All games PC,NINTENDO SWTICH,PSN PS3,PS4 All You Can Download Here For Free Direct Link No Virus
https://isofullgame.com
Topic: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE) (Read 36635 times)
February 08, 2023, 10:31:10 PM
June 20, 2011, 11:30:35 PM
Srsly. Here, let me illustrate:
OMG! All my horses have escaped! Why is the barn door still open?!?
OMG! All my horses have escaped! Why is the barn door still open?!?
Bad analogy. Correct analogy: OMG, all my horses have escaped and they had the combination to the safe tattooed on their back. Someone copied those numbers and it's in a few newspapers now. But thank god the barn door is closed and my horses are back inside, now I can sleep well again.
Seriously?
June 20, 2011, 02:35:46 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...
Google got the list and got all gmail accounts to reset their password.
Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.
http://forum.bitcoin.org/index.php?topic=19641.msg245983#msg245983
Awesome. Google living up to their motto. On a related note, My spam has not increased significantly. I did get the tradehill spam twice, though the second one was filtered. I think I have gotten one that can be directly attributed to the list leak: A financial services offer (Really? Loans by email? who is that dumb?)
June 20, 2011, 02:33:04 PM
This information is important.
I'm just trying to get it out to everyone as quickly as possible.
Sorry if I'm repeating myself, but there are so many threads on this same topic.. I don't want anyone to miss it.
Today at 2pm ET we'll be interviewing LIVE.... the man behind the $5,000,000 trade....
... The man who bought the Bitcoin at $0.01 each....
Then later this evening, at 10pm ET, we will have Mark Karpeles, the owner of MtGox... personally ... LIVE ... to answer all of your questions in the Chatroom.
first I thought this was spam. but now that I watch the show... the show is OK but what really is hilarious is the chatroom I'm just trying to get it out to everyone as quickly as possible.
Sorry if I'm repeating myself, but there are so many threads on this same topic.. I don't want anyone to miss it.
Today at 2pm ET we'll be interviewing LIVE.... the man behind the $5,000,000 trade....
... The man who bought the Bitcoin at $0.01 each....
Then later this evening, at 10pm ET, we will have Mark Karpeles, the owner of MtGox... personally ... LIVE ... to answer all of your questions in the Chatroom.
June 20, 2011, 02:15:47 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...
Google got the list and got all gmail accounts to reset their password.
Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.
http://forum.bitcoin.org/index.php?topic=19641.msg245983#msg245983
June 20, 2011, 02:14:52 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...
Google got the list and got all gmail accounts to reset their password.
Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.
June 20, 2011, 02:07:09 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...
Google got the list and got all gmail accounts to reset their password.
June 20, 2011, 02:05:38 PM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...
June 20, 2011, 01:55:54 PM
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public then they are now?
If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link.
I believe that this shouldn't be kept secret, it is a P2P currency.
Srsly. Here, let me illustrate:
OMG! All my horses have escaped! Why is the barn door still open?!?
To freshen the air, of course.
June 20, 2011, 01:54:12 PM
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public then they are now?
If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link.
I believe that this shouldn't be kept secret, it is a P2P currency.
Srsly. Here, let me illustrate:
OMG! All my horses have escaped! Why is the barn door still open?!?
June 20, 2011, 01:48:57 PM
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public then they are now?
If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link.
I believe that this shouldn't be kept secret, it is a P2P currency.
June 20, 2011, 11:34:46 AM
I do not know if this is real or fake. However, this is an direct download link that I hosted. Please comment...
http://bit.ly/kE3Q4D
[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]
http://bit.ly/kE3Q4D
[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]
I cant believe that.
This is completely against every privacy consideration that this file is openly distributed.
And if someone used the password on multiple accounts, they get a really good kick in the ass to change them. Before that, you could make yourself believe, that your password doesn't need to be changed.
June 20, 2011, 11:26:18 AM
Well, I'm lucky... I never traded on mtgox AND I used a random password (only for mtgox...)... puh...
Does anyone know how fast such a passoword hash can be broken?
Does anyone know how fast such a passoword hash can be broken?
June 20, 2011, 10:16:00 AM
If you take the time to read my post carefully you will see I've acknowledged that the static part does not improve protection against brute force. It ensures that to even attempt brute force, the attacker must have read access to the source, not just the database. That's a different class of attack, a significant speed-bump for the attacker from a layered security perspective.
No, the attacker does not need the static extra secret. The brute force attack will reveal it right along with the password. All it does is make the first two attempts harder, possibly a lot harder. After that, it has no value.
Maybe 2^128 harder, for a 128 bit static salt ? Therefore making the first two brutefoce attempts practically impossible ? Therefore requiring knowledge of the static salt stored in a source configuration file, in order to crack the hashes in the database ? Yes, that's precisely my point.
June 20, 2011, 10:07:22 AM
So has anyone discussed who in the HELL is this auditing company? How did they access Mt. Gox records? Do they have a database of these records off site? WTF?!?!
June 20, 2011, 09:57:44 AM
It's amazing how small the market is really, just 60k people. wtf.
You ain't seen nothin' yet brotha. Wait till you see how small it is in a couple of days.
June 20, 2011, 09:34:28 AM
If you take the time to read my post carefully you will see I've acknowledged that the static part does not improve protection against brute force. It ensures that to even attempt brute force, the attacker must have read access to the source, not just the database. That's a different class of attack, a significant speed-bump for the attacker from a layered security perspective.
No, the attacker does not need the static extra secret. The brute force attack will reveal it right along with the password. All it does is make the first two attempts harder, possibly a lot harder. After that, it has no value.
June 20, 2011, 09:18:52 AM
The salted crypt() hashes are more difficult to crack but so far I have found 2706 out of 59236 passwords of the database by just one hour GPU dictionary-based cracking. It can be safe to assume that the attacker was able to crack similar number and could control thousands of accounts.
June 20, 2011, 09:17:49 AM
If you take the time to read my post carefully you will see I've acknowledged that the static part does not improve protection against brute force. It ensures that to even attempt brute force, the attacker must have read access to the source, not just the database. That's a different class of attack, a significant speed-bump for the attacker from a layered security perspective.
Edit:
This seems to be the source of our quarrel. You seem to imply that the static salt can be inferred without reading the source. For a static salt that has enough entropy (128 bit), that should be impossible. Since this is selected once by the website owner, the condition is easy to meet. For example the MD5 and SHA1 based crypt algorithms can use a salt of any length.
Edit:
Quote
But, if an attacker can brute force two passwords with static salt, they then know the static salt, and it offers no more protection
This seems to be the source of our quarrel. You seem to imply that the static salt can be inferred without reading the source. For a static salt that has enough entropy (128 bit), that should be impossible. Since this is selected once by the website owner, the condition is easy to meet. For example the MD5 and SHA1 based crypt algorithms can use a salt of any length.
June 20, 2011, 09:11:36 AM
The salt should have a random part per user stored in the database and a static part per site stored in some include file.
The first part prevents massive parallelization, rainbow tables etc.
The second part keeps the password secure when only the database is leaked (ex. a SQL injection that does not escalate to code execution). In the case of MtGox it wouldn't have helped since the read-only account probably had source access too.
Extending this idea, email can be stored using reversible encryption. Thus a simple database leak is not sufficient to compromise all emails, you need local access to the source.
The first part prevents massive parallelization, rainbow tables etc.
The second part keeps the password secure when only the database is leaked (ex. a SQL injection that does not escalate to code execution). In the case of MtGox it wouldn't have helped since the read-only account probably had source access too.
Extending this idea, email can be stored using reversible encryption. Thus a simple database leak is not sufficient to compromise all emails, you need local access to the source.
If you think about it for a moment, I'm sure you will see that the static part is nearly useless. The random part changes the game from "break once, break everywhere" to "break once, break here only". That is huge.
But, if an attacker can brute force two passwords with static salt, they then know the static salt, and it offers no more protection. The keyspace for the third attempt will have fallen back to the keyspace of the original password. That is a mere speedbump compared to the brick wall of the random salt.
Jump to: