Mt.Gox Accounts and passwords released, impact to BTC econ

[icaci]

I looked at that password list. Only around 1800 passwords were kept in regular md5, those are piss easy to crack (see http://www.md5decrypter.co.uk/ if you don't have a rainbow table setup already). The other 60000 were using some other format I did not recognize, though possibly by my own fault... they remind me of Wordpress passwords. It's probably some combined multiple md5 + hash, so I'd think that they are difficult if not impossible to crack, especially if you used a password that is long enough with a wide enough character set.

The danger for password reuse is very real though. It is in theory possible to find a less secure password from some site you signed up to, recover the password from there, and use it at mtgox with your username. So if you use the same password at mtgox or anywhere else, you'll NEED to change passwords. Otherwise you are fairly safe, provided your account is not one of those with regular md5 hashes (the ones not starting with $1$whatever are regular md5s).

$1$salt$hash is the standard FreeBSD MD5-based crypt() format. It was first developed for FreeBSD back in the days when export of DES code outside USA was forbidden. Then all major Unix variants switched to using it as it is much more secure than the original Unix DES-based crypt() and allows passwords longer than 8 symbols. It employs fixed number of salted MD5 rounds and is considered fairly secure given that lots of special symbols and combination of upper and lowercase letters are used. There is another Blowfish-based variant from OpenBSD that is clearly recognisable by the $2$ sentinel. It is much stronger as it takes a lot more CPU/GPU power to compute it compared to the MD5-based one.

[1714033473]

1714033473

[1714033473]

1714033473

[1714033473]

1714033473

[1714033473]

1714033473

[Bit_Happy]

I submitted my first coin to mtgox last night and now it's saying my account doesn't exist. I hope I get my account and my 1 BTC back.

The site is down, don't worry.

[TurboK]

I looked at that password list. Only around 1800 passwords were kept in regular md5, those are piss easy to crack (see http://www.md5decrypter.co.uk/ if you don't have a rainbow table setup already). The other 60000 were using some other format I did not recognize, though possibly by my own fault... they remind me of Wordpress passwords. It's probably some combined multiple md5 + hash, so I'd think that they are difficult if not impossible to crack, especially if you used a password that is long enough with a wide enough character set.

The danger for password reuse is very real though. It is in theory possible to find a less secure password from some site you signed up to, recover the password from there, and use it at mtgox with your username. So if you use the same password at mtgox or anywhere else, you'll NEED to change passwords. Otherwise you are fairly safe, provided your account is not one of those with regular md5 hashes (the ones not starting with $1$whatever are regular md5s).

$1$salt$hash is the standard FreeBSD MD5-based crypt() format. It was first developed for FreeBSD back in the days when export of DES code outside USA was forbidden. Then all major Unix variants switched to using it as it is much more secure than the original Unix DES-based crypt() and allows passwords longer than 8 symbols. It employs fixed number of salted MD5 rounds and is considered fairly secure given that lots of special symbols and combination of upper and lowercase letters are used. There is another Blowfish-based variant from OpenBSD that is clearly recognizable by the $2$ sentinel. It is much stronger as it takes a lot more CPU/GPU power to compute it compared to the MD5-based one.

You learn something new every day.
So, the $1$salt$ part is the salt, and it is computed (roughly) by salt + password = hash, then hash + salt + password = hash 2, and so on, repeating 1000 times, and the result is then encoded into a unix DES hash? Doesn't sound too safe, since the salt is known, but I guess it means that bruteforcing takes, theoretically, 1000 times longer. This should knock off 2-3 letters from the length of password that is still viable to bruteforce. But it's true that even if someone cracks just 1 account with a weak password, they can get a killing.

The irony is, if someone has the processing power to bruteforce the majority of these passwords, they could already get money just by mining bitcoins.

[Philj]

Checked, and mine was on the list 

Went and changed other accounts even though the exact same PW wasn't used it was based on an algorithm.

Lets hope this doesn't totally crash the market when things come back on line.

[frutza]

Usernames and emails were released, indeed. Passwords were NOT, only the hashes.
Weak passwords can be obtained from the hashes. Strong ones - not really, it's kind of hard 

My two BTcents: login to your account as soon as you can and change your password to something resembling a bitcoin address.
That should be hard enough to get from it's hash 

[frutza]

Oh, and expect some spam emails in the future! Maybe nigerian letters involving bitcoins?

[TurboK]

Oh, and expect some spam emails in the future! Maybe nigerian letters involving bitcoins?

greetings i am a Nigerian emperor and it appears that you are entitled to a part of my sacred golden lamb flock!! plese send me your name, address and secuirty of social number and i will have my unics contact you tomorw or at your best convience!
-Jalathalqualruaumqama

[Justsomeforumuser]

There really isn't anything I could say or repeat on this subject that comes as close as what reality is doing to people right now.

[chungenhung]

and i bet there will be people switching their BTC mining operation to password cracking operation.

[chadqberry]

The emails are already flooding.. MtGox scams to trick you into installing a new bitcoin client (which is infected) as well as some lame @ss trying to get you to register at Tradehill using his referral number.

[jgraham]

Usernames and emails were released, indeed. Passwords were NOT, only the hashes.
Weak passwords can be obtained from the hashes. Strong ones - not really, it's kind of hard 

Just ran oclHashcat on my hash and the 6990 gave an estimate of 100 years (both cores).  Not feeling so bad about that.

[frutza]

Not bad, but what about those mining ops who have hundreds of cards? What if THEY turn to cracking? 
Hail the emperor above!!!

[frutza]

Why won't you guys save the time, electricity and cracking/spamming effort, and send me all your bitcoins now? Oops, forgot I don't have an address in my signature...

[unixdude]

It will impact them and for the worst. It highlights the fact that the exchanges are not secure and until they are, they should not be used or used with extreme caution.

[Grant]

It highlights the fact that the exchanges are not secure and until they are, they should not be used or used with extreme caution.

I'm afraid extreme caution will be the result here, consequently that means: higher spreads, lower liquidity, lower price. Until confidence is restored.

[hugolp]

It highlights the fact that the exchanges are not secure and until they are, they should not be used or used with extreme caution.

I'm afraid extreme caution will be the result here, consequently that means: higher spreads, lower liquidity, lower price. Until confidence is restored.

Trading websites have been hacked. They have reverted the trades, and nothing big has happened. I dont see why it would be very different in this case. Hopefully this will make people go towards more serious exchanges.

[klayus]

I've got a problem. my account was on the list but when i try to login to change my password it says the account dosent exist. did that happen to everyone or just me? have I lost my bitcoins???

best regards

[imperi]

I've got a problem. my account was on the list but when i try to login to change my password it says the account dosent exist. did that happen to everyone or just me? have I lost my bitcoins???

best regards

You can't login yet. I think you are referring to the help forum which is a separate registration, I think.

[LokeRundt]

Dear Sir or Madam,


A few hours ago the Bitcoin trading website Mt Gox has been hacked. Malicious individuals have been able to obtain a database containing usernames, email address and encrypted passwords. This information has been posted publicly on the internet.

As a Bitcoin supporter I'm now sending a message to every email address contained in the hacked database. This is to warn you that your username, email address and password have been leaked. I therefore strongly advice you to change your passwords. If you have used the same passwo ???rd on different websites it's highly recommended to change your password on all of your accounts!

For a more secure alternative to Mt Gox, the community appears to be moving to TradeHill. So this is no reason to lose faith in Bitcoin itself. It must be seen as a warning that not every website can be trusted with your data however! Their link is http://www.tradehill.com/?r=TH-R15683 (Note: You can remove the Referral Code when registering if you want!) This is certainly not the only website where you can exchange Bitcoins, also check out http://www.thebitcoinlist.com/dp_bitcoin/bitcoin-exchange/


Sincerely,

A Bitcoin supporter
1CWSjov2N7ix41bZ8bJfHXkdLLbkUsG9Y7

So what I want to know is, how the fuck does this "sincere" bitcoin supporter get my email address?  I had an account with Mt.Gox, but didn't even trade with them.

Nm, didn't realize I had an active link to my email on this board.  *le sigh*

EDIT:  But to further thicken the plot, in my account-related settings, the box labeled "Hide email address from public" is checked. . . .hmmmmmmmmmmm *navigates over to the meta subforum*

[DukeOfEarl]

where is user of number 51190 in the file?!

This is the most brilliant insight I've read so far.  The hacker likely had a login on mtgox and probably deleted themselves before release.

That said, 51190 is in there:

51190   tgibbsz32   tgibbsz32@gmail.com   $1$9eZ.kSvA$fshZ6R1jkNtlllW10Sxpp/