IlbiStarz
June 19, 2011, 09:52:00 PM
Maybe this file is actually a virus/keylogger that will steal your wallet.dat or find your new password once Mt.Gox comes up again? That's the only thing preventing me from downloading this file.
Really tempted though...
Or maybe I'm just stupid/paranoid.
Chick (OP)
Member
Offline
Activity: 70
Merit: 10
June 19, 2011, 09:54:07 PM
> Maybe this file is actually a virus/keylogger that will steal your wallet.dat or find your new password once Mt.Gox comes up again? That's the only thing preventing me from downloading this file.
> Really tempted though...
> Or maybe I'm just stupid/paranoid.

Dude, it's a fucking CSV file. Check the extension, open the URL up in Google Docs if you're too scared.
WiseOldOwl
June 19, 2011, 10:02:53 PM
I am not able to get the file. Has it been removed, or am I just having problems on my end?
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
June 19, 2011, 10:04:58 PM
is there a way to "search" this csv list for my username instead of scrolling 60K names?
killer2021
Member
Offline
Activity: 84
Merit: 10
June 19, 2011, 10:07:04 PM
I changed my password the other day when someone said the account was hacked.
Chick (OP)
Member
Offline
Activity: 70
Merit: 10
June 19, 2011, 10:08:13 PM
> is there a way to "search" this csv list for my username instead of scrolling 60K names?

Ctrl + Find. I opened it up in Google Docs.
airdata
June 19, 2011, 10:10:01 PM
Oh... nice... so much for anonymity.
How easy is that password hash to crack?
MeowMixer
Newbie
Offline
Activity: 48
Merit: 0
June 19, 2011, 10:12:11 PM
> is there a way to "search" this csv list for my username instead of scrolling 60K names?

ctrl+f
bullox
June 19, 2011, 10:19:30 PM
So obviously it's md5, and the salt is contained within the db entry, but what method are they using to get the unicode characters back into the hex strings that most password crackers utilize for reversing md5?
Chick (OP)
Member
Offline
Activity: 70
Merit: 10
June 19, 2011, 10:23:57 PM
> So obviously it's md5, and the salt is contained within the db entry, but what method are they using to get the unicode characters back into the hex strings that most password crackers utilize for reversing md5?

I don't think they're salting their passwords. I'm using John The Ripper to crack these worthless "123456" md5-crypt passwords.
TheBitMan
June 19, 2011, 10:26:11 PM
I'm a member but I couldn't find mine
Batouzo
Member
Offline
Activity: 70
Merit: 10
June 19, 2011, 10:30:07 PM
> Which is why we salt passwords before hashing them. It might take seconds to find "monkey" but it'll take ages to find "monkeyefweug#%_#Tsafwef24g" and the user doesn't have to remember that second part. Really if the database is compromised the salt is in there with the hash so it doesn't help much but it DOES at least make it so that two people using the same password won't both be compromised by simply compromising one of them. It also makes "rainbow tables" (giant tables of common passwords and what they hash to) ineffective.

It depends. If (if, I'm not sure how this is in the case of mtgox) the entire users database was leaked, then usually you also have the salts for each user right there in the database. On the other hand, if they coded it smartly, they also used an extra salt that is only in the source code and not in the database; that one should help indeed.
DeiBellum
Newbie
Offline
Activity: 22
Merit: 0
June 19, 2011, 10:34:21 PM
So, WTF happened to websites being responsible and hashing emails as well?
Just my .02btc
Otoh
Donator
Legendary
Offline
Activity: 3108
Merit: 1166
June 19, 2011, 10:35:11 PM (last edit: June 19, 2011, 11:03:08 PM by Otoh)
> I do not know if this is real or fake. However, this is a direct download link that I hosted. Please comment... http://bit.ly/kE3Q4D
> [Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]

I can't believe that. This is completely against every privacy consideration that this file is openly distributed.

> Sig: >12y experience in trading. Donations accepted: 14TeeHy4igXUgfnjXmCFG5MwkcRKZRkprS Please always do your own due diligence, and consult your financial advisor. Never invest unless you can afford to lose your entire investment. http://twitter.com/BitcoinAnalyst

lols @ Sig irony
TheBitMan
June 19, 2011, 10:35:35 PM
> is there a way to "search" this csv list for my username instead of scrolling 60K names?

control+f and type in
Batouzo
Member
Offline
Activity: 70
Merit: 10
June 19, 2011, 10:36:54 PM
> So obviously it's md5, and the salt is contained within the db entry, but what method are they using to get the unicode characters back into the hex strings that most password crackers utilize for reversing md5?

Mother of god... I'm usually coding a web game page (no money) more securely...
Caesium
June 19, 2011, 10:37:53 PM
> On the other hand, if they coded it smartly, they also used an extra salt that is only in the source code and not in the database; that one should help indeed.

They didn't. My details are in there and I reproduced the hash for my password with the following perl:

    #!/usr/bin/perl
    use strict;
    use warnings;
    # This is the start of the salted password field in the accounts.csv;
    # the part between the second and third '$' is the 8-character alphanumeric salt.
    my $salt = '$1$SALT$';
    # Do this on a secure box: you're entering your password into a text editor.
    my $pw = 'MY_PLAIN_PASSWORD';
    my $encpw = crypt($pw, $salt);
    print "Encrypted password: $encpw\n";

Observe how the printed hash equals the bit after the salt in the accounts.csv. Thus no hidden salt or trickery.
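Added here as an illustration (not Caesium's script and not anything from Mt.Gox): a pure-Python md5-crypt, the `$1$salt$hash` scheme the leaked accounts.csv used, with a verifier that recomputes a stored field from a candidate password the way Caesium's Perl `crypt()` call does. It also makes Batouzo's point concrete: the salt is read out of the stored field itself, so without an extra secret kept outside the database a leaked table carries everything needed to recompute a hash. The salt and password values are constructed.

```python
import hashlib

# crypt(3) base-64 alphabet; md5-crypt emits the low 6 bits of each group first.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Return '$1$<salt>$<22 chars>' following Poul-Henning Kamp's md5crypt.c."""
    salt = salt[:8]                        # at most 8 salt bytes are used
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # mix in as many bytes of alt as the password is long
    ctx.update((alt * (len(password) // 16 + 1))[: len(password)])
    # one byte per bit of len(password): NUL for a 1 bit, password[0] for a 0 bit
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                  # fixed 1000-round stretching
        c = hashlib.md5(password if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(password)
        c.update(final if r & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$1$" + salt.decode() + "$" + enc + _to64(final[11], 2)


def verify(stored: str, candidate: str) -> bool:
    """True iff candidate reproduces the stored field; the salt comes from the field itself."""
    tag, salt = stored.split("$")[1:3]
    if tag != "1":
        raise ValueError("not an md5-crypt field")
    return md5_crypt(candidate.encode(), salt.encode()) == stored


if __name__ == "__main__":
    # constructed values, not data from the leak
    leaked = md5_crypt(b"123456", b"abcdefgh")
    print(leaked, verify(leaked, "123456"), verify(leaked, "password"))
```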
PGPpfKkx
June 19, 2011, 10:38:20 PM
I changed my pass also yesterday. Can someone confirm the hack date???
kjj
Legendary
Offline
Activity: 1302
Merit: 1026
June 19, 2011, 10:40:48 PM
I should point out that the site made a change to improve password security at least several months ago. Any passwords set after that time are secure.
Their biggest fault was not forcing users to update their passwords at that time.
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.
F104
Newbie
Offline
Activity: 26
Merit: 0
June 19, 2011, 10:43:19 PM
I am not as computer literate as most of you. I have some dumb questions. Please be patient with me.
1. Is the *only* data that has been lost the user names, email and hashed password? Is there any way these people can get at my wallet? (I had nothing at Mt. Gox so I have no worries about that)
2. Can they get at the account from which I sent money to Mt Gox?
3. How could this have happened? I expected a person handling this kind of money would be secured like my bank website. On the other hand, why did everyone trust him?
4. Is Mt. Gox giving any accountability such as taking steps to secure what information has not been lost yet?
5. Luckily I used my Mt Gox password only there. What steps should I take to secure other data I have?
Thanks.