Bitcoin Forum
December 09, 2016, 04:15:03 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 [4] 5 6 7 »  All
  Print  
Author Topic: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)  (Read 33723 times)
myrkul
Hero Member
*****
Offline Offline

Activity: 532


FIAT LIBERTAS RVAT CAELVM


View Profile WWW
June 19, 2011, 10:45:43 PM
 #61

at least several months ago.

Need a date, man... That's way too vague.

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481256903
Hero Member
*
Offline Offline

Posts: 1481256903

View Profile Personal Message (Offline)

Ignore
1481256903
Reply with quote  #2

1481256903
Report to moderator
phelix
Legendary
*
Offline Offline

Activity: 1680


nmc:id/phelix


View Profile
June 19, 2011, 10:49:46 PM
 #62

comes in handy: look up where you used your compromised password in the firefox saved passwords list  Grin

http://www.howtogeek.com/howto/ubuntu/find-a-forgotten-password-saved-in-firefox/

blockchained.com ■ bitcointalk top posts
Chick
Member
**
Offline Offline

Activity: 70


View Profile
June 19, 2011, 10:52:47 PM
 #63

I am not as computer literate as most of you. I have some dumb questions. Please be patient with me.

1. Is the *only* data that has been lost the user names, email and hashed password? Is there any way these people can get at my wallet? (I had nothing at Mt. Gox so I have no worries about that)

2. Can they get at the account from which I sent money to Mt Gox?

3. How could this have happened? I expected a person handling this kind of money would be secured like my bank website. On the other hand, why did everyone trust him?

4. Is Mt. Gox giving any accountability such as taking steps to secure what information has not been lost yet?

5. Luckily I used my Mt Gox password only there. What steps should I take to secure other data I have?

thanks

1. This is the only data that we know of that was leaked. No, there is no possible way they can get to your wallet unless they got into your computer via a remote connection using your password.

2. If you used the same password, yes.

3. Most likely SQL injection, I'm surprised that in 2011 people are still not using prepared statements for querying the database. Because it is the most popular? Didn't have any problems for a long time.

4. Most likely.

5. If you used the same passwords as the one as Mt. Gox, change it.

kjj
Legendary
*
Offline Offline

Activity: 1302



View Profile
June 19, 2011, 10:53:07 PM
 #64

at least several months ago.

Need a date, man... That's way too vague.

I don't know.  I'm just going off the data I have (that everyone has by now).

The newest account that I've found with an old-style hash was #3045.  I signed up about a month ago, and my number is near #10,000.  Since 50,000 of the 60,000 accounts were from the last month, I feel pretty safe saying that the change was more than a month before I signed up.  Closer to that, I can't say.

But it is trivial for anyone to find their own name in the file and check the password hash listed.  Starts with $, probably safe, but think about changing it anyway.  Doesn't start with $, change it now, and change it in every place that you've ever used that password, or one similar to it.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
pete248
Newbie
*
Offline Offline

Activity: 12


View Profile
June 19, 2011, 10:54:13 PM
 #65

Does anyone know where i can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely cant remember what password i used on Mt Gox (never actually traded on it) but i know its one of several i can remember, so i want to do trial and error to check which one it is Tongue thanks.
EpicFail
Jr. Member
*
Offline Offline

Activity: 45


View Profile
June 19, 2011, 10:56:47 PM
 #66

Can someone try to crack user 16139 please?

I would like to know how strong the password is. I believe it is pretty strong but I could be wrong.
Stephe
Newbie
*
Offline Offline

Activity: 8


View Profile
June 19, 2011, 11:02:23 PM
 #67

Does anyone know where i can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely cant remember what password i used on Mt Gox (never actually traded on it) but i know its one of several i can remember, so i want to do trial and error to check which one it is Tongue thanks.
<?
echo crypt("yourpassword", "$1$"."hash"."$".md5("yourpassword"));
?>
kjj
Legendary
*
Offline Offline

Activity: 1302



View Profile
June 19, 2011, 11:07:01 PM
 #68

If you have PHP, try this on the command line:

Code:
php -r 'echo crypt("PASSWORD","$1$SALT_FROM_FILE$")."\n";'

There is a similar way to do it in PERL, but I don't know it off the top of my head.

Also, I found an online thingie.  http://crypt.php-functions.com/.  Please note that I didn't test this with my password, because I don't trust it, but if you do trust it, the syntax is:

Code:
echo crypt("PASSWORD","$1$SALT_FROM_FILE$")

Oh, and account 16139 is probably fine.  There are no services that can crack your password short of a brute force attempt.  How long the brute force takes will depend on the length and complexity of your password.  A short password, or one that is in a dictionary, or similar to a dictionary word, will be fairly easy.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
BubbleBoy
Sr. Member
****
Offline Offline

Activity: 322



View Profile
June 19, 2011, 11:14:06 PM
 #69

I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

The passwords before ID 3000 that were not changed are plain md5 hashes. Almost all are easily cracked. Example:
id: 642
name: shlax
hash: de434a6e3a01de06657454e07349535c
password: pretorian

The ones starting with $ are MD5 crypt passwords. The 1000 MD5 iterations add about 10 bits of apparent entropy, and the salts prevent parallelisation. If they are good, such passwords survive, but any less than 10 character alphanumeric password is in danger. Any all numeric under 20 digits, and all single case under 15 letters may be also in danger. If it's a dictionary word, forget it.

IMO there's no way to reopen MtGox without forcibly resetting the password on email and/or require proof of ID, coupled with a few weeks frozen accounts in which those who can't access the accounts can complain to support.
Mageant
Legendary
*
Offline Offline

Activity: 1082



View Profile WWW
June 19, 2011, 11:18:30 PM
 #70

Isn't it ironic that bitcoin mining is essentially also cracking a hash?

  ►  NEW ECONOMY MOVEMENT  ◄ 
  100% built from scratch • revolutionary forging mechanism • fairly distributed

BIETCOIN.DE - Kleinanzeigenmarkt für Bitcoin
bullox
Member
**
Offline Offline

Activity: 112


View Profile
June 19, 2011, 11:21:33 PM
 #71

Isn't it ironic that bitcoin mining is essentially also cracking a hash?
Very.   Almost every person in this forum has the necessary hardware to get crackin.
BubbleBoy
Sr. Member
****
Offline Offline

Activity: 322



View Profile
June 19, 2011, 11:28:11 PM
 #72

Quote
Almost every person in this forum has the necessary hardware to get crackin.

It seems it's the most profitable way to "mine", at least for this evening Smiley
BenD
Newbie
*
Offline Offline

Activity: 19



View Profile
June 19, 2011, 11:31:25 PM
 #73

i changed my pass also yesterday, can someone confirm the hack date???

I changed my password on June 18th, 0:42 am (GMT+1, summertime - it is 1:30 am when I post this). The hash in the csv represents my new password.

Edit: Oh sorry, this is of course not yesterday.
grod
Full Member
***
Offline Offline

Activity: 154


View Profile
June 19, 2011, 11:34:23 PM
 #74

I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.
phelix
Legendary
*
Offline Offline

Activity: 1680


nmc:id/phelix


View Profile
June 19, 2011, 11:43:11 PM
 #75


Does anyone know where i can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely cant remember what password i used on Mt Gox (never actually traded on it) but i know its one of several i can remember, so i want to do trial and error to check which one it is Tongue thanks.

on this site you can create your md5 hash if you are not sure which pw you used or just want to check if it is in there:

http://www.insidepro.com/hashes.php?lang=eng


old hash as in first 3000 users or so on the list:
just enter your password and look at the topmost box next to "MD5"

newer hash starting with $1$:
enter password and salt. you will find your hash at "MD5(Unix)"

salt is between the second and the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

hash goes after the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

I am in not affiliated in any way with the site and can not tell if they are trustworthy. So only check if your password is weak or you have changed it everywhere else.


blockchained.com ■ bitcointalk top posts
scooter
Member
**
Offline Offline

Activity: 100


View Profile
June 19, 2011, 11:48:52 PM
 #76

Can someone try to crack user 16139 please?

I would like to know how strong the password is. I believe it is pretty strong but I could be wrong.

If you have linux install john the ripper.
You can brute force your hash, or you can load rainbow tables and try that.

When the gawker.com database got hacked I tried my hash for fun to see how long it would take.
Less than 2 hours with 4 cpu cores brute force on an 8 character pass.

Luckily i never use the same password twice so it didnt cause a problem for me.


kjj
Legendary
*
Offline Offline

Activity: 1302



View Profile
June 19, 2011, 11:50:42 PM
 #77

I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.

Even a fairly weak password will take a while to find.  And you don't know in advance which passwords are weak, so you have to try them all, or try them one at a time.  This is bad, but not the end of the world.

Those passwords that have already been cracked were cracked because they were unsalted, which meant they could be stored in a database for lookup.  The rest are salted, and there is no shortcut to them.  The attacker actually has to calculate 1001 MD5 hashes using both the salt, and their current guess.  And unsuccessful guesses are wasted, they do not help on the next guess or the next account.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
myrkul
Hero Member
*****
Offline Offline

Activity: 532


FIAT LIBERTAS RVAT CAELVM


View Profile WWW
June 19, 2011, 11:53:21 PM
 #78

No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.

Length and option set trumps entropy and # of special characters.
!....1gOd1....! is more secure than as#^%^*($)! despite being easier to remember, and based on a dictionary word.

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET
kjj
Legendary
*
Offline Offline

Activity: 1302



View Profile
June 19, 2011, 11:54:31 PM
 #79

MTGOX BREAKING NEWS

We will do one hour with the TradeHill guys LIVE via Skype.... at 9pm to 10pm ET tonight.

Then, we will do one hour with the MtGox guys LIVE via telephone from Tokyo.... at 10pm to 11pm ET tonight.

Go to http://onlyonetv.com and click the "Watch Live" button now... and join in the Live Chatroom.

See All Time Zones here:  http://goo.gl/ZqQRq

I'm trying to figure out why you think it is acceptable to keep posting this in every thread.  Did you get dropped on your head a lot as a child?

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
brybot
Newbie
*
Offline Offline

Activity: 24


View Profile
June 20, 2011, 12:06:23 AM
 #80

Anybody check that csv file for viruses? Or did we just get compromised again?
Pages: « 1 2 3 [4] 5 6 7 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!