Yeti
June 19, 2011, 08:48:14 PM
PHP crypt, CRYPT_MD5: http://php.net/crypt
Chick (OP)
June 19, 2011, 08:48:36 PM
I am around 4k!
And I joined in April.
Now can someone take that data and calculate how fast bitcoin is growing? (Come on, let's at least make something useful with the data :/ like, seeing the good side of bad things)
This. Also, it's pretty scary to see my username, email address and password hash in the big list too, but there are still a few questions that remain. Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base64-encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time, but I'm kind of hoping that someone else already has. The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV. Really though, I'm with speeder: let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.
This is really bad... I cracked a few passwords using JohnTheRipper...
cypherdoc
June 19, 2011, 08:49:13 PM
If they can't get the passwords because they're hashed, then... ummm, how did they do it?
What do you think Bitcoin miners are doing? Cracking hashes. What do you think the passwords are protected with? Hashes. So it's easy to crack hashed passwords, takes a few minutes per password; as long as it takes to crack a new Bitcoin block (about 10 minutes) is how long it takes to crack a hashed password.
That's bullshit, you ass. Miners are brute-forcing to attempt to come up with a number below the target hash. Hashes are unbreakable and cannot be reconstructed back into the original password.
enmaku
June 19, 2011, 08:51:06 PM
If they can't get the passwords because they're hashed, then... ummm, how did they do it?
So it's easy to crack hashed passwords, takes a few minutes per password
Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years. Which is why we salt passwords before hashing them. It might take seconds to find "monkey" but it'll take ages to find "monkeyefweug#%_#Tsafwef24g", and the user doesn't have to remember that second part. Really, if the database is compromised the salt is in there with the hash, so it doesn't help much, but it DOES at least make it so that two people using the same password won't both be compromised by simply compromising one of them. It also makes "rainbow tables" (giant tables of common passwords and what they hash to) ineffective.
myrkul
June 19, 2011, 08:55:49 PM
This is really bad... I cracked a few passwords using JohnTheRipper...
I have never been so glad to be broke.
kseistrup
June 19, 2011, 08:56:19 PM
I am curious, how did they get that DB in the first place?
+1
Klaus Alexander Seistrup
myrkul
June 19, 2011, 09:04:07 PM
I am curious, how did they get that DB in the first place?
+1
Turns out: SQL Injection. Sanitize your inputs, kiddies!
NO_SLAVE
June 19, 2011, 09:10:46 PM
Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.
Wow, glad I changed my password to "efweug#%_#Tsafwef24g" just 2 days ago!
bitcoinminer
June 19, 2011, 09:11:12 PM
Wow. Talk about fucked. I second the previous notion of "glad I'm broke".
Be fearful when others are greedy, and greedy when others are fearful.
-Warren Buffett
hiVe
June 19, 2011, 09:12:11 PM
Nice one, it's legit! I'm surprised. Gotta give it to them. Btw, where did the OP find this? Google?
gigitrix
June 19, 2011, 09:14:53 PM
Interesting to note the malformed records, which suggest SQL injection attacks of such simplicity that an 8-year-old 4channer with an automated pentest program could get in. I have only once traded using mtgox, but I'm seriously ticked off right now. I'm seriously angry that MtGox was trusted with so many people's money, was so central to bitcoin itself. As a fellow PHP developer I feel ashamed that people like MtGox bring the rest of us down, making us look like 14-year-old script kiddies. I'm ashamed that they have not learned the rudimentary techniques that would be the first lesson in how to successfully secure any website. I'm astounded that a website trading 30 million dollars of value every month is less secure than a web game I built when I was 15. In particular, see these rows (pasted from an OpenOffice'd CSV so it's turned into tab separation; I will add to this as I find more):
12558 | hehehe\' | 0 | 0 | 0)waitfor delay\'0: | $1$ldybUNj/$jZ5XJRWM8DsOTM3FU9TyN0
12557 | hehehe\' | 0 | 0)waitfor delay\'0:0: | $1$TVk6yuVk$IKj5636wmFDwul0J2mtw8.
30306 | yui9 | &^&% | $1$tRf6y.pr$EWaJXMzwRfyXvq5zI3.y..
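The malformed rows above, used as an added example that is not from the thread: constructed usernames modelled on them are stored through sqlite3 so that an unsafe concatenated lookup and a parameterised lookup can be compared on the same data. The table name, column names and the placeholder hash strings are assumptions.

```python
import sqlite3

# Constructed rows modelled on the malformed records quoted in the thread. The
# probe strings are what an injection scanner leaves behind once they are stored
# as ordinary data; the hash values are placeholders, not real hashes.
SAMPLE_ROWS = [
    ("hehehe'", "$1$placeholder$hash"),
    ("0)waitfor delay'0:0:", "$1$placeholder$hash"),
    ("yui9", "$1$placeholder$hash"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT)")
    # executemany with "?" placeholders stores the quote-bearing names verbatim
    db.executemany("INSERT INTO users (name, pwhash) VALUES (?, ?)", SAMPLE_ROWS)
    return db

def lookup_concat(db, name):
    """Unsafe: the username is spliced into the SQL text, so its quote characters
    become part of the statement (here a syntax error; elsewhere a changed query)."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)

def lookup_param(db, name):
    """Safe: the value travels separately from the statement, so the same strings
    are matched, and were stored, as plain data."""
    return [row[0] for row in db.execute("SELECT id FROM users WHERE name = ?", (name,))]

def demo():
    """Run both lookups against every sample name; returns {name: (unsafe, safe)}."""
    db = make_db()
    return {n: (lookup_concat(db, n), lookup_param(db, n)) for n, _ in SAMPLE_ROWS}
```

Both probe names make the concatenated statement fail while the parameterised one finds the row; the plain name "yui9" works either way, which is why this class of bug survives ordinary testing.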
bitclown
June 19, 2011, 09:16:25 PM
Stopped trading on Empty Gox two weeks ago due to the increasing reports of compromised accounts. I certainly can't see myself going back to trusting Magical Tux' PHP skills with my money after this.
jondecker76
June 19, 2011, 09:18:06 PM
There is a good number of us (meaning good, honest bitcoin users and supporters) that have been reporting that we had BTC stolen for a while now, but they kept denying our claims and blaming us.
I sincerely hope they plan on reimbursing us (I mean come on, it's only 20.19 BTC in my case).
CharlieContent
June 19, 2011, 09:23:37 PM
These fucking clowns should have stuck to selling magic the gathering cards.
Durr
June 19, 2011, 09:25:25 PM
These fucking clowns should have stuck to selling magic the gathering cards.
true that
Bazil
June 19, 2011, 09:28:09 PM
I don't know, I'd be more likely to trust mtgox after this. At least their problems are now known and will be fixed; who knows what the vulnerabilities of the other trade sites are? The only thing that annoys me about this is it publicizes everyone's email addys. Although once upon a time I made a blog from scratch, and I made better PW security than mtgox has; now that is sad.
17Bo9a6YpXN2SbwY8mXLCD43Wup9ZE4rwm
frozen
June 19, 2011, 09:36:00 PM
The good news about this event is that I believe it will lead to a more decentralized exchange setup.
skerit
June 19, 2011, 09:38:49 PM
I'm number 905. Don't remember when I signed up really, but I only got into bitcoin once you could get bitcoins from Europe, which was pretty late in the game.
Chick (OP)
June 19, 2011, 09:39:41 PM
These guys deserved their accounts to be hacked...
myrkul
June 19, 2011, 09:49:44 PM
Give mine a shot. User ID 11195
I consider the account compromised anyway, and it's empty, regardless... But I would like a difficulty test on my password. Which, to be clear, is unique to Mt. Gox.