Topic: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE) - page 3. (Read 36635 times)

sr. member
Activity: 308
Merit: 250
If they cant get the passwords because they're hashed, then... ummm, how did they do it?

What do you think Bitcoin miners are doing? Cracking hashes.

What do you think the passwords are protected with? Hashes.

So it's easy to crack hashed passwords; it takes a few minutes per password. As long as it takes to crack a new Bitcoin block (about 10 minutes) is how long it takes to crack a hashed password.

That's not quite accurate.  Miners are tweaking one value in a block of data in order to find any password WITHIN THE DIFFICULTY.  Finding a hash that is lower than a set value is far easier than finding a very specific existing password.  Essentially, cracking the password would be solving the highest difficulty block possible.  (Also, Miners are working on SHA256, much harder to crack than simple MD5...)
member
Activity: 76
Merit: 10
Is it possible to get the list of names etc in alphabetical order?
full member
Activity: 154
Merit: 100
Quote
[Update - 2:06 GMT] What we know and what is being done.

    It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
    Two months ago we migrated from MD5 hashing to FreeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
    We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
    Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
    When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
newbie
Activity: 27
Merit: 0
Isn't it ironic that bitcoin mining is essentially also cracking a hash?

No, because that is not at all what bitcoin mining is.
newbie
Activity: 14
Merit: 0
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep fingers crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possibly his and your ISP and all ISPs in between if this checker is in http instead of https. And people are able to buy forged SSL certs for MITM attacks even if it is https.



Why would you enter your actual passwords into it anyway? At least use a substitution cipher on your password. And if that enhances the security of your password because it contains dictionary words, you're just an idiot.  Tongue
sr. member
Activity: 700
Merit: 250

Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.

Wow, glad I changed my password to "efweug#%_#Tsafwef24g" just 2 days ago!

hehe 12390ßqweuio789456 was mine
jr. member
Activity: 56
Merit: 1
Yeah that's smart, going to some website to check your password LOL. You can bet your ass some people will have referrers pointing back to here and the site will connect the dots, find the password file, tie hash to entered pass, look up email address in file, hack mail and fish for balance when Mt.Gox comes back.
full member
Activity: 136
Merit: 100
Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base 64 encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time but I'm kind of hoping that someone else already has Smiley

The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV.

Really though I'm with speeder, let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.
Input the salt and the password here and check under md5(unix).
http://www.insidepro.com/hashes.php?lang=eng

The format in the CSV is $1$salt$password.
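As an added example (not code from the thread, the checker site, or Mt.Gox), here is a small parser and verifier for the $1$salt$hash md5crypt format the post describes, so a record can be classified as salted or unsalted and a known password checked against it. The hash used in the test is the public vector from the PHP crypt() manual, not a Mt.Gox record.

```python
# Added example: identify "$1$salt$hash" (FreeBSD md5crypt) records and verify a password against one.
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def identify(stored: str) -> str:
    """Classify a stored hash: salted md5crypt, bare 32-hex MD5, or unknown."""
    p = stored.split("$")
    if len(p) == 4 and p[0] == "" and p[1] == "1" and 0 < len(p[2]) <= 8 and len(p[3]) == 22:
        return "md5crypt"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower()):
        return "md5-unsalted"
    return "unknown"

def _to64(v: int, n: int) -> bytes:
    """crypt(3)-style base64: n chars, least significant 6 bits first."""
    return bytes(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

def md5crypt(password: bytes, salt: bytes) -> str:
    """$1$ md5crypt as in FreeBSD/glibc crypt(3); the salt is at most 8 bytes."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                      # mix in alt, 16 bytes per 16 bytes of password
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(password)
    while n:                          # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # fixed 1000-round stretching loop
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return (b"$1$" + salt + b"$" + enc + _to64(final[11], 2)).decode()

def verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a $1$salt$hash record."""
    if identify(stored) != "md5crypt":
        return False
    return hmac.compare_digest(md5crypt(password.encode(), stored.split("$")[2].encode()), stored)
```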
member
Activity: 94
Merit: 10
It would take
About 14 sextillion years
for a desktop PC to crack your password

lol, sexy...

member
Activity: 70
Merit: 10
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep fingers crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possibly his and your ISP and all ISPs in between if this checker is in http instead of https. And people are able to buy forged SSL certs for MITM attacks even if it is https.



Chill, it's all server-side. Look at the js. Smiley
member
Activity: 70
Merit: 10
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep fingers crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possibly his and your ISP and all ISPs in between if this checker is in http instead of https. And people are able to buy forged SSL certs for MITM attacks even if it is https.

member
Activity: 70
Merit: 10
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

Mine says 7 decillion years

Repeated asdf over & over!

About 7 septendecillion years.
member
Activity: 100
Merit: 10
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

Mine says 7 decillion years
member
Activity: 70
Merit: 10
MTGOX BREAKING NEWS

We will do one hour with the TradeHill guys LIVE via Skype.... ... BLAH BLAH BLAH

I'm trying to figure out why you think it is acceptable to keep posting this in every thread.  Did you get dropped on your head a lot as a child?

Media-whoring opportunities like this happen once a lifetim^H^H^Hmonth in bitcoin land!  Gotta make every second and eyeball count!
newbie
Activity: 23
Merit: 0
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!
sr. member
Activity: 280
Merit: 250
Anybody check that csv file for viruses? Or did we just get compromised again?
I don't have Excel so I opened it in Notepad; it's clean.
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
It's clean data. Just a CSV file. Open in Google docs if you're paranoid.

Edit: Too much Starcraft.
newbie
Activity: 24
Merit: 0
Anybody check that csv file for viruses? Or did we just get compromised again?
kjj
legendary
Activity: 1302
Merit: 1025
MTGOX BREAKING NEWS

We will do one hour with the TradeHill guys LIVE via Skype.... at 9pm to 10pm ET tonight.

Then, we will do one hour with the MtGox guys LIVE via telephone from Tokyo.... at 10pm to 11pm ET tonight.

Go to http://onlyonetv.com and click the "Watch Live" button now... and join in the Live Chatroom.

See All Time Zones here:  http://goo.gl/ZqQRq

I'm trying to figure out why you think it is acceptable to keep posting this in every thread.  Did you get dropped on your head a lot as a child?
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
No, they are not secure.  They're slightly MORE secure, assuming a good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted, I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.

Length and option set trumps entropy and # of special characters.
!....1gOd1....! is more secure than as#^%^*($)! despite being easier to remember, and based on a dictionary word.