Bitcoin sites leaked :( - Big bitcoin members emails database

johncarpe64

sr. member

Activity: 420

Merit: 250

Quote from: jl2035 on September 03, 2014, 11:04:34 AM

Quote from: dadaas on August 17, 2014, 11:52:20 PM

Quote from: Aurum on August 15, 2014, 06:51:02 AM

Yes, them use md5, the auroracoin forum use the traditional forum salt that is more hard to decrypt.

but with a good pay decoder with trillion hashes decode it no can be hard.

examples (hashes get from freecoinworld):
30fca77cebf16fe3c5b5b4db4371dee4 - cinta3segi
842df9fecdc99ad5aea6deb7ab117ae0 - me4ta12345

One question, how does anybody crack those codes? Isn't it right that it takes long time to bruteforce those codes? Isn't that the whole point of hashing passwords, to make them practically uncrackable?

At least this guy is doing it:

http://redd.it/2erai6

The point is that it does take some effort (computing power) in order to crack a hashed password. With that being said, it is possible to make an unlimited number of attempts to crack the password, while if you were trying to log in via a website you would be limited as to your total number of attempts and the time between attempts.

jbreher

legendary

Activity: 3024

Merit: 1640

lose: unfind ... loose: untight

Quote from: C. Bergmann on September 03, 2014, 01:48:48 PM

The "hacker" was unaible to proof anything.

I'd counter that he proved that he is untrustworthy scum.

Kickstart4

member

Activity: 67

Merit: 10

Security is such an important aspect today. I am glad I am not listed there.

I keep changing passwords every few days too.

C. Bergmann

hero member

Activity: 803

Merit: 500

Quote from: richardramirez9 on September 03, 2014, 12:30:55 PM

Bitcoin.de = imposible they hacked it unless inside job.

As Oliver pointed out: there has been no hack. The "hacker" was unaible to proof anything.

richardramirez9

member

Activity: 84

Merit: 10

Bitcoin.de = imposible they hacked it unless inside job.

jl2035

full member

Activity: 146

Merit: 100

Quote from: dadaas on August 17, 2014, 11:52:20 PM

Quote from: Aurum on August 15, 2014, 06:51:02 AM

Yes, them use md5, the auroracoin forum use the traditional forum salt that is more hard to decrypt.

but with a good pay decoder with trillion hashes decode it no can be hard.

examples (hashes get from freecoinworld):
30fca77cebf16fe3c5b5b4db4371dee4 - cinta3segi
842df9fecdc99ad5aea6deb7ab117ae0 - me4ta12345

One question, how does anybody crack those codes? Isn't it right that it takes long time to bruteforce those codes? Isn't that the whole point of hashing passwords, to make them practically uncrackable?

At least this guy is doing it:

http://redd.it/2erai6

CreamyPie

member

Activity: 61

Merit: 10

This is the reason why security is so much essential. Being ignorant is not an option

Its recommended by experts to change password every few days, I follow them

dadaas

sr. member

Activity: 490

Merit: 250

Super Smash Bros. Ultimate Available Now!

Quote from: bitkojnek on August 22, 2014, 06:18:18 PM

I bought it Grin

I bought the freecoin and qoinpro date, sure all is fine, now preparing the spam text heheheheh. It will delay some time since 600k emails is a big daten.

Someone already bought the bitcoin.de? It's real? I want to buy it but 10 btc to high, if it's fake i don't can afford 10 btc. Please if someone really bought it talk here if that is real.

You will use those databases only for spam email? Somehow I don't think you will just do that.

So can you log in any account from freeco.in and qoinpro? Are those DBs real?

Mightycoin

member

Activity: 82

Merit: 10

That sucks. That's why security is so much essential. Better change password twice every week

bitkojnek

newbie

Activity: 14

Merit: 0

I bought it Grin

I bought the freecoin and qoinpro date, sure all is fine, now preparing the spam text heheheheh. It will delay some time since 600k emails is a big daten.

Someone already bought the bitcoin.de? It's real? I want to buy it but 10 btc to high, if it's fake i don't can afford 10 btc. Please if someone really bought it talk here if that is real.

ikank268

newbie

Activity: 2

Merit: 0

oh no, how they have the email account and know the passwords Huh

?? it's like nightmare Embarrassed

allyouracid

legendary

Activity: 2320

Merit: 1292

Encrypted Money, Baby!

Quote from: dadaas on August 15, 2014, 06:12:07 AM

I've just checked other 3 files they are offering for free and all paswords are hashed in databases. No need to worry at all if your password is long enough.

Just for the sake of clarity, I did a quick rainbow tables check on some md5-hashed passwords from one of those dumps (the site which is already closed). Three out of ten hashed passwords (!) with an amount of altogether way more than 10 BTC could be converted back to plaintext. If I had more than five BTC in my account, I wouldn't use "johnjohn" as my password. So guys, hold on strong passwords, e.g. use calculated passwords which are different for each website (e.g. calculate them with a set of letters, numbers etc and the URL of the site or something like that, so they are not the same, but you can calculate them). Not to talk about 2FA.

And, to make sure that your passwords are safe, do a rainbow tables check on it. Important: download the tables and do it on your pc, never put your password into an online rainbow tables website, as there are many sites which just wait for you to enter your password, so they can md5 it and get the correct hash for the password (so there isn't even any need to calculate the hash back into the password, because you already gave it to them).

One more statement: I'd never steal BTC/money/anything from anybody.

.edit:
Neither the amounts nor the password "johnjohn" is what I have found. Don't want to support people trying to steal bitcoins.

Cortex7

full member

Activity: 238

Merit: 106

Quote from: Remember remember the 5th of November on August 18, 2014, 05:23:37 PM

Only that for even faster performance, it would be implemented in OpenCL. Hashcat already has, though.

Of course you're right! just using PHP like pseudocode because many understand it.

Remember remember the 5th of November

legendary

Activity: 1862

Merit: 1011

Reverse engineer from time to time

Quote from: Cortex7 on August 18, 2014, 05:21:46 PM

@Razicks PHP func, modified to crack a whole dbase of hashes at once:

Code:

// these are the hashes of the passwords I'm trying to break
$hash_to_crack = array();
$hash_to_crack[] = '30fca77cebf16fe3c5b5b4db4371dee4';
$hash_to_crack[] = '40fceb6cebf16fec15b5b4db4371cef4';
// many more hashes, the entire dbase.
$hash_to_crack[] = '50fca4cebf146fe3c5b5b4db4371bbe4';

$attempt = NULL;
$hashes = sizeof($hash_to_crack);
while (true)
{
// $this->next_try would be a method designed to supply the next possible password.
$attempt = md5($this->next_try);

// compare the next hash to the target hash
for($hash_num = 0; $hash_num < $hashes; $hash_num++)
{
if ($attempt == $hash_to_crack[$hash_num])
{
echo("FOUND PASSWORD $attempt");
echo("FOR HASH " . ($hash_to_crack[$hash_num]));
echo(PHP_EOL);
}
}
}

Only that for even faster performance, it would be implemented in OpenCL. Hashcat already has, though.

Cortex7

full member

Activity: 238

Merit: 106

@Razicks PHP func, modified to crack a whole dbase of hashes at once:

Code:

// these are the hashes of the passwords I'm trying to break
$hash_to_crack = array();
$hash_to_crack[] = '30fca77cebf16fe3c5b5b4db4371dee4';
$hash_to_crack[] = '40fceb6cebf16fec15b5b4db4371cef4';
// many more hashes, the entire dbase.
$hash_to_crack[] = '50fca4cebf146fe3c5b5b4db4371bbe4';

$attempt = NULL;
$hashes = sizeof($hash_to_crack);
$cracked = 0;
$pass = "";

while ($cracked < $hashes)
{
   // $this->next_try would be a method designed to supply the next possible password.
$pass = $this->next_try
   $attempt = md5($pass);

   // compare the next hash to the target hash
   for($hash_num = 0; $hash_num < $hashes; $hash_num++)
   {
if ($attempt == $hash_to_crack[$hash_num])
{
echo("FOUND PASSWORD $pass");
echo("FOR HASH " . ($hash_to_crack[$hash_num]));
echo(PHP_EOL);
   $cracked++;
}
   }
}

TheKoziTwo

legendary

Activity: 1552

Merit: 1047

Aurum is using a forum account that he has either hacked or purchased from the original owner. Just compare his first post in the forum with his current ones. Without looking further into this it seems like Aurum just generated a list of usernames and fake passwords and is trying to make some quick btc by selling air. Nothing to see here.

Razick

legendary

Activity: 1330

Merit: 1003

Quote from: dadaas on August 17, 2014, 11:52:20 PM

Quote from: Aurum on August 15, 2014, 06:51:02 AM

Yes, them use md5, the auroracoin forum use the traditional forum salt that is more hard to decrypt.

but with a good pay decoder with trillion hashes decode it no can be hard.

examples (hashes get from freecoinworld):
30fca77cebf16fe3c5b5b4db4371dee4 - cinta3segi
842df9fecdc99ad5aea6deb7ab117ae0 - me4ta12345

One question, how does anybody crack those codes? Isn't it right that it takes long time to bruteforce those codes? Isn't that the whole point of hashing passwords, to make them practically uncrackable?

The problem is that hash functions are very fast on their own. Modern computers can check millions and sometimes billions per second. For example, although php isn't a good choice, I could break md5 with something like this:

EDIT: As Cortex noted below, the attacker would likely target the database at once making the process much faster, especially if salts aren't used.

Code:

// this is the hash of the password I'm trying to break
$hash_to_crack = '30fca77cebf16fe3c5b5b4db4371dee4';
$found = false;

// until $found is changed to true, keep trying!
while (!$found)
{
   // $this->next_try would be a method designed to supply the next possible password.
   $attempt = md5($this->next_try);

   // compare the next hash to the target hash
   if ($attempt == $hash_to_crack)
   {
   // end the loop when we've found the hash
   $found = true;
   }
}

Quote from: hyperdimension on August 18, 2014, 01:47:34 PM

There's NO way they hacked Bitcoin.de, they need confirmation emails for everything. Unlike this site btw, this site needs confirmation email for everything too, i mean give me a break. How in hell it doesnt?

Having confirmation emails doesn't automatically secure a site against having its database stolen.

hyperdimension

member

Activity: 69

Merit: 10

There's NO way they hacked Bitcoin.de, they need confirmation emails for everything. Unlike this site btw, this site needs confirmation email for everything too, i mean give me a break. How in hell it doesnt?

Fahrradkette

newbie

Activity: 12

Merit: 0

Back to wörk! Grin

dadaas

sr. member

Activity: 490

Merit: 250

Super Smash Bros. Ultimate Available Now!

Quote from: Fahrradkette on August 18, 2014, 11:06:11 AM

I don't know if the other databases are legit, neither do I know that the bitcoin.de-database is (not) legit.

But as far as I know: Bitcoin.de is regulated/inspected by the german Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht(BaFin)). I do think there are many regulations about security and can't think about any way that the passwords are saved plaintext like the thread-author said.

Nuff said.

I love those German words Cheesy

I didn't know that Bitcoin sites are supervised by federal authority but it makes sense because it is Germany and we all know how Germans are.

Topic: Bitcoin sites leaked :( - Big bitcoin members emails database (Read 8159 times)