure why anyone would want to, but just in case, I humbly and very gratefully accept donations at: 1Kn6NFFE4EqrhN1pgBDoBQEvSA5c3tdqhi
bullox
Member
June 19, 2011, 09:23:53 PM
 #44

https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.
jesus christ look at those terrible passwords.....
phelix
Legendary
June 19, 2011, 09:27:12 PM
 #45

Someone with a network should email everyone on the list and let them know.
+1

Issue is you'd probably end up on spam blacklists. :(
nowadays you can't even send sixty thousand emails any more...

blockchained.com ■ bitcointalk top posts
Man From The Future
Full Member
June 19, 2011, 09:30:57 PM
 #46

Someone with a network should email everyone on the list and let them know.
+1

Issue is you'd probably end up on spam blacklists. :(
nowadays you can't even send sixty thousand emails any more...
I've had too many issues to want to risk it, if you're being sarcastic.

I don't want my VPS blocked from emails, it needs to do ones for the services on it! :P
kokojie
Legendary
June 19, 2011, 09:32:34 PM
 #47

https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.

ZOMG!

testt, letmein, phildick, nandgate, football, spotty...

REALLY PEOPLE???

and a ton of people used "bitcoin" as their password, lol

If my post has been helpful, send me some love -> BTC: 1kokojUapmWqCqPw3Ch2rjcVh57tJEzka | PPC: PDyXAgA8eH47gokVW6zVZPSuu15aao5nZF | Bitshares: kokojie
dmiii
Newbie
June 19, 2011, 09:37:37 PM
 #48

https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.
So, MtGox does not use salt... It's really bad. The only good thing they can do is to reset all passwords and revalidate accounts through emails. But in the case of passwords that match the email ones, the situation becomes even worse...

1B1tBpNEeKztTtQ2HUB2PUYcv5taBXctSX
dust
Hero Member
June 19, 2011, 09:41:31 PM
 #49

Can anyone see a flaw in this plan? (besides not working for accounts with no email):

1.  All accounts are locked and no one is allowed to log in after mtgox comes back online
2.  An email is sent to account owners with a password reset link
3.  Users can then log into mtgox with no chance of attackers logging in first.

In the meantime:
1.  Change your password ASAP if you used your mtgox password somewhere else.

Also, I saw this on 4chan /g/

Quote
I'm currently cracking.

At the rate I'm going, I should have 3,000 accounts by next week.

I doubt everyone will change their passwords. As long as I get there first, I should be able to get a few coins.

I'm glad I used a strong password...

Cryptocoin Mining Info | OTC | PGP | Twitter | freenode: dust-otc | BTC: 1F6fV4U2xnpAuKtmQD6BWpK3EuRosKzF8U
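The lock-then-reset plan in the post above, sketched as an added example that is not code from the poster or from MtGox: every account starts locked, a single-use expiring token is issued only to accounts with an email address, and login stays refused until the token is redeemed. The class name `ResetGate`, the 24-hour lifetime and the account data are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a reset link, in seconds


class ResetGate:
    """Forced reset: every account is locked until its emailed token is redeemed."""

    def __init__(self, accounts):
        # accounts: {user: email or None}; constructed input for this example
        self.email = dict(accounts)
        self.locked = set(accounts)
        self.pending = {}  # user -> (sha256 hex of token, expiry time)

    def issue(self, user, now=None):
        """Return a one-time token to put in the reset email, or None without an address."""
        if not self.email.get(user):
            return None  # the gap named in the post: no email, account stays locked
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[user] = (digest, now + TOKEN_TTL)  # only the hash is stored
        return token

    def redeem(self, user, token, now=None):
        """Unlock the account if the token matches and has not expired."""
        now = time.time() if now is None else now
        digest, expiry = self.pending.get(user, ("", 0))
        given = hashlib.sha256(token.encode()).hexdigest()
        if now > expiry or not hmac.compare_digest(digest, given):
            return False
        del self.pending[user]  # single use: a replayed link fails
        self.locked.discard(user)  # the new password would be set at this point
        return True

    def can_login(self, user):
        """The old password is never accepted while the account is locked."""
        return user in self.email and user not in self.locked
```
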
Yeti
Member
June 19, 2011, 09:43:12 PM
 #50

We don't know which accounts were really used. For example, do you really think "testuser" has a lot of BTC floating around? I would love to know the account balance to each of these now compromised accounts.

A great lesson in web security!

So, MtGox does not use salt... It's really bad. The only good thing they can do is to reset all passwords and revalidate accounts through emails. But in the case of passwords that match the email ones, the situation becomes even worse...

No, that list is a list of cracked passwords that were salted but were so stupidly easy that they got bruteforced in no time!

1YetiaXeuRzX9QJoQNUW84oX2EiXnHgp3 or http://payb.tc/yeti

Since Bitcoin Randomizer is dead, join the Bitcoin Pyramid (referrer id #203)! Be quick, be on top! Instant payout as soon as one of your referrals deposits!
nemo
Sr. Member
June 19, 2011, 09:45:20 PM
 #51

Fuck. This is legit. 5 minutes after reading the email from MTGox saying they got hacked, they logged into my email and I had to text myself a special code just to get back in and change my password. MTGox needs to fucking burn hard for this. I'm changing everything, they're going to get you too if you don't.
Surtur
Newbie
June 19, 2011, 09:48:34 PM
 #52

Someone with a network should email everyone on the list and let them know.

I already got an email from mt.gox regarding the hack - so please, do not mail the whole list ;)
kjj
Legendary
June 19, 2011, 09:49:00 PM
 #53

No, the vast majority of the passwords were done properly with md5_crypt().  They will probably never be cracked in any serious number.

The few that have been cracked were all passwords stored using the old unsalted DES based crypt().  Everyone knew that the old school crypt() was unsafe, which was the whole reason for switching to salted md5_crypt().

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
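The two storage formats named in the post above can be told apart by the shape of the stored string: md5_crypt output starts with `$1$`, followed by a salt, another `$` and a 22-character digest, while traditional DES crypt() output is a bare 13-character string. The following is an added example, not code from any poster or from MtGox; the `user,email,hash` row layout, the function names and the sample rows are constructed, and the extra `$2a$`/`$5$`/`$6$` identifiers go beyond the two schemes discussed in the thread.

```python
import re
from collections import Counter

B64 = r"[./0-9A-Za-z]"  # alphabet used in crypt(3) output
MD5_CRYPT = re.compile(rf"^\$1\$({B64}{{1,8}})\$({B64}{{22}})$")
DES_CRYPT = re.compile(rf"^{B64}{{13}}$")
# Other modular-crypt identifiers, included to generalize beyond the thread.
OTHER_IDS = {"2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256_crypt", "6": "sha512_crypt"}


def classify(stored):
    """Name the scheme a stored password string was produced with."""
    s = stored.strip()
    if MD5_CRYPT.match(s):
        return "md5_crypt"
    if s.startswith("$"):
        ident = s.split("$")[1] if s.count("$") >= 2 else ""
        if ident == "1":
            return "malformed_md5_crypt"  # right prefix, wrong salt/digest shape
        return OTHER_IDS.get(ident, "unknown")
    if DES_CRYPT.match(s):
        return "des_crypt"
    return "unknown"


def audit(rows):
    """Tally schemes and list the accounts still stored as des_crypt."""
    tally, legacy = Counter(), []
    for line in rows:
        user, _email, stored = line.split(",", 2)
        scheme = classify(stored)
        tally[scheme] += 1
        if scheme == "des_crypt":
            legacy.append(user)  # candidates for a forced reset
    return dict(tally), legacy


# Constructed rows (assumed layout user,email,hash); these are not real hashes.
SAMPLE = [
    "alice,alice@example.com,$1$Qx3f9aLp$" + "A" * 22,
    "bob,bob@example.com,abCDEFGHIJKLM",
    "carol,carol@example.com,$1$short$tooshort",
    "dave,dave@example.com,$6$rounds=5000$salt$" + "B" * 86,
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```
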
bcearl
Full Member
June 19, 2011, 09:50:16 PM
 #54

Quote

Ukrainian government - ROTFL

Misspelling protects against dictionary attacks NOT
malditonuke
Full Member
June 19, 2011, 09:53:01 PM
 #55

Possibly unrelated, but the email account I had associated with mtgox just got locked up.

It looks like someone was trying to access it.
chihlidog
Newbie
June 19, 2011, 09:53:31 PM
 #56

No, the vast majority of the passwords were done properly with md5_crypt().  They will probably never be cracked in any serious number.

The few that have been cracked were all passwords stored using the old unsalted DES based crypt().  Everyone knew that the old school crypt() was unsafe, which was the whole reason for switching to salted md5_crypt().

Could you explain to a layman how we can tell the difference? Looking at the string next to my email I'd like to feel a little more secure if I know it was a more secure encryption.

I'm not sure why anyone would want to, but just in case, I humbly and very gratefully accept donations at: 1Kn6NFFE4EqrhN1pgBDoBQEvSA5c3tdqhi
nemo
Sr. Member
June 19, 2011, 09:54:02 PM
 #57

Possibly unrelated, but the email account I had associated with mtgox just got locked up.

It looks like someone was trying to access it.

What are the odds that it would happen to the both of us (MTGox users) at the same time?
bcearl
Full Member
June 19, 2011, 09:54:31 PM
 #58

https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.
So, MtGox does not use salt... It's really bad. The only good thing they can do is to reset all passwords and revalidate accounts through emails. But in the case of passwords that match the email ones, the situation becomes even worse...

Salt does not help weak passwords.

Misspelling protects against dictionary attacks NOT
malditonuke
Full Member
June 19, 2011, 10:01:31 PM
 #59

I have already received notification of unusual activity on my email account. The list is being worked...

I pity anyone who used the same password. :(
aop
Jr. Member
June 19, 2011, 10:04:42 PM
 #60

Wanna bet next leak is going to come from this forum unless it has already been hacked and data taken?

This would be a very profitable target indeed, since many people here are likely to use the same passwords and usernames as they use in their mails and bitcoin exchanges.