bcearl
June 19, 2011, 09:08:19 PM

If the salt hasn't been compromised, then the passwords should be safe, no?
That sentence doesn't make sense at all.

Misspelling protects against dictionary attacks NOT

chihlidog
Newbie
Offline
Activity: 28
Merit: 0
June 19, 2011, 09:14:41 PM

OK, somehow I am on that list. I remember considering signing up for mtgox, but never fully went through with it, and they didn't recognize my email when I tried to use the reset password form; I got the "that email isn't registered here" message. However, I DID get an email from them just a few minutes ago. And my email is on that list. It doesn't make sense to me.
I use long passwords, and several different ones for the sites I frequent, and I've gone and changed most of them, but now I'm really paranoid.

bullox
June 19, 2011, 09:23:53 PM

jesus christ look at those terrible passwords.....

phelix
Legendary
Offline
Activity: 1708
Merit: 1020
June 19, 2011, 09:27:12 PM

Someone with a network should email everyone on the list and let them know.
+1 Issue is you'd probably end up on spam blacklists. Nowadays you can't even send sixty thousand emails any more...

Man From The Future
June 19, 2011, 09:30:57 PM

Someone with a network should email everyone on the list and let them know.
+1 Issue is you'd probably end up on spam blacklists. Nowadays you can't even send sixty thousand emails any more... I've had too many issues to want to risk it, if you're being sarcastic. I don't want my VPS blocked from emails, it needs to do ones for the services on it!

kokojie (OP)
Legendary
Offline
Activity: 1806
Merit: 1003
June 19, 2011, 09:32:34 PM

ZOMG! testt, letmein, phildick, nandgate, football, spotty... REALLY PEOPLE??? and a ton of people used "bitcoin" as their password, lol

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6

dmiii
Newbie
Offline
Activity: 14
Merit: 0
June 19, 2011, 09:37:37 PM

So, MtGox does not use salt... It's really bad. The only good thing they can do is to reset all passwords and revalidate accounts through emails. But in case of passwords that match email ones, the situation becomes even worse...

dust
June 19, 2011, 09:41:31 PM

Can anyone see a flaw in this plan? (besides not working for accounts with no email): 1. All accounts are locked and no one is allowed to log in after mtgox comes back online 2. An email is sent to account owners with a password reset link 3. Users can then log into mtgox with no chance of attackers logging in first. In the meantime: 1. Change your password ASAP if you used your mtgox password somewhere else. Also, I saw this on 4chan /g/ I'm currently cracking.
At the rate I'm going, I should have 3,000 accounts by next week.
I doubt everyone will change their passwords. As long as I get there first, I should be able to get a few coins. I'm glad I used a strong password...

Yeti
Member
Offline
Activity: 112
Merit: 10
Firstbits: 1yetiax
June 19, 2011, 09:43:12 PM

We don't know which accounts were really used. For example, do you really think "testuser" has a lot of BTC floating around? I would love to know the account balance to each of these now compromised accounts. A great lesson in web security! So, MtGox does not use salt... It's really bad. The only good thing they can do is to reset all passwords and revalidate accounts through emails. But in case of passwords that match email ones, the situation becomes even worse...
No, that list is a list of cracked passwords that were salted but were so stupidly easy that they got bruteforced in no time!

nemo
June 19, 2011, 09:45:20 PM

Fuck. This is legit. 5 minutes after reading the email from MTGox saying they got hacked, They logged into my email and I had to text myself a special code just to get back in and change my password. MTGox needs to fucking burn hard for this. I'm changing everything, they're going to get you too if you don't.

Surtur
Newbie
Offline
Activity: 15
Merit: 0
June 19, 2011, 09:48:34 PM

Someone with a network should email everyone on the list and let them know.
I already got an email from mt.gox regarding the hack - so please, do not mail the whole list

kjj
Legendary
Offline
Activity: 1302
Merit: 1026
June 19, 2011, 09:49:00 PM

No, the vast majority of the passwords were done properly with md5_crypt(). They will probably never be cracked in any serious number.
The few that have been cracked were all passwords stored using the old unsalted DES based crypt(). Everyone knew that the old school crypt() was unsafe, which was the whole reason for switching to salted md5_crypt().

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.

bcearl
June 19, 2011, 09:50:16 PM

Ukrainian government - ROTFL

Misspelling protects against dictionary attacks NOT

malditonuke
June 19, 2011, 09:53:01 PM

possibly unrelated, but the email account i had associated with mtgox just got locked up.
it looks like someone was trying to access it.

chihlidog
Newbie
Offline
Activity: 28
Merit: 0
June 19, 2011, 09:53:31 PM

No, the vast majority of the passwords were done properly with md5_crypt(). They will probably never be cracked in any serious number.
The few that have been cracked were all passwords stored using the old unsalted DES based crypt(). Everyone knew that the old school crypt() was unsafe, which was the whole reason for switching to salted md5_crypt().
Could you explain to a layman how we can tell the difference? Looking at the string next to my email, I'd like to feel a little more secure if I know it was a more secure encryption.
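The two formats kjj describes can be told apart from the stored string itself: traditional DES crypt(3) output is 13 characters with no "$" in it, while md5_crypt output starts with "$1$" and carries its salt inline before the second "$". The following is an added example, not any poster's code, that classifies stored hash strings by shape and tallies a list; it also names a few other modular-crypt identifiers (SHA-crypt, bcrypt) that a more modern store might contain. All sample strings are constructed and merely format-valid, not real hashes from the leaked list.

```python
import re
from collections import Counter

# Traditional DES crypt(3): 13 chars from [./0-9A-Za-z]; the first two are
# the salt (only 4096 values) and only the first 8 password chars are hashed.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5-crypt ("$1$"): "$1$" + salt (up to 8 chars) + "$" + 22-char digest.
MD5_CRYPT_RE = re.compile(r"^\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}$")
# Other modular-crypt-format identifiers that can at least be named.
MCF_ID_RE = re.compile(r"^\$([^$]+)\$")
MCF_NAMES = {"5": "sha256-crypt", "6": "sha512-crypt",
             "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}


def classify_crypt_hash(h):
    """Name the hashing scheme of one stored crypt-style hash string."""
    h = h.strip()
    if DES_CRYPT_RE.match(h):
        return {"scheme": "des-crypt", "salt": h[:2],
                "note": "legacy crypt(3): tiny salt, 8-char limit, very cheap per guess"}
    m = MD5_CRYPT_RE.match(h)
    if m:
        return {"scheme": "md5-crypt", "salt": m.group(1),
                "note": "salted, iterated MD5: far costlier per guess, weak passwords still fall"}
    m = MCF_ID_RE.match(h)
    if m:
        return {"scheme": MCF_NAMES.get(m.group(1), "mcf:" + m.group(1)),
                "salt": None, "note": "modular-crypt-format scheme, see identifier"}
    return {"scheme": "unknown", "salt": None, "note": "unrecognised format"}


def count_by_scheme(hashes):
    """Tally how many stored hashes fall under each scheme (audit view)."""
    return dict(Counter(classify_crypt_hash(h)["scheme"] for h in hashes))


# Constructed, format-valid sample strings (not real hashes from the leak).
SAMPLE_HASHES = [
    "abJnggxhB/yWI",                       # DES crypt shape, salt "ab"
    "$1$saltsalt$Ab3/cD9.eF0gHiJkLmNoPq",  # MD5-crypt shape, salt "saltsalt"
    "$2y$10$" + "N" * 53,                  # bcrypt-shaped, identifier only
    "plaintext?",                          # not a crypt string at all
]

if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        print(h[:20].ljust(20), classify_crypt_hash(h))
    print(count_by_scheme(SAMPLE_HASHES))
```

Run against a password table, the tally shows what share of accounts still sit on the legacy format and therefore must be force-reset first.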

nemo
June 19, 2011, 09:54:02 PM

possibly unrelated, but the email account i had associated with mtgox just got locked up.
it looks like someone was trying to access it.
What are the odds that it would happen to the both of us (MTGox users) at the same time?

bcearl
June 19, 2011, 09:54:31 PM

So, MtGox does not use salt... It's really bad. The only good thing they can do is to reset all passwords and revalidate accounts through emails. But in case of passwords that match email ones, the situation becomes even worse... Salt does not help weak passwords.

Misspelling protects against dictionary attacks NOT

malditonuke
June 19, 2011, 10:01:31 PM

I have already received notification of unusual activity on my email account. The list is being worked...
I pity anyone who used the same password.

aop
Newbie
Offline
Activity: 34
Merit: 0
June 19, 2011, 10:04:42 PM

Wanna bet the next leak is going to come from this forum, unless it has already been hacked and the data taken?
This would be a very profitable target indeed, since many people here are likely to use the same passwords and usernames as they use for their mail and bitcoin exchanges.