Bitcoin Forum
Topic: ALL mtgox password has been compromised, change asap, everywhere you used it
piuk
June 19, 2011, 09:06:27 PM
 #41

https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.

bcearl
June 19, 2011, 09:08:19 PM
 #42

If the salt hasn't been compromised, then the passwords should be safe, no?

That sentence doesn't make sense at all.

Misspelling protects against dictionary attacks NOT
chihlidog
June 19, 2011, 09:14:41 PM
 #43

OK, somehow I am on that list. I remember considering signing up for mtgox, but never fully went through with it, and they didn't recognize my email when I tried to use the reset password form, I got the "that email isn't registered here" message. However, I DID get an email from them just a few minutes ago. And my email is on that list. It doesn't make sense to me.

I use long passwords, and several different ones for the sites I frequent, and I've gone and changed most of them, but now I'm really paranoid.
bullox
June 19, 2011, 09:23:53 PM
 #44

https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.
jesus christ look at those terrible passwords.....
phelix
June 19, 2011, 09:27:12 PM
 #45

Someone with a network should email everyone on the list and let them know.
+1

Issue is you'd probably end up on spam blacklists. :(
nowadays you can't even send sixty thousand emails any more...
Man From The Future
June 19, 2011, 09:30:57 PM
 #46

Someone with a network should email everyone on the list and let them know.
+1

Issue is you'd probably end up on spam blacklists. :(
nowadays you can't even send sixty thousand emails any more...
I've had too many issues to want to risk it, if you're being sarcastic.

I don't want my VPS blocked from emails, it needs to do ones for the services on it! :P

kokojie (OP)
June 19, 2011, 09:32:34 PM
 #47

https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.

ZOMG!

testt, letmein, phildick, nandgate, football, spotty...

REALLY PEOPLE???

and a ton of people used "bitcoin" as their password, lol

dmiii
June 19, 2011, 09:37:37 PM
 #48

https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.
So, MtGox does not use salt... It's really bad. The only good thing they can do is to reset all passwords and revalidate accounts through emails. But in the case of passwords that match email ones, the situation becomes even worse...
dust
June 19, 2011, 09:41:31 PM
 #49

Can anyone see a flaw in this plan? (besides not working for accounts with no email):

1.  All accounts are locked and no one is allowed to log in after mtgox comes back online
2.  An email is sent to account owners with a password reset link
3.  Users can then log into mtgox with no chance of attackers logging in first.

In the meantime:
1.  Change your password ASAP if you used your mtgox password somewhere else.

Also, I saw this on 4chan /g/

Quote
I'm currently cracking.

At the rate I'm going, I should have 3,000 accounts by next week.

I doubt everyone will change their passwords. As long as I get there first, I should be able to get a few coins.

I'm glad I used a strong password...

Yeti
June 19, 2011, 09:43:12 PM
 #50

We don't know which accounts were really used. For example, do you really think "testuser" has a lot of BTC floating around? I would love to know the account balance to each of these now compromised accounts.

A great lesson in web security!

So, MtGox does not use salt... It's really bad. The only good thing they can do is to reset all passwords and revalidate accounts through emails. But in the case of passwords that match email ones, the situation becomes even worse...

No, that list is a list of cracked passwords that were salted but were so stupidly easy that they got bruteforced in no time!

nemo
June 19, 2011, 09:45:20 PM
 #51

Fuck. This is legit. 5 minutes after reading the email from MTGox saying they got hacked, they logged into my email and I had to text myself a special code just to get back in and change my password. MTGox needs to fucking burn hard for this. I'm changing everything, they're going to get you too if you don't.
Surtur
June 19, 2011, 09:48:34 PM
 #52

Someone with a network should email everyone on the list and let them know.

I already got an email from mt.gox regarding the hack - so please, do not mail the whole list ;)
kjj
June 19, 2011, 09:49:00 PM
 #53

No, the vast majority of the passwords were done properly with md5_crypt().  They will probably never be cracked in any serious number.

The few that have been cracked were all passwords stored using the old unsalted DES based crypt().  Everyone knew that the old school crypt() was unsafe, which was the whole reason for switching to salted md5_crypt().

bcearl
June 19, 2011, 09:50:16 PM
 #54

Quote

Ukrainian government - ROTFL

malditonuke
June 19, 2011, 09:53:01 PM
 #55

Possibly unrelated, but the email account I had associated with mtgox just got locked up.

It looks like someone was trying to access it.
chihlidog
June 19, 2011, 09:53:31 PM
 #56

No, the vast majority of the passwords were done properly with md5_crypt().  They will probably never be cracked in any serious number.

The few that have been cracked were all passwords stored using the old unsalted DES based crypt().  Everyone knew that the old school crypt() was unsafe, which was the whole reason for switching to salted md5_crypt().

Could you explain to a layman how we can tell the difference? Looking at the string next to my email I'd like to feel a little more secure if I know it was a more secure encryption.
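
An added example (not part of any post in this thread) of telling the two schemes named above apart from the stored string alone, assuming the standard crypt(3) text encodings: md5_crypt output starts with `$1$`, while traditional DES-based crypt() output is a bare 13-character string. The account names and hash-shaped strings are constructed, and `audit` is a hypothetical helper that lists the accounts not on md5_crypt.

```python
import re

# Assumption: hashes are stored in the standard crypt(3) text encodings.
# md5_crypt: "$1$" + salt (up to 8 chars) + "$" + 22-char digest.
MD5_CRYPT = re.compile(r"\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}")
# Traditional DES-based crypt(): exactly 13 characters, no "$" prefix.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def classify(stored: str) -> str:
    """Name the scheme a stored password string was produced with."""
    stored = stored.strip()
    if MD5_CRYPT.fullmatch(stored):
        return "md5_crypt"
    if DES_CRYPT.fullmatch(stored):
        return "des_crypt"
    return "unknown"


def audit(rows):
    """Group usernames by scheme and list every account not on md5_crypt."""
    by_scheme = {}
    for user, stored in rows:
        by_scheme.setdefault(classify(stored), []).append(user)
    # Legacy or unparseable entries: candidates for a forced reset.
    legacy = sorted(u for scheme, users in by_scheme.items()
                    if scheme != "md5_crypt" for u in users)
    return by_scheme, legacy


# Constructed rows: placeholder strings with the right shape, not real hashes.
SAMPLE = [
    ("alice", "$1$example$ConstructedDigest01234"),
    ("bob", "XXconstructed"),
    ("carol", "$1$short$tooshort"),  # malformed: digest is not 22 chars
    ("dave", ""),                    # account with no stored hash
]

if __name__ == "__main__":
    schemes, legacy = audit(SAMPLE)
    for scheme, users in schemes.items():
        print(f"{scheme:10s} {', '.join(users)}")
    print("not on md5_crypt:", ", ".join(legacy))
```
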
nemo
June 19, 2011, 09:54:02 PM
 #57

Possibly unrelated, but the email account I had associated with mtgox just got locked up.

It looks like someone was trying to access it.

What are the odds that it would happen to the both of us (MTGox users) at the same time?
bcearl
June 19, 2011, 09:54:31 PM
 #58

https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.
So, MtGox does not use salt... It's really bad. The only good thing they can do is to reset all passwords and revalidate accounts through emails. But in the case of passwords that match email ones, the situation becomes even worse...

Salt does not help weak passwords.

malditonuke
June 19, 2011, 10:01:31 PM
 #59

I have already received notification of unusual activity on my email account. The list is being worked...

I pity anyone who used the same password. :(
aop
June 19, 2011, 10:04:42 PM
 #60

Wanna bet next leak is going to come from this forum unless it has already been hacked and data taken?

This would be a very profitable target indeed since many people here are likely to use the same passwords and usernames as they use in their mails and bitcoin exchanges.