Bitcoin Forum
May 04, 2024, 11:45:32 AM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
Pages: « 1 2 3 [4] 5 6 7 »
Author Topic: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)  (Read 36629 times)
myrkul
Hero Member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
June 19, 2011, 10:45:43 PM
 #61

Quote
at least several months ago.

Need a date, man... That's way too vague.

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET
phelix
Legendary
Activity: 1708
Merit: 1019
June 19, 2011, 10:49:46 PM
 #62

comes in handy: look up where you used your compromised password in the Firefox saved passwords list

http://www.howtogeek.com/howto/ubuntu/find-a-forgotten-password-saved-in-firefox/
Chick (OP)
Member
Activity: 70
Merit: 10
June 19, 2011, 10:52:47 PM
 #63

Quote
I am not as computer literate as most of you. I have some dumb questions. Please be patient with me.

1. Is the *only* data that has been lost the user names, email and hashed password? Is there any way these people can get at my wallet? (I had nothing at Mt. Gox so I have no worries about that)

2. Can they get at the account from which I sent money to Mt Gox?

3. How could this have happened? I expected a person handling this kind of money would be secured like my bank website. On the other hand, why did everyone trust him?

4. Is Mt. Gox giving any accountability such as taking steps to secure what information has not been lost yet?

5. Luckily I used my Mt Gox password only there. What steps should I take to secure other data I have?

thanks

1. This is the only data that we know of that was leaked. No, there is no possible way they can get to your wallet unless they got into your computer via a remote connection using your password.

2. If you used the same password, yes.

3. Most likely SQL injection, I'm surprised that in 2011 people are still not using prepared statements for querying the database. Because it is the most popular? Didn't have any problems for a long time.

4. Most likely.

5. If you used the same password as the one at Mt. Gox, change it.
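The answer above guesses at SQL injection and asks why prepared statements were not in use. The script below is an added illustration of that general point, not Mt. Gox's code (the thread never shows it): the same user lookup written once by string formatting and once as a parameterised query, run against a constructed in-memory SQLite table. With the string-built form a tautology in the name field returns every row, hashes included, which is exactly the kind of dump this thread is about; the bound parameter is only ever compared as data.

```python
"""Unsafe string-built SQL beside the prepared-statement form.

Added illustration, not code from Mt. Gox or from any poster. The schema,
the two rows and the payload are constructed for the demo.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT);
INSERT INTO users VALUES (1, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO users VALUES (2, 'bob', '$1$saltstri$YMyguxXMBpd2TEZ.vS/3q1');
"""
# Classic tautology payload for the name field (constructed).
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by string formatting: the input becomes SQL."""
    sql = "SELECT id, name, pw_hash FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Binds the input as a parameter: it can only be compared as a value."""
    sql = "SELECT id, name, pw_hash FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row, hashes included
    print("prepared:  ", lookup_prepared(db, PAYLOAD))    # no user has that literal name
```

The vulnerable form yields `WHERE name = '' OR '1'='1'`, so the WHERE clause is always true; the prepared form never re-parses the statement, so no value of `name` can change it.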

kjj
Legendary
Activity: 1302
Merit: 1024
June 19, 2011, 10:53:07 PM
 #64

Quote
at least several months ago.

Need a date, man... That's way too vague.

I don't know.  I'm just going off the data I have (that everyone has by now).

The newest account that I've found with an old-style hash was #3045.  I signed up about a month ago, and my number is near #10,000.  Since 50,000 of the 60,000 accounts were from the last month, I feel pretty safe saying that the change was more than a month before I signed up.  Closer to that, I can't say.

But it is trivial for anyone to find their own name in the file and check the password hash listed.  Starts with $, probably safe, but think about changing it anyway.  Doesn't start with $, change it now, and change it in every place that you've ever used that password, or one similar to it.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
pete248
Newbie
Activity: 12
Merit: 0
June 19, 2011, 10:54:13 PM
 #65

Does anyone know where I can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely can't remember what password I used on Mt. Gox (never actually traded on it) but I know it's one of several I can remember, so I want to do trial and error to check which one it is. Thanks.
EpicFail
Member
Activity: 94
Merit: 10
June 19, 2011, 10:56:47 PM
 #66

Can someone try to crack user 16139 please?

I would like to know how strong the password is. I believe it is pretty strong but I could be wrong.
Stephe
Newbie
Activity: 7
Merit: 0
June 19, 2011, 11:02:23 PM
 #67

Quote
Does anyone know where I can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely can't remember what password I used on Mt. Gox (never actually traded on it) but I know it's one of several I can remember, so I want to do trial and error to check which one it is. Thanks.

Code:
<?php
// The salt is the part of your leaked entry between the second and third '$'.
// Single quotes keep PHP from reading "$SALT_FROM_FILE" as a variable name.
echo crypt('yourpassword', '$1$SALT_FROM_FILE$');
?>
kjj
Legendary
Activity: 1302
Merit: 1024
June 19, 2011, 11:07:01 PM
 #68

If you have PHP, try this on the command line:

Code:
# the backslashes stop PHP from treating $SALT_FROM_FILE (or a real salt) as a variable
php -r 'echo crypt("PASSWORD", "\$1\$SALT_FROM_FILE\$") . "\n";'

There is a similar way to do it in PERL, but I don't know it off the top of my head.

Also, I found an online thingie.  http://crypt.php-functions.com/.  Please note that I didn't test this with my password, because I don't trust it, but if you do trust it, the syntax is:

Code:
echo crypt("PASSWORD", '$1$SALT_FROM_FILE$');

Oh, and account 16139 is probably fine.  There are no services that can crack your password short of a brute force attempt.  How long the brute force takes will depend on the length and complexity of your password.  A short password, or one that is in a dictionary, or similar to a dictionary word, will be fairly easy.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
BubbleBoy
Sr. Member
Activity: 504
Merit: 250
June 19, 2011, 11:14:06 PM
 #69

Quote
I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

The passwords before ID 3000 that were not changed are plain md5 hashes. Almost all are easily cracked. Example:
id: 642
name: shlax
hash: de434a6e3a01de06657454e07349535c
password: pretorian

The ones starting with $ are MD5 crypt passwords. The 1000 MD5 iterations add about 10 bits of apparent entropy, and the salts prevent parallelisation. If they are good, such passwords survive, but any less than 10 character alphanumeric password is in danger. Any all numeric under 20 digits, and all single case under 15 letters may be also in danger. If it's a dictionary word, forget it.

IMO there's no way to reopen MtGox without forcibly resetting the password on email and/or require proof of ID, coupled with a few weeks frozen accounts in which those who can't access the accounts can complain to support.

Mageant
Legendary
Activity: 1145
Merit: 1001
June 19, 2011, 11:18:30 PM
 #70

Isn't it ironic that bitcoin mining is essentially also cracking a hash?

cjgames.com
bullox
Full Member
Activity: 131
Merit: 100
June 19, 2011, 11:21:33 PM
 #71

Quote
Isn't it ironic that bitcoin mining is essentially also cracking a hash?

Very. Almost every person in this forum has the necessary hardware to get crackin'.
BubbleBoy
Sr. Member
Activity: 504
Merit: 250
June 19, 2011, 11:28:11 PM
 #72

Quote
Almost every person in this forum has the necessary hardware to get crackin.

It seems it's the most profitable way to "mine", at least for this evening.

BenD
Newbie
Activity: 20
Merit: 0
June 19, 2011, 11:31:25 PM
 #73

i changed my pass also yesterday, can someone confirm the hack date???

I changed my password on June 18th, 0:42 am (GMT+1, summertime - it is 1:30 am when I post this). The hash in the csv represents my new password.

Edit: Oh sorry, this is of course not yesterday.
grod
Full Member
Activity: 154
Merit: 100
June 19, 2011, 11:34:23 PM
 #74

Quote
I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.
phelix
Legendary
Activity: 1708
Merit: 1019
June 19, 2011, 11:43:11 PM
 #75


Quote
Does anyone know where I can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely can't remember what password I used on Mt. Gox (never actually traded on it) but I know it's one of several I can remember, so I want to do trial and error to check which one it is. Thanks.

on this site you can create your md5 hash if you are not sure which pw you used or just want to check if it is in there:

http://www.insidepro.com/hashes.php?lang=eng


old hash as in first 3000 users or so on the list:
just enter your password and look at the topmost box next to "MD5"

newer hash starting with $1$:
enter password and salt. you will find your hash at "MD5(Unix)"

salt is between the second and the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

hash goes after the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

I am not affiliated in any way with the site and cannot tell if they are trustworthy. So only check if your password is weak or you have changed it everywhere else.

scooter
Member
Activity: 100
Merit: 10
June 19, 2011, 11:48:52 PM
 #76

Quote
Can someone try to crack user 16139 please?

I would like to know how strong the password is. I believe it is pretty strong but I could be wrong.

If you have Linux, install John the Ripper.
You can brute-force your hash, or you can load rainbow tables and try that.

When the gawker.com database got hacked I tried my hash for fun to see how long it would take.
Less than 2 hours with 4 cpu cores brute force on an 8 character pass.

Luckily I never use the same password twice so it didn't cause a problem for me.


kjj
Legendary
Activity: 1302
Merit: 1024
June 19, 2011, 11:50:42 PM
 #77

Quote
I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.

Even a fairly weak password will take a while to find.  And you don't know in advance which passwords are weak, so you have to try them all, or try them one at a time.  This is bad, but not the end of the world.

Those passwords that have already been cracked were cracked because they were unsalted, which meant they could be stored in a database for lookup.  The rest are salted, and there is no shortcut to them.  The attacker actually has to calculate 1001 MD5 hashes using both the salt, and their current guess.  And unsuccessful guesses are wasted, they do not help on the next guess or the next account.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
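Posts #68 and #75 above show how to recompute a `$1$` entry with PHP's crypt() once you have pulled the salt out from between the second and third `$`, and posts #69 and #77 explain why the unsalted pre-#3000 entries fell immediately (one lookup table serves every account) while the MD5-crypt ones cost 1000 MD5 rounds per guess per account. The script below is an added example, not code from any poster: it implements the `$1$` algorithm as FreeBSD crypt(3) defines it, checks it against a published test vector, detects which of the two formats a record uses, and counts the MD5 calls a wordlist attack spends on each kind. The `id,name,hash` CSV layout and every record in it are constructed for the demo, not taken from the leaked file.

```python
"""Check constructed (id,name,hash) records against candidate passwords.

Added example for posts #68, #69, #75 and #77; not code from the thread.
Handles the two formats the posts describe: a bare 32-hex unsalted MD5 for
the oldest accounts and "$1$salt$hash" MD5-crypt for the rest. The MD5-crypt
routine follows FreeBSD crypt(3). CSV layout and records are constructed.
"""
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS = 1000  # fixed by the $1$ scheme: the "1000 MD5 iterations"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)'s little-endian base-64 of the low 6*count bits of value."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Return "$1$<salt>$<hash>" exactly as crypt(3) does for the $1$ scheme."""
    magic = b"$1$"
    if salt.startswith(magic):
        salt = salt[3:]
    salt = salt.split(b"$", 1)[0][:8]  # at most 8 chars, ends at the next '$'
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:  # len(password) bytes of alt, repeated as needed
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(password)
    while bit:  # one byte per bit of the length: NUL or the first password byte
        ctx.update(b"\x00" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(ROUNDS):  # the deliberately slow part
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    ) + _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode()


def scheme(stored: str) -> str:
    """'md5' for the old unsalted entries, 'md5crypt' for the $1$ ones."""
    if stored.startswith("$1$"):
        return "md5crypt"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower()):
        return "md5"
    return "unknown"


def verify(stored: str, candidate: str) -> bool:
    """True if candidate is the password behind stored, whichever format."""
    kind = scheme(stored)
    if kind == "md5":
        return hashlib.md5(candidate.encode()).hexdigest() == stored.lower()
    if kind == "md5crypt":
        salt = stored.split("$")[2]  # text between the second and third '$'
        return md5_crypt(candidate.encode(), salt.encode()) == stored
    return False


def parse_csv(text: str) -> list:
    """Parse constructed 'id,name,hash' lines into (id, name, hash) tuples."""
    rows = []
    for line in text.strip().splitlines():
        uid, name, stored = line.split(",", 2)
        rows.append((int(uid), name, stored.strip()))
    return rows


def crack(rows: list, wordlist: list) -> tuple:
    """Return ({uid: password}, md5_calls): unsalted rows share one table,
    salted rows get no shortcut and pay ROUNDS+2 digests per guess each."""
    found, work = {}, 0
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    work += len(wordlist)  # hashed once, reused for every unsalted account
    for uid, _name, stored in rows:
        kind = scheme(stored)
        if kind == "md5" and stored.lower() in table:
            found[uid] = table[stored.lower()]
        elif kind == "md5crypt":
            for w in wordlist:  # recomputed with this account's own salt
                work += ROUNDS + 2
                if verify(stored, w):
                    found[uid] = w
                    break
    return found, work


# Constructed records: md5("password"), md5("abc"), md5crypt("Hello world!", "saltstring").
SAMPLE_CSV = """\
1234,alice,5f4dcc3b5aa765d61d8327deb882cf99
2999,carol,900150983cd24fb0d6963f7d28e17f72
20001,bob,$1$saltstri$YMyguxXMBpd2TEZ.vS/3q1
"""
WORDLIST = ["123456", "password", "letmein", "Hello world!", "qwerty"]

if __name__ == "__main__":
    print(crack(parse_csv(SAMPLE_CSV), WORDLIST))
```

To test one of your own candidate passwords against your own line from the file, call `verify(stored_hash, candidate)` with the hash column as-is; the salt is read out of the string, so nothing has to be pasted into an untrusted web form. The `work` counter is the point of #77: the five-word list costs five MD5 calls for every unsalted account put together, but about a thousand per word per salted account, and a miss on one account buys nothing on the next.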
myrkul
Hero Member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
June 19, 2011, 11:53:21 PM
 #78

Quote
No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.

Length and option set trumps entropy and # of special characters.
!....1gOd1....! is more secure than as#^%^*($)! despite being easier to remember, and based on a dictionary word.

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET
kjj
Legendary
Activity: 1302
Merit: 1024
June 19, 2011, 11:54:31 PM
 #79

Quote
MTGOX BREAKING NEWS

We will do one hour with the TradeHill guys LIVE via Skype.... at 9pm to 10pm ET tonight.

Then, we will do one hour with the MtGox guys LIVE via telephone from Tokyo.... at 10pm to 11pm ET tonight.

Go to http://onlyonetv.com and click the "Watch Live" button now... and join in the Live Chatroom.

See All Time Zones here:  http://goo.gl/ZqQRq

I'm trying to figure out why you think it is acceptable to keep posting this in every thread.  Did you get dropped on your head a lot as a child?

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
brybot
Newbie
Activity: 24
Merit: 0
June 20, 2011, 12:06:23 AM
 #80

Anybody check that csv file for viruses? Or did we just get compromised again?