Bitcoin Forum
December 03, 2016, 09:55:33 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2]  All
  Print  
Author Topic: It's Official Mt.Gox Database Leaked :(  (Read 10524 times)
Crs
Member
**
Offline Offline

Activity: 103



View Profile
June 19, 2011, 08:15:37 PM
 #21

61020 accounts.
password hash (FreeBSD MD5 [32/32]
Anonymity... Roll Eyes

If my post has been useful, you might want to donate: 1V7zr2jmQQXS5gv2kKNpUkgG6qmDffTZp
1480758933
Hero Member
*
Offline Offline

Posts: 1480758933

View Profile Personal Message (Offline)

Ignore
1480758933
Reply with quote  #2

1480758933
Report to moderator
1480758933
Hero Member
*
Offline Offline

Posts: 1480758933

View Profile Personal Message (Offline)

Ignore
1480758933
Reply with quote  #2

1480758933
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480758933
Hero Member
*
Offline Offline

Posts: 1480758933

View Profile Personal Message (Offline)

Ignore
1480758933
Reply with quote  #2

1480758933
Report to moderator
1480758933
Hero Member
*
Offline Offline

Posts: 1480758933

View Profile Personal Message (Offline)

Ignore
1480758933
Reply with quote  #2

1480758933
Report to moderator
1480758933
Hero Member
*
Offline Offline

Posts: 1480758933

View Profile Personal Message (Offline)

Ignore
1480758933
Reply with quote  #2

1480758933
Report to moderator
Jarredm
Member
**
Offline Offline

Activity: 63



View Profile
June 19, 2011, 08:18:11 PM
 #22

So does anyone know if the salt was also compromised? Huh  I am in the list and I can confirm that the password column isn't a straight MD5 hash from my password.  However, if the salt has been exposed then it's the same thing as not using one...  
makomk
Hero Member
*****
Offline Offline

Activity: 686


View Profile
June 19, 2011, 08:21:50 PM
 #23

"UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible."

This isn't good ...




Bear in mind that anything shorter than 8 characters isn't "complex enough" these days, and your password will probably already have been cracked if it is shorter than that. GPUs are very fast at cracking password hashes, even salted ones, and the Bitcoin mining community has a lot of compute power.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
nodemaster
Full Member
***
Offline Offline

Activity: 176



View Profile WWW
June 19, 2011, 08:24:44 PM
 #24

@grue
yes i took a look.

thought about someone here having access to sufficient rainbow tables to find out my pw in seconds


Dude, if you are looking for people with a hell lot of computing power you are in the right community  Grin
sturle
Legendary
*
Offline Offline

Activity: 1418

http://bitmynt.no


View Profile WWW
June 19, 2011, 08:26:09 PM
 #25

https://rapidshare.com/#!download|359tg2|1969319443|accounts.csv|4023
I checked my own password there.  It is real, and it is an old one.  I changed it a few days ago, and this is the previous one.  Which means the data has been out for a while.

You can check your own password by giving this line to perl:
Code:
print('password', '$1$salt');
where password is your password and salt is the characters between $1$ and the next $ in your encrypted passord.  If the result matches the entire encrypted password, your password is there and it's real.  If only the part between $1$ and $ matches, the password is wrong.  If everything is far off and not even the salt matches, you did something wrong.

Sjå http://bitmynt.no for veksling av bitcoin mot norske kroner.  Trygt, billig, raskt og enkelt sidan 2010.
I buy with EUR and other currencies at a fair market price when you want to sell.  See http://bitmynt.no/eurprice.pl
I support the roadmap.  If a majority of miners ever try to forcefully take control of Bitcoin through a hard fork without 100% consensus, I will immediately split out and dump all my forkcoins, and buy more real Bitcoin.
sturle
Legendary
*
Offline Offline

Activity: 1418

http://bitmynt.no


View Profile WWW
June 19, 2011, 08:30:12 PM
 #26

thought about someone here having access to sufficient rainbow tables to find out my pw in seconds
Rainbow tables will not help in this case, because the passwords are properly salted.  But I'm sure you'll find a lot wit a decent wordlist or a character frequency search.  (Brute force taking most common characters in passwords into account.)

Sjå http://bitmynt.no for veksling av bitcoin mot norske kroner.  Trygt, billig, raskt og enkelt sidan 2010.
I buy with EUR and other currencies at a fair market price when you want to sell.  See http://bitmynt.no/eurprice.pl
I support the roadmap.  If a majority of miners ever try to forcefully take control of Bitcoin through a hard fork without 100% consensus, I will immediately split out and dump all my forkcoins, and buy more real Bitcoin.
Yeti
Member
**
Offline Offline

Activity: 112

Firstbits: 1yetiax


View Profile
June 19, 2011, 08:32:50 PM
 #27

Yup. Confirmed. If you got PHP, give this a try:
Code:
php -r "echo crypt('yourpassword', '\$1\$thesaltfromthelist\$');"

Doesn't hurt to paste the whole salted hash as the 2nd parameter.

1YetiaXeuRzX9QJoQNUW84oX2EiXnHgp3 or http://payb.tc/yeti

Since Bitcoin Randomizer is dead, join the Bitcoin Pyramid (referrer id #203)! Be quick, be on top! Instant payout as soon as one of your referrals deposits!
dooglus
Legendary
*
Offline Offline

Activity: 1988



View Profile
June 19, 2011, 08:36:04 PM
 #28

You can check your own password by giving this line to perl:
Code:
print('password', '$1$salt');
where password is your password and salt is the characters between $1$ and the next $ in your encrypted passord.

I think you typo'ed that.

My line in the accounts file is:
Code:
1449,dooglus,dooglus@gmail.com,$1$WFHWAF9p$T/WxZez30/WCigLRwB2eQ/

and to check my password, I do this in Perl:

Code:
print(crypt('myguess', '$1$WFHWAF9p'));

That comes back with '$1$WFHWAF9p$mQTG1Teo6ojeuyXRYN7Na.' and so my password isn't 'myguess'.

bullox
Member
**
Offline Offline

Activity: 112


View Profile
June 19, 2011, 09:15:49 PM
 #29

However, if the salt has been exposed then it's the same thing as not using one...  

That's not how salts work. The point is that an attacker can do a lot of effort in advance to generate a massive rainbow table containing the hashes of a large set of possible passwords (or in practice, simply pay for access to such a service).

By adding a random nonce (i.e. the salt) to passwords before hashing them, you force the attacker to include all possible nonce values in those passwords. For each extra bit in the nonce, you double the size the rainbow table, quickly making it infeasible to generate one.

So even if the salt is public, it will still do its job in preventing the use of rainbow tables. The attacker will be forced to brute-force by trying all possible passwords in combination with a given nonce just to crack a single password hash.

And the avergae bitcoin enthusiast has a plethora of brute force power available to them.   Wink   Sorry everyone who used mtgox but you should really be not on this forum and out changing pw at every single site that you have ever used even 1 of the items in that database (username, email, or password)
JBDive
Full Member
***
Offline Offline

Activity: 238


View Profile
June 19, 2011, 10:39:56 PM
 #30

I think the point should be made that Mt.Gox was not upfront in saying the username database had been stolen. The single account that was hacked or used is one thing but the release of 61k accounts with or without the password hash being crackable shows a real security concern with the site.

Second this is a goldmine for the IRS as the value of Bitcoins has increased and those who have been trading or hording from the first days and have made a profit must realize income is income to the IRS (US, you insert your own country) and sooner or later it will draw their attention. Now instead of them having to subpoena a server owner in some foreign country they can just subpoena Google for all those GMail accounts listed. Once they start that fishing they won't stop which makes me curious about the username order in the leaked file. If I was in the first 200 and one was to assume the order is oldest to newest and one must also assume the oldest have gained the most, well I might be double checking my tracks for emails related to profit, sales, etc.

For those with business email addresses listed I also would not assume your bosses won't get this list and if your using company resources for mining or anything else I would cover those tracts pretty fast too.
tabshift
Newbie
*
Offline Offline

Activity: 23


View Profile
June 20, 2011, 01:10:39 AM
 #31

It would still be a fishing expedition. I have had a MtGox account for months but I never used their platform for a single trade.

I think the point should be made that Mt.Gox was not upfront in saying the username database had been stolen. The single account that was hacked or used is one thing but the release of 61k accounts with or without the password hash being crackable shows a real security concern with the site.

Second this is a goldmine for the IRS as the value of Bitcoins has increased and those who have been trading or hording from the first days and have made a profit must realize income is income to the IRS (US, you insert your own country) and sooner or later it will draw their attention. Now instead of them having to subpoena a server owner in some foreign country they can just subpoena Google for all those GMail accounts listed. Once they start that fishing they won't stop which makes me curious about the username order in the leaked file. If I was in the first 200 and one was to assume the order is oldest to newest and one must also assume the oldest have gained the most, well I might be double checking my tracks for emails related to profit, sales, etc.

For those with business email addresses listed I also would not assume your bosses won't get this list and if your using company resources for mining or anything else I would cover those tracts pretty fast too.
Jarredm
Member
**
Offline Offline

Activity: 63



View Profile
June 20, 2011, 02:32:34 AM
 #32

However, if the salt has been exposed then it's the same thing as not using one...  

That's not how salts work. The point is that an attacker can do a lot of effort in advance to generate a massive rainbow table containing the hashes of a large set of possible passwords (or in practice, simply pay for access to such a service).

By adding a random nonce (i.e. the salt) to passwords before hashing them, you force the attacker to include all possible nonce values in those passwords. For each extra bit in the nonce, you double the size the rainbow table, quickly making it infeasible to generate one.

So even if the salt is public, it will still do its job in preventing the use of rainbow tables. The attacker will be forced to brute-force by trying all possible passwords in combination with a given nonce just to crack a single password hash.


If that's the case then salting can/should be improved.  I believe that the more secure method would be to keep a lengthy pseudo-random salt a secret, in a datastore that is physically separated from the application DB.  You begin by hashing the user's password with a well known algorithm.  That output will then be hashed again with the pseudo-random salt added to it.  By doing this you would force the attacker to guess at (or create rainbow tables) for not just the password but for each password they would then need to build a table for that output plus each guess at the salt. 

If the salt is long, pseudo-random, and unknown then it would seem that this would be more secure.  Keeping the salt in a separate datastore where only the logon provider has access to it would thereby make it more difficult for an attacker to gain access to the salt.  Even if they gain access to the computer hash outputs.

My thoughts, perhaps they are wrong...


tymothy
Full Member
***
Offline Offline

Activity: 224


View Profile
June 20, 2011, 03:36:12 AM
 #33

The time for anything to crack a 15+ character letter/number non-dictionary password by brute-force is pretty much never at current computing speeds, am I correct?
JBDive
Full Member
***
Offline Offline

Activity: 238


View Profile
June 20, 2011, 04:02:09 AM
 #34

The IRS goes fishing daily and never comes home without a catch. Anyone who has been under their spyglass will tell you it doesn't matter if they find anything or not (and they will), it's the anal probe you get in the meantime that smarts.

It would still be a fishing expedition. I have had a MtGox account for months but I never used their platform for a single trade.

I think the point should be made that Mt.Gox was not upfront in saying the username database had been stolen. The single account that was hacked or used is one thing but the release of 61k accounts with or without the password hash being crackable shows a real security concern with the site.

Second this is a goldmine for the IRS as the value of Bitcoins has increased and those who have been trading or hording from the first days and have made a profit must realize income is income to the IRS (US, you insert your own country) and sooner or later it will draw their attention. Now instead of them having to subpoena a server owner in some foreign country they can just subpoena Google for all those GMail accounts listed. Once they start that fishing they won't stop which makes me curious about the username order in the leaked file. If I was in the first 200 and one was to assume the order is oldest to newest and one must also assume the oldest have gained the most, well I might be double checking my tracks for emails related to profit, sales, etc.

For those with business email addresses listed I also would not assume your bosses won't get this list and if your using company resources for mining or anything else I would cover those tracts pretty fast too.
JBDive
Full Member
***
Offline Offline

Activity: 238


View Profile
June 20, 2011, 02:53:40 PM
 #35

Appears Mt.Gox has come clean with the problem or hack pathway. He has also explained why only some passwords have been found to be plain text or crackable vs. the salted hashed passwords although he appears to be cranking up the strength of those hashes now.
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!