
Topic: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE) - page 4. (Read 36691 times)

kjj
legendary
Activity: 1302
Merit: 1026
I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.

Even a fairly weak password will take a while to find.  And you don't know in advance which passwords are weak, so you have to try them all, or try them one at a time.  This is bad, but not the end of the world.

Those passwords that have already been cracked were cracked because they were unsalted, which meant they could be stored in a database for lookup.  The rest are salted, and there is no shortcut to them.  The attacker actually has to calculate 1001 MD5 hashes using both the salt, and their current guess.  And unsuccessful guesses are wasted, they do not help on the next guess or the next account.
member
Activity: 100
Merit: 10
Can someone try to crack user 16139 please?

I would like to know how strong the password is. I believe it is pretty strong but I could be wrong.

If you have Linux, install John the Ripper.
You can brute force your hash, or you can load rainbow tables and try that.

When the gawker.com database got hacked I tried my hash for fun to see how long it would take.
Less than 2 hours with 4 cpu cores brute force on an 8 character pass.

Luckily I never use the same password twice so it didn't cause a problem for me.


legendary
Activity: 1708
Merit: 1020

Does anyone know where I can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely can't remember what password I used on Mt. Gox (never actually traded on it) but I know it's one of several I can remember, so I want to do trial and error to check which one it is. Thanks.

on this site you can create your md5 hash if you are not sure which pw you used or just want to check if it is in there:

http://www.insidepro.com/hashes.php?lang=eng


old hash as in first 3000 users or so on the list:
just enter your password and look at the topmost box next to "MD5"

newer hash starting with $1$:
enter password and salt. you will find your hash at "MD5(Unix)"

salt is between the second and the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

hash goes after the third $ character:
$1$/gKxns/A$42b18btDR4VVUJR8hOEqW0

I am not affiliated in any way with the site and cannot tell if they are trustworthy. So only check if your password is weak or you have changed it everywhere else.

full member
Activity: 154
Merit: 100
I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.
newbie
Activity: 20
Merit: 0
I changed my pass also yesterday, can someone confirm the hack date???

I changed my password on June 18th, 0:42 am (GMT+1, summertime - it is 1:30 am when I post this). The hash in the csv represents my new password.

Edit: Oh sorry, this is of course not yesterday.
sr. member
Activity: 504
Merit: 250
Quote
Almost every person in this forum has the necessary hardware to get crackin.

It seems it's the most profitable way to "mine", at least for this evening.
full member
Activity: 131
Merit: 100
Isn't it ironic that bitcoin mining is essentially also cracking a hash?
Very.   Almost every person in this forum has the necessary hardware to get crackin.
legendary
Activity: 1145
Merit: 1001
Isn't it ironic that bitcoin mining is essentially also cracking a hash?
sr. member
Activity: 504
Merit: 250
I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.

The passwords before ID 3000 that were not changed are plain md5 hashes. Almost all are easily cracked. Example:
id: 642
name: shlax
hash: de434a6e3a01de06657454e07349535c
password: pretorian

The ones starting with $ are MD5 crypt passwords. The 1000 MD5 iterations add about 10 bits of apparent entropy, and the salts prevent parallelisation. If they are good, such passwords survive, but any less than 10 character alphanumeric password is in danger. Any all numeric under 20 digits, and all single case under 15 letters may be also in danger. If it's a dictionary word, forget it.

IMO there's no way to reopen MtGox without forcibly resetting the password on email and/or require proof of ID, coupled with a few weeks frozen accounts in which those who can't access the accounts can complain to support.
kjj
legendary
Activity: 1302
Merit: 1026
If you have PHP, try this on the command line:

Code:
# \$ stops PHP from expanding $SALT_FROM_FILE as a variable inside the double-quoted string
php -r 'echo crypt("PASSWORD","\$1\$SALT_FROM_FILE\$")."\n";'

There is a similar way to do it in PERL, but I don't know it off the top of my head.

Also, I found an online thingie.  http://crypt.php-functions.com/.  Please note that I didn't test this with my password, because I don't trust it, but if you do trust it, the syntax is:

Code:
echo crypt("PASSWORD", '$1$SALT_FROM_FILE$');

Oh, and account 16139 is probably fine.  There are no services that can crack your password short of a brute force attempt.  How long the brute force takes will depend on the length and complexity of your password.  A short password, or one that is in a dictionary, or similar to a dictionary word, will be fairly easy.
newbie
Activity: 7
Merit: 0
Does anyone know where I can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely can't remember what password I used on Mt. Gox (never actually traded on it) but I know it's one of several I can remember, so I want to do trial and error to check which one it is. Thanks.
<?php
// crypt() takes only the "$1$<salt>$" prefix of its second argument as the salt
echo crypt("yourpassword", "$1$"."hash"."$".md5("yourpassword"));
?>
member
Activity: 94
Merit: 10
Can someone try to crack user 16139 please?

I would like to know how strong the password is. I believe it is pretty strong but I could be wrong.
newbie
Activity: 12
Merit: 0
Does anyone know where I can find a program that encrypts a string using the same method as Mt. Gox did? I genuinely can't remember what password I used on Mt. Gox (never actually traded on it) but I know it's one of several I can remember, so I want to do trial and error to check which one it is. Thanks.
kjj
legendary
Activity: 1302
Merit: 1026
at least several months ago.

Need a date, man... That's way too vague.

I don't know.  I'm just going off the data I have (that everyone has by now).

The newest account that I've found with an old-style hash was #3045.  I signed up about a month ago, and my number is near #10,000.  Since 50,000 of the 60,000 accounts were from the last month, I feel pretty safe saying that the change was more than a month before I signed up.  Closer to that, I can't say.

But it is trivial for anyone to find their own name in the file and check the password hash listed.  Starts with $, probably safe, but think about changing it anyway.  Doesn't start with $, change it now, and change it in every place that you've ever used that password, or one similar to it.
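
An added example, not part of any post in this thread: a Python sketch of the check described above, classifying each hash column value in a dump as unsalted MD5 or `$1$` MD5-crypt and splitting out the salt and digest. The CSV column layout, the sample rows and the function names are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample rows (not taken from the leaked file).
# Assumed column order: id, name, email, hash.
SAMPLE_CSV = """\
101,alice,alice@example.com,5f4dcc3b5aa765d61d8327deb882cf99
102,bob,bob@example.com,$1$Ab3dE/9.$wZ0cQ1nT5uVxY7aB2kLmN0
103,carol,carol@example.com,$1$Ab3dE/9.$tooshort
104,dave,dave@example.com,D41D8CD98F00B204E9800998ECF8427E
"""

RAW_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
# $1$<salt, up to 8 chars>$<22-char digest>, both in the crypt(3) alphabet.
MD5_CRYPT = re.compile(r"^\$1\$([./0-9A-Za-z]{0,8})\$([./0-9A-Za-z]{22})$")


def classify(hash_field):
    """Describe the storage scheme of one hash column value."""
    h = hash_field.strip()
    if RAW_MD5.match(h):
        # No salt: one MD5 per guess, and precomputed lookups apply.
        return {"scheme": "md5-unsalted", "salt": None, "digest": h.lower(),
                "md5_per_guess": 1, "lookup_table": True,
                "action": "change-now"}
    m = MD5_CRYPT.match(h)
    if m:
        # Salted and iterated: 1001 MD5s per guess is the figure quoted
        # in the thread, and work is not shared between accounts.
        return {"scheme": "md5crypt", "salt": m.group(1),
                "digest": m.group(2), "md5_per_guess": 1001,
                "lookup_table": False, "action": "change-advised"}
    # Truncated or unrecognised value: flag it rather than guess.
    return {"scheme": "unknown", "salt": None, "digest": None,
            "md5_per_guess": None, "lookup_table": None, "action": "review"}


def triage(csv_text):
    """Map account id -> classification for every well-formed row."""
    result = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 4:
            result[row[0]] = classify(row[3])
    return result


if __name__ == "__main__":
    for uid, info in triage(SAMPLE_CSV).items():
        print(uid, info["scheme"], info["salt"], info["action"])
```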
member
Activity: 70
Merit: 10
I am not as computer literate as most of you. I have some dumb questions. Please be patient with me.

1. Is the *only* data that has been lost the user names, email and hashed password? Is there any way these people can get at my wallet? (I had nothing at Mt. Gox so I have no worries about that)

2. Can they get at the account from which I sent money to Mt Gox?

3. How could this have happened? I expected a person handling this kind of money would be secured like my bank website. On the other hand, why did everyone trust him?

4. Is Mt. Gox giving any accountability such as taking steps to secure what information has not been lost yet?

5. Luckily I used my Mt Gox password only there. What steps should I take to secure other data I have?

thanks

1. This is the only data that we know of that was leaked. No, there is no possible way they can get to your wallet unless they got into your computer via a remote connection using your password.

2. If you used the same password, yes.

3. Most likely SQL injection, I'm surprised that in 2011 people are still not using prepared statements for querying the database. Because it is the most popular? Didn't have any problems for a long time.

4. Most likely.

5. If you used the same password as the one at Mt. Gox, change it.
legendary
Activity: 1708
Merit: 1020
Comes in handy: look up where you used your compromised password in the Firefox saved passwords list.

http://www.howtogeek.com/howto/ubuntu/find-a-forgotten-password-saved-in-firefox/
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
at least several months ago.

Need a date, man... That's way too vague.
newbie
Activity: 26
Merit: 0
I am not as computer literate as most of you. I have some dumb questions. Please be patient with me.

1. Is the *only* data that has been lost the user names, email and hashed password? Is there any way these people can get at my wallet? (I had nothing at Mt. Gox so I have no worries about that)

2. Can they get at the account from which I sent money to Mt Gox?

3. How could this have happened? I expected a person handling this kind of money would be secured like my bank website. On the other hand, why did everyone trust him?

4. Is Mt. Gox giving any accountability such as taking steps to secure what information has not been lost yet?

5. Luckily I used my Mt Gox password only there. What steps should I take to secure other data I have?

thanks
kjj
legendary
Activity: 1302
Merit: 1026
I should point out that the site made a change to improve password security at least several months ago.  Any passwords set after that time are secure.

Their biggest fault was not forcing users to update their passwords at that time.
hero member
Activity: 586
Merit: 501
I changed my pass also yesterday, can someone confirm the hack date???