Bitcoin Forum
April 26, 2024, 04:07:26 PM *
Author Topic: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)  (Read 36624 times)
Yeti
Member
**
Offline Offline

Activity: 112
Merit: 10

Firstbits: 1yetiax


View Profile
June 19, 2011, 08:48:14 PM
 #21

PHP crypt, CRYPT_MD5: http://php.net/crypt

1YetiaXeuRzX9QJoQNUW84oX2EiXnHgp3 or http://payb.tc/yeti

Since Bitcoin Randomizer is dead, join the Bitcoin Pyramid (referrer id #203)! Be quick, be on top! Instant payout as soon as one of your referrals deposits!
Chick (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
June 19, 2011, 08:48:36 PM
 #22

I am around 4k!

And I joined in April


Now can someone take that data and calculate how fast bitcoin is growing? (come on, let's at least make something useful with the data :/ like, seeing the good side of bad things)

This.

Also, it's pretty scary to see my username, email address and password hash in the big list too but there are still a few questions that remain.

Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base 64 encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time but I'm kind of hoping that someone else already has :)

The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV.

Really though I'm with speeder, let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.

This is really bad... I cracked a few passwords using JohnTheRipper...

cypherdoc
Legendary
*
Offline Offline

Activity: 1764
Merit: 1002



View Profile
June 19, 2011, 08:49:13 PM
 #23

If they can't get the passwords because they're hashed, then... ummm, how did they do it?

What do you think Bitcoin miners are doing? Cracking hashes.

What do you think the passwords are protected with? Hashes.

So it's easy to crack hashed passwords, takes a few minutes per password, as long as it takes to crack a new Bitcoin block (about 10 minutes) is how long it takes to crack a hashed password.

that's bullshit you ass. miners are bruteforcing to attempt to come up with a number below the target hash. hashes are unbreakable and cannot be reconstructed back into the original password.
enmaku
Hero Member
*****
Offline Offline

Activity: 742
Merit: 500


View Profile
June 19, 2011, 08:51:06 PM
 #24

If they can't get the passwords because they're hashed, then... ummm, how did they do it?
So it's easy to crack hashed passwords, takes a few minutes per password
Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.

Which is why we salt passwords before hashing them. It might take seconds to find "monkey" but it'll take ages to find "monkeyefweug#%_#Tsafwef24g" and the user doesn't have to remember that second part. Really if the database is compromised the salt is in there with the hash so it doesn't help much but it DOES at least make it so that two people using the same password won't both be compromised by simply compromising one of them. It also makes "rainbow tables" (giant tables of common passwords and what they hash to) ineffective.
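
Added example, not part of any post in this thread: a defensive audit of a credential column that recognises the `$1$salt$digest` layout identified above as PHP CRYPT_MD5 and reports whether rows are salted and whether salts repeat. The sample rows are constructed placeholders, and the `NEEDS_REHASH` policy and function names are assumptions of this sketch.

```python
import re
from collections import Counter

# crypt(3) "modular crypt format" ids: $<id>$<salt>$<digest>
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt"}
B64 = "[./0-9A-Za-z]"
MD5CRYPT = re.compile(rf"^\$1\$({B64}{{1,8}})\$({B64}{{22}})$")
RAW_HEX = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
NEEDS_REHASH = {"md5crypt", "unsalted-hex", "unknown"}  # assumed policy

def classify(stored):
    """Return (scheme, salt) for one stored password field."""
    m = MD5CRYPT.match(stored)
    if m:
        return "md5crypt", m.group(1)
    if RAW_HEX.match(stored):          # bare MD5/SHA-1/SHA-256 digest, no salt
        return "unsalted-hex", None
    parts = stored.split("$")
    if len(parts) >= 4 and parts[0] == "" and parts[1] in SCHEMES:
        scheme = SCHEMES[parts[1]]
        # bcrypt keeps its 22-char salt at the front of the last field
        salt = parts[3][:22] if scheme == "bcrypt" else parts[-2]
        return scheme, salt
    return "unknown", None

def audit(rows):
    """rows: iterable of (username, stored_hash); returns a findings dict."""
    schemes, salts, weak = Counter(), Counter(), []
    for user, stored in rows:
        scheme, salt = classify(stored)
        schemes[scheme] += 1
        if salt is not None:
            salts[salt] += 1
        if scheme in NEEDS_REHASH:
            weak.append(user)
    reused = sorted(s for s, n in salts.items() if n > 1)
    return {"schemes": dict(schemes), "needs_rehash": weak,
            "reused_salts": reused}

# Constructed rows (not taken from the leak); digests are placeholders.
SAMPLE = [
    ("alice", "$1$Ab3dEf9h$0123456789abcdefghijkl"),
    ("bob",   "$1$Ab3dEf9h$zyxwvutsrqponmlkjihgfe"),
    ("carol", "00112233445566778899aabbccddeeff"),
    ("dave",  "$2y$12$" + "N" * 22 + "h" * 31),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A repeated salt in `reused_salts` means two accounts share one precomputation cost, which is the property per-user salting is meant to remove.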
myrkul
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500


FIAT LIBERTAS RVAT CAELVM


View Profile WWW
June 19, 2011, 08:55:49 PM
 #25

This is really bad... I cracked a few passwords using JohnTheRipper...

I have never been so glad to be broke.

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET
kseistrup
Hero Member
*****
Offline Offline

Activity: 566
Merit: 500


Unselfish actions pay back better


View Profile WWW
June 19, 2011, 08:56:19 PM
 #26


I am curious, how did they get that DB in the first place?

+1


Klaus Alexander Seistrup
myrkul
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500


FIAT LIBERTAS RVAT CAELVM


View Profile WWW
June 19, 2011, 09:04:07 PM
 #27


I am curious, how did they get that DB in the first place?

+1


Turns out:
SQL Injection.

Sanitize your inputs, kiddies!

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET
NO_SLAVE
Newbie
*
Offline Offline

Activity: 56
Merit: 0



View Profile
June 19, 2011, 09:10:46 PM
 #28


Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.

Wow, glad I changed my password to "efweug#%_#Tsafwef24g" just 2 days ago!
bitcoinminer
Sr. Member
****
Offline Offline

Activity: 322
Merit: 252



View Profile
June 19, 2011, 09:11:12 PM
 #29

wow. Talk about fucked. I second the previous notion of "glad I'm broke".

Be fearful when others are greedy, and greedy when others are fearful.

-Warren Buffett
hiVe
Sr. Member
****
Offline Offline

Activity: 254
Merit: 250


https://www.soar.earth/


View Profile
June 19, 2011, 09:12:11 PM
 #30

Nice one, it's legit! :) I'm surprised. Gotta give it to them, btw where did the OP find this? google? :D


gigitrix
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500



View Profile
June 19, 2011, 09:14:53 PM
 #31

Interesting to note the malformed records which suggest SQL injection attacks of such simplicity, that an 8 year old 4channer with an automated pentest program could get in. I have only once traded using mtgox, but I'm seriously ticked off right now. I'm seriously angry that MtGox was trusted with so many people's money, was so central to bitcoin itself. As a fellow PHP developer I feel ashamed that people like MtGox bring the rest of us down, making us look like 14 year old script kiddies. I'm ashamed that they have not learned the rudimentary techniques that would be the first lesson in how to successfully secure any website. I'm astounded that a website trading 30 million dollars of value every month is less secure than a web game I built when I was 15.

In particular, see these rows (pasted from OpenOfficed CSV so it's turned into tab separation; I will add to this as I find more):



12558hehehe\'000)waitfor delay\'0:$1$ldybUNj/$jZ5XJRWM8DsOTM3FU9TyN0
12557hehehe\'00)waitfor delay\'0:0:$1$TVk6yuVk$IKj5636wmFDwul0J2mtw8.
30306yui9&^&%$1$tRf6y.pr$EWaJXMzwRfyXvq5zI3.y..
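
Added example, not part of any post in this thread: a defender's check for the kind of residue described above, where probe strings end up stored as usernames. It uses an in-memory SQLite table with bound parameters; the table layout, the `ALLOWED` signup policy, the function names and the sample rows (two modelled on the rows quoted above) are assumptions of this sketch.

```python
import re
import sqlite3

# Assumed signup policy: what a legitimate username may contain.
ALLOWED = re.compile(r"^[A-Za-z0-9_.@-]{1,32}$")
# Markers seen in the quoted rows (escaped quote, time-delay keyword),
# plus statement separators and comment starts.
PROBE = re.compile(r"\\?'|waitfor\s+delay|;|--", re.IGNORECASE)

def load(rows):
    """Store rows with bound parameters so usernames stay data, never SQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (id, name) VALUES (?, ?)", rows)
    return db

def suspicious(db):
    """Return (id, name, reason) for names that hint at injection probing."""
    findings = []
    for uid, name in db.execute("SELECT id, name FROM users ORDER BY id"):
        if PROBE.search(name):
            findings.append((uid, name, "sql-probe"))
        elif not ALLOWED.match(name):
            findings.append((uid, name, "outside-policy"))
    return findings

# Constructed sample; rows 2 and 3 are modelled on the rows quoted above.
SAMPLE = [
    (1, "alice"),
    (2, "hehehe\\'000)waitfor delay\\'0:"),
    (3, "yui9&^&%"),
    (4, "bob.smith"),
]

if __name__ == "__main__":
    for finding in suspicious(load(SAMPLE)):
        print(finding)
```

The hostile name in row 2 is stored verbatim and the table still holds all four rows, because the `?` placeholders keep it out of the SQL text.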
bitclown
Full Member
***
Offline Offline

Activity: 185
Merit: 100


View Profile
June 19, 2011, 09:16:25 PM
 #32

Stopped trading on Empty Gox two weeks ago due to the increasing reports of compromised accounts. I certainly can't see myself going back to trusting Magical Tux' PHP skills with my money after this.
jondecker76
Full Member
***
Offline Offline

Activity: 238
Merit: 100


View Profile
June 19, 2011, 09:18:06 PM
 #33

There is a good number of us (meaning good, honest bitcoin users and supporters) that have been reporting that we had BTC stolen for a while now, but they kept denying our claims and blaming us.

I sincerely hope they plan on reimbursing us (I mean come on, it's only 20.19 BTC in my case)


RollerBot Advanced Trading Platform
https://bitcointalk.org/index.php?topic=447727.0
BTC Donations for development: 1H36oTJsi3adFh68wwzz95tPP2xoAoTmhC
CharlieContent
Full Member
***
Offline Offline

Activity: 210
Merit: 100


View Profile
June 19, 2011, 09:23:37 PM
 #34

These fucking clowns should have stuck to selling Magic: The Gathering cards.
Durr
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
June 19, 2011, 09:25:25 PM
 #35

These fucking clowns should have stuck to selling Magic: The Gathering cards.

true that :D
Bazil
Full Member
***
Offline Offline

Activity: 126
Merit: 100


View Profile
June 19, 2011, 09:28:09 PM
 #36

I don't know, I'd be more likely to trust mtgox after this. At least their problems are now known and will be fixed, who knows what the vulnerabilities of the other trade sites are? The only thing that annoys me about this is it publicizes everyone's email addys. Although once upon a time I made a blog from scratch, and I made better PW security than mtgox has, now that is sad.

17Bo9a6YpXN2SbwY8mXLCD43Wup9ZE4rwm
frozen
Full Member
***
Offline Offline

Activity: 196
Merit: 100



View Profile
June 19, 2011, 09:36:00 PM
 #37

The good news about this event is that I believe it will lead to a more decentralized exchange setup.

skerit
Newbie
*
Offline Offline

Activity: 20
Merit: 0


View Profile WWW
June 19, 2011, 09:38:49 PM
 #38

I'm number 905. Don't remember when I signed up really, but I only got into bitcoin once you could get bitcoins from Europe. Which was pretty late in the game.
Chick (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
June 19, 2011, 09:39:41 PM
 #39

These guys deserved their accounts to be hacked...



myrkul
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500


FIAT LIBERTAS RVAT CAELVM


View Profile WWW
June 19, 2011, 09:49:44 PM
 #40

Give mine a shot. User ID 11195

I consider the account compromised anyway, and it's empty, regardless... But I would like a difficulty test on my password. Which, to be clear, is unique to Mt. Gox.

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET