Pages:
Author

Topic: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE) (Read 36721 times)

newbie
Activity: 4
Merit: 0
All games PC,NINTENDO SWTICH,PSN PS3,PS4 All You Can Download Here For Free Direct Link No Virus
https://isofullgame.com
jr. member
Activity: 56
Merit: 1
Srsly. Here, let me illustrate:

OMG! All my horses have escaped! Why is the barn door still open?!?

Bad analogy. Correct analogy: OMG, all my horses have escaped and they had the combination to the safe tattooed on their back. Someone copied those numbers and it's in a few newspapers now. But thank god the barn door is closed and my horses are back inside, now I can sleep well again.

Seriously? Smiley
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...

Google got the list and got all gmail accounts to reset their password.

Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.

http://forum.bitcoin.org/index.php?topic=19641.msg245983#msg245983

Awesome. Google living up to their motto. On a related note, My spam has not increased significantly. I did get the tradehill spam twice, though the second one was filtered. I think I have gotten one that can be directly attributed to the list leak: A financial services offer (Really? Loans by email? who is that dumb?)
legendary
Activity: 1708
Merit: 1020
This information is important.  
I'm just trying to get it out to everyone as quickly as possible.  
Sorry if I'm repeating myself, but there are so many threads on this same topic..  I don't want anyone to miss it.
 
Today at 2pm ET we'll be interviewing LIVE.... the man behind the $5,000,000 trade....
...  The man who bought the Bitcoin at $0.01 each....

Then later this evening, at 10pm ET, we will have Mark Karpeles,  the owner of MtGox...  personally ...  LIVE ... to answer all of your questions in the Chatroom.  

first I thought this was spam. but now that I watch the show... the show is OK but what really is hilarious is the chatroom  Grin
member
Activity: 70
Merit: 10
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...

Google got the list and got all gmail accounts to reset their password.

Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.

http://forum.bitcoin.org/index.php?topic=19641.msg245983#msg245983
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...

Google got the list and got all gmail accounts to reset their password.

Is that confirmed? I had to reset mine, but I just figured my MtGox password was cracked.
member
Activity: 70
Merit: 10
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...

Google got the list and got all gmail accounts to reset their password.
newbie
Activity: 16
Merit: 0
Well, went to login to my google account this morning and had to make a new password because of "suspicious activity" trying to access the account I guess...
member
Activity: 70
Merit: 10
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public then they are now?

If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link.

I believe that this shouldn't be kept secret, it is a P2P currency. Tongue

Srsly. Here, let me illustrate:

OMG! All my horses have escaped! Why is the barn door still open?!?

To freshen the air, of course.
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public then they are now?

If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link.

I believe that this shouldn't be kept secret, it is a P2P currency. Tongue

Srsly. Here, let me illustrate:

OMG! All my horses have escaped! Why is the barn door still open?!?
member
Activity: 70
Merit: 10
Why do you keep the file up? So more hackers can try to crack the password and steal everything? To make our emails more public then they are now?

If hackers want this list, they will find their way to it elsewhere. There's no stopping them with removing the link.

I believe that this shouldn't be kept secret, it is a P2P currency. Tongue
newbie
Activity: 62
Merit: 0
I do not know if this is real or fake. However, this is an direct download link that I hosted. Please comment...

http://bit.ly/kE3Q4D

[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]

I cant believe that.

This is completely against every privacy consideration that this file is openly distributed.

Honestly, I think it wasn't bad. Now everyone know's exactly how much info the attacter had. And if that database would be any use (except for the emails) any more, then mtgox hasn't doen a complete reset of the passwords.
And if someone used the password on multiple accounts, they get a really good kick in the ass to change them. Before that, you could make yourself believe, that your password doesn't need to be changed.
newbie
Activity: 62
Merit: 0
Well, I'm lucky... I never traded on mtgox AND I used a random password (only for mtgox...)... puh...

Does anyone know how fast such a passoword hash can be broken?
sr. member
Activity: 504
Merit: 250
If you take the time to read my post carefully you will see I've acknowledged that the static part does not improve protection against brute force. It ensures that to even attempt brute force, the attacker must have read access to the source, not just the database. That's a different class of attack, a significant speed-bump for the attacker from a layered security perspective.

No, the attacker does not need the static extra secret.  The brute force attack will reveal it right along with the password.  All it does is make the first two attempts harder, possibly a lot harder.  After that, it has no value.

Maybe 2^128 harder, for a 128 bit static salt ? Therefore making the first two brutefoce attempts practically impossible ? Therefore requiring knowledge of the static salt stored in a source configuration file, in order to crack the hashes in the database ? Yes, that's precisely my point.
full member
Activity: 140
Merit: 101
So has anyone discussed who in the HELL is this auditing company? How did they access Mt. Gox records? Do they have a database of these records off site? WTF?!?!
full member
Activity: 185
Merit: 121
It's amazing how small the market is really, just 60k people. wtf.

You ain't seen nothin' yet brotha. Wait till you see how small it is in a couple of days.  Wink
kjj
legendary
Activity: 1302
Merit: 1026
If you take the time to read my post carefully you will see I've acknowledged that the static part does not improve protection against brute force. It ensures that to even attempt brute force, the attacker must have read access to the source, not just the database. That's a different class of attack, a significant speed-bump for the attacker from a layered security perspective.

No, the attacker does not need the static extra secret.  The brute force attack will reveal it right along with the password.  All it does is make the first two attempts harder, possibly a lot harder.  After that, it has no value.
full member
Activity: 238
Merit: 100
The salted crypt() hashes are more difficult to crack but so far I have found 2706 out of 59236 passwords of the database by just one hour GPU dictionary-based cracking.  It can be safe to assume that the attacker was able to crack similar number and could control thousands of accounts.
sr. member
Activity: 504
Merit: 250
If you take the time to read my post carefully you will see I've acknowledged that the static part does not improve protection against brute force. It ensures that to even attempt brute force, the attacker must have read access to the source, not just the database. That's a different class of attack, a significant speed-bump for the attacker from a layered security perspective.


Edit:
Quote
But, if an attacker can brute force two passwords with static salt, they then know the static salt, and it offers no more protection

This seems to be the source of our quarrel. You seem to imply that the static salt can be inferred without reading the source. For a static salt that has enough entropy (128 bit), that should be impossible. Since this is selected once by the website owner, the condition is easy to meet. For example the MD5 and SHA1 based crypt algorithms can use a salt of any length.
kjj
legendary
Activity: 1302
Merit: 1026
The salt should have a random part per user stored in the database and a static part per site stored in some include file.
The first part prevents massive parallelization, rainbow tables etc.
The second part keeps the password secure when only the database is leaked (ex. a SQL injection that does not escalate to code execution). In the case of MtGox it wouldn't have helped since the read-only account probably had source access too.

Extending this idea, email can be stored using reversible encryption. Thus a simple database leak is not sufficient to compromise all emails, you need local access to the source.

If you think about it for a moment, I'm sure you will see that the static part is nearly useless.  The random part changes the game from "break once, break everywhere" to "break once, break here only".  That is huge.

But, if an attacker can brute force two passwords with static salt, they then know the static salt, and it offers no more protection.  The keyspace for the third attempt will have fallen back to the keyspace of the original password.  That is a mere speedbump compared to the brick wall of the random salt.
Pages:
Jump to: