DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE)

[myrkul]

It's clean data. Just a CSV file. Open in Google docs if you're paranoid.

Edit: Too much Starcraft.

[1714006455]

1714006455

[1714006455]

1714006455

[1714006455]

1714006455

[1714006455]

1714006455

[1714006455]

1714006455

[TheBitMan]

Anybody check that csv file for viruses? Or did we just get compromised again?

I don't have excel so opened it in notepad it's clean

[optionstalker]

My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

[hoo2jalu]

MTGOX BREAKING NEWS

We will do one hour with the TradeHill guys LIVE via Skype.... ... BLAH BLAH BLAH

I'm trying to figure out why you think it is acceptable to keep posting this in every thread.  Did you get dropped on your head a lot as a child?

Media whore'ing opportunities like this happen once a lifetim^H^H^Hmonth in bitcoin land!  Gotta make every second and eyeball count!

[scooter]

My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

Mine says 7 decillion years

[Chick]

My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

Mine says 7 decillion years

Repeated asdf over & over!

About 7 septendecillion years.

[Batouzo]

My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep finger crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possible his and your ISP and all ISP in between if this checker is in http instead https. And people able to buy forged SSL certs for MITM attacks even if it is https.

[Chick]

My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep finger crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possible his and your ISP and all ISP in between if this checker is in http instead https. And people able to buy forged SSL certs for MITM attacks even if it is https.

Chill, its all server-side. Look at the js.

[martinw79]

It would take
About 14 sextillion years
for a desktop PC to crack your password

lol, sexy...

[TurboK]

Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base 64 encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time but I'm kind of hoping that someone else already has

The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV.

Really though I'm with speeder, let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.

Input the salt and the password here and check under md5(unix).
http://www.insidepro.com/hashes.php?lang=eng

the format in the csv is $1$salt$password.

[Nescio]

Yeah that's smart, going to some website to check your password LOL. You can bet your ass some people will have referrers pointing back to here and the site will connect the dots, find the password file, tie hash to entered pass, look up email address in file, hack mail and fish for balance when Mt.Gox comes back.

[saqwe]

Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.

Wow, glad I changed my password to "efweug#%_#Tsafwef24g" just 2 days ago!

hehe 12390ßqweuio789456 was mine

[Samantha2011]

My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep finger crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possible his and your ISP and all ISP in between if this checker is in http instead https. And people able to buy forged SSL certs for MITM attacks even if it is https.

Why would you enter your actual passwords into it anyway? At least use a substitution cipher on your password. And if that enhances the security of your password because it contains dictionary words, you're just an idiot. 

[semarjt]

Isn't it ironic that bitcoin mining is essentially also cracking a hash?

No, because that is not at all what bitcoin mining is.

[haydent]

[Update - 2:06 GMT] What we know and what is being done.

    It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
    Two months ago we migrated from MD5 hashing to freeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
    We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
    Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
    When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

[JonathanHiggins]

Is it possible to get the list of names etc in alphabetical order?

[Quantumplation]

If they cant get the passwords because they're hashed, then... ummm, how did they do it?

What do you think Bitcoin miners are doing? Cracking hashes.

What do you think the passwords are protected with? Hashes.

So it's easy to crack hashes passwords, takes a few minutes per password, as long as it takes to crack a new Bitcoin block (about 10 minutes) is how long it takes to crack a hashed password.

That's not quite accurate.  Miners are tweaking one value in a block of data in order to find any password WITHIN THE DIFFICULTY.  Finding a hash that is lower than a set value is far easier than finding a very specific existing password.  Essentially, cracking the password would be solving the highest difficulty block possible.  (Also, Miners are working on SHA256, much harder to crack than simple MD5...)

[haydent]

Is it possible to get the list of names etc in alphabetical order?

just import said csv into spreadsheet program and sort that column

[Chick]

LOL @ someone messaging me and wanting this removed. Even if this thread was removed, the file has already been leaked.

If it's out there, you might as well let it be.

[finnthecelt]

I hope you guys are interested in buying Viagra and increasing the size of your penis.

Now that's funny shit. I don't care who you are!!!! Already spammed from a Tradehill promoter. Thrice!!!