mjsbuddha
Sr. Member
 Offline
Activity: 336
Merit: 250
yung lean
|
 |
June 19, 2011, 10:00:39 PM |
|
got the same. thought i wasnt using the same passwords across sites, i changed them all anyway. just to be safe
|
|
|
|
|
|
|
|
If you see garbage posts (off-topic, trolling, spam, no point, etc.), use the "report to moderator" links. All reports are investigated, though you will rarely be contacted about your reports.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
jatajuta
|
|
June 19, 2011, 10:01:48 PM |
|
Had received the code and my gmail account is fine.
It can be gmail security for this leak event or just suspicious acticity on the web trying to access my account.
|
|
|
|
jibjabz
Newbie
Offline
Activity: 59
Merit: 0
|
|
June 19, 2011, 10:05:50 PM |
|
Same here. Good luck cracking my password.
I'll give you a headstart.
Listed salt $1$ZBJdbkqZ$
Listed hash MD/Ln/Ro/cOFIPpWYMHpA.
My password starts with a letter, ends with a number, has a symbol, and more than 15 characters.
If you crack it and post it here I'll send you the remainder of my mtgox funds ($500)
1. Where'd you download/get this info? 2. Assuming I know my password is one of two things can I figure out what it is using this? Not sure why but my IP was banned yesterday so I logged in from a different location (worked fine) and changed my password. I'm not sure if my old password or new one is in the data that was stolen. Either one is ~18 characters. Am I pretty safe either way or is it true that these aren't as well salted as mtgox claims? |
|
|
|
|
Maged
Legendary
Offline
Activity: 1204
Merit: 1015
|
|
June 19, 2011, 10:06:02 PM |
|
I told Mike about this thread, but he hasn't responded yet.
Anyway, our resident Google employee is currently locking every account on the MtGox list.
<TD> yep, sorry folks
<TD> there's no way to know which passwords will get reversed and found to be shared over the next 24 hours or so
<TD> this is a standard procedure when faced with password leaks
|
|
|
|
tabshift
Newbie
Offline
Activity: 23
Merit: 0
|
|
June 19, 2011, 10:06:53 PM |
|
I just had this happen to my account too.. frozen out of Gmail when trying to login. I had to verify my identity via a SMS.
|
|
|
|
|
ribuck
Donator
Hero Member
Offline
Activity: 826
Merit: 1039
|
|
June 19, 2011, 10:09:06 PM |
|
Google froze my Gmail account until I revalidated it by SMS. I guess someone is trying the cracked MtGox passwords against the corresponding Gmail accounts. Luckily my passwords are both very strong, and are different.
|
|
|
|
|
DamienBlack
Jr. Member
Offline
Activity: 56
Merit: 1
|
|
June 19, 2011, 10:12:48 PM |
|
I told Mike about this thread, but he hasn't responded yet.
Anyway, our resident Google employee is currently locking every account on the MtGox list.
<TD> yep, sorry folks
<TD> there's no way to know which passwords will get reversed and found to be shared over the next 24 hours or so
<TD> this is a standard procedure when faced with password leaks
The fact that gmail, of all places, responded within an hour of mt gox, just goes to show how awesome they are on security. |
|
|
|
|
Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1128
|
|
June 19, 2011, 10:14:57 PM |
|
Hi guys,
The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.
Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).
thanks,
Mike
Google abuse/anti-hijack team
|
|
|
|
|
tabshift
Newbie
Offline
Activity: 23
Merit: 0
|
|
June 19, 2011, 10:17:26 PM |
|
My respect for Google has only increased due to this quick response. Thank you! Hi guys,
The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.
Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).
thanks,
Mike
Google abuse/anti-hijack team
|
|
|
|
|
rdonohoe (OP)
Newbie
Offline
Activity: 37
Merit: 0
|
|
June 19, 2011, 10:18:05 PM |
|
Hi guys,
The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.
Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).
thanks,
Mike
Google abuse/anti-hijack team
Thank you Google for your diligence. |
|
|
|
|
TheSocialHermit
Newbie
Offline
Activity: 42
Merit: 0
|
|
June 19, 2011, 10:18:17 PM |
|
Yea same happened with my secondary gmail account. Mt Gox is in the shit now. I'm lucky I haven't done any business with them so I haven't lost anything other than trust in their systems.
|
|
|
|
|
justusranvier
Legendary
Offline
Activity: 1400
Merit: 1009
|
|
June 19, 2011, 10:21:40 PM |
|
Situations like this are why I'm glad all of my passwords are different and random.
|
|
|
|
|
|
Herodes
|
|
June 19, 2011, 10:26:04 PM |
|
All passwords should be different and random. Use something like keepass to keep track of your passwords.
The reason you get the g-mail warning "Unusual acitivity detected" or something similar is because your e-mail is on the list on leaked e-mails from the mtGox db compromise. So If you have used the same password for mtGox and gmail for instance, this is used to protect the users so that in the event someone bruteforces the password hash in that leaked list, they will not have access to your gmail-account. Of course if you used the same password for both mtgox.com and gmail, you should stop doing something like that in the future.
The source of confusion is that google has only given a generic message, and not a specific one, perhaps this is just their policy, I don't know, but I think it would be better to give a more detailed explanation to keep people from getting worried.
Most likely your gmail account is not compromised at all.
|
|
|
|
|
palmertech
Newbie
Offline
Activity: 22
Merit: 0
|
|
June 19, 2011, 10:30:31 PM |
|
I just got this notification, too, so I guess someone must be going through all the accounts that got leaked.  Had to do a phone verification, and I also got notification from eBay, to boot! Luckily, I use different passwords. I think I am done with MtGox. |
|
|
|
|
Bunghole
Member
Offline
Activity: 64
Merit: 10
|
|
June 19, 2011, 10:31:23 PM |
|
I'm in the CSV file and my email account now appears to be suspended. For privacy reasons, I don't want to name the email provider, but I will say that it is a smaller one that most have probably never heard of. I'm guessing that someone is trying to brute-force their way in - the email provider noticed it and suspended my account for now. But strangely, I can still log into my provider's website - just can't receive mail.
|
|
|
|
|
|
Slab Squathrust
|
|
June 19, 2011, 10:33:10 PM |
|
Still waiting on mine. I changed all passwords as a precaution just because. Its a shame that the email address is out there though. I'm looking forward to cheap viagra and other dick enhancement offers.
|
|
|
|
|
Bunghole
Member
Offline
Activity: 64
Merit: 10
|
|
June 19, 2011, 10:43:45 PM |
|
I want to point out that my email account is NOT gmail yet was suspended shortly after the CSV file was published. So, that couldn't be due to the Google employee's help. Someone must be trying to brute-force their way into my account. I'm in the CSV file and my email account now appears to be suspended. For privacy reasons, I don't want to name the email provider, but I will say that it is a smaller one that most have probably never heard of. I'm guessing that someone is trying to brute-force their way in - the email provider noticed it and suspended my account for now. But strangely, I can still log into my provider's website - just can't receive mail.
|
|
|
|
|
|
Litt
|
|
June 19, 2011, 10:43:53 PM |
|
Hi guys,
The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.
Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).
thanks,
Mike
Google abuse/anti-hijack team
Preemptive actions before things really get out of hand. Now that is a sound business practice right here. |
|
|
|
|
|
Dansker
|
|
June 19, 2011, 10:44:41 PM |
|
Just verified mine too...
I will never use mtgox again, any website that doesn't protect my email adress can go fuck itself.
|
|
|
|
|
interfect
|
|
June 19, 2011, 10:48:20 PM |
|
Hi guys,
The reason your Google accounts have been required to change the password is that you appeared in a list of public MtGox accounts. We do understand that you may not have been sharing your passwords, unfortunately as they were leaked in hashed form it is hard to know which ones will be found to be sharing passwords and which won't - this will be found out by brute forcers over the next 24-48 hours.
Again, apologies for the inconvenience, we know that choosing new passwords is a pain. Requiring password rotations is not a decision we take lightly. However this is standard procedure for credentials leaks. It is to avoid accounts showing up in the black market for hacked passwords, as Gmail account access can be used to obtain access at other sites (PayPal, Facebook, etc).
thanks,
Mike
Google abuse/anti-hijack team
Thanks! It would be nice to get a better message than "unusual activity", though, seeing as how, in this instance, there was (presumably) no actual activity on the account that led to the lock. Maybe something like "A password for an account at <site> associated with this e-mail address has been leaked. Your Google password has been invalidated to protect your account" or some such. |
|
|
|
|
|
