Topic: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE) - page 6. (Read 36635 times)
June 19, 2011, 05:36:00 PM
The good news about this event is that I believe it will lead to a more decentralized exchange setup.
June 19, 2011, 05:28:09 PM
I don't know I'd be more likely to trust mtgox after this. At least there problems are now known and will be fixed, who knows what the vulnerabilities of the other trade sites are? The only thing that annoys me about this is it publicizes everyone's email addys. Although once upon a time I made a blog from scratch, and I made better PW security than mtgox has, now that is sad.
June 19, 2011, 05:25:25 PM
These fucking clowns should have stuck to selling magic the gathering cards.
true that
June 19, 2011, 05:23:37 PM
These fucking clowns should have stuck to selling magic the gathering cards.
June 19, 2011, 05:18:06 PM
There is a good number of us (meaning good, honest bitcoin users and supporters) that have been reporting that we had BTC stolen for a while now, but they kept denying our claims and blaming us.
I sincerely hope they plan on reimbursing us (I mean come on, its only 20.19 BTC in my case)
I sincerely hope they plan on reimbursing us (I mean come on, its only 20.19 BTC in my case)
June 19, 2011, 05:16:25 PM
Stopped trading on Empty Gox two weeks ago due to the increasing reports of compromised accounts. I certainly can't see myself going back to trusting Magical Tux' PHP skills with my money after this.
June 19, 2011, 05:14:53 PM
Interesting to note the malformed records which suggest SQL injection attacks of such simplicity, that an 8 year old 4channer with an automated pentest program could get in. I have only once traded using mtgox, but I'm seriously ticked off right now. I'm seriously angry that MtGox was trusted with so many people's money, was so central to bitcoin itself. As a fellow PHP developer I feel ashamed that people like MtGox bring the rest of us down, making us look like 14 year old script kiddies. I'm ashamed that they have not learned the rudimentary techniques that would be the first lesson in how to successfully secure any website. I'm astounded that a website trading 30 million dollars of value every month is less secure than a web game I built when I was 15.
In particular, see these rows (pasted from OpenOfficed CSV so it's turned into tab separation (I will add to this as I find more):
In particular, see these rows (pasted from OpenOfficed CSV so it's turned into tab separation (I will add to this as I find more):
| 12558 | hehehe\' | 0 | 0 | 0)waitfor delay\'0: | $1$ldybUNj/$jZ5XJRWM8DsOTM3FU9TyN0 |
| 12557 | hehehe\' | 0 | 0)waitfor delay\'0:0: | $1$TVk6yuVk$IKj5636wmFDwul0J2mtw8. | |
| 30306 | yui9 | &^&% | $1$tRf6y.pr$EWaJXMzwRfyXvq5zI3.y.. |
June 19, 2011, 05:12:11 PM
Nice one, its legit! 
im surprised. Gotta give it to them, btw where did the OP find this? google?
im surprised. Gotta give it to them, btw where did the OP find this? google? 
June 19, 2011, 05:11:12 PM
wow. Talk about fucked. I second the previous notion of "glad im broke".
June 19, 2011, 05:10:46 PM
Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.
Wow, glad I changed my password to "efweug#%_#Tsafwef24g" just 2 days ago!
June 19, 2011, 05:04:07 PM
I am curious, how did they get that DB in the first place?
+1
SQL Injection.
Sanitize your inputs, kiddies!
June 19, 2011, 04:56:19 PM
I am curious, how did they get that DB in the first place?
+1
June 19, 2011, 04:55:49 PM
This is really bad... I cracked a few passwords using JohnTheRipper...
I have never been so glad to be broke.
June 19, 2011, 04:51:06 PM
If they cant get the passwords because they're hashed, then... ummm, how did they do it?
So it's easy to crack hashes passwords, takes a few minutes per passwordWhich is why we salt passwords before hashing them. It might take seconds to find "monkey" but it'll take ages to find "monkeyefweug#%_#Tsafwef24g" and the user doesn't have to remember that second part. Really if the database is compromised the salt is in there with the hash so it doesn't help much but it DOES at least make it so that two people using the same password won't both be compromised by simply compromising one of them. It also makes "rainbow tables" (giant tables of common passwords and what they hash to) ineffective.
June 19, 2011, 04:49:13 PM
If they cant get the passwords because they're hashed, then... ummm, how did they do it?
What do you think Bitcoin miners are doing? Cracking hashes.
What do you think the passwords are protected with? Hashes.
So it's easy to crack hashes passwords, takes a few minutes per password, as long as it takes to crack a new Bitcoin block (about 10 minutes) is how long it takes to crack a hashed password.
thats bullshit you ass. miners are bruteforcing to attempt to come up with a number below the target hash. hashes are unbreakable and cannot be reconstructed back into the original password.
June 19, 2011, 04:48:36 PM
I am around 4k!
And I joined in april
Now can someone take that data and calculate how fast bitcoin is growing? (common, let's at least make something useful with the data :/ like, seeing the good side of bad things)
And I joined in april
Now can someone take that data and calculate how fast bitcoin is growing? (common, let's at least make something useful with the data :/ like, seeing the good side of bad things)
This.
Also, it's pretty scary to see my username, email address and password hash in the big list too but there are still a few questions that remain.
Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base 64 encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time but I'm kind of hoping that someone else already has
The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV.
Really though I'm with speeder, let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.
This is really bad... I cracked a few passwords using JohnTheRipper...
June 19, 2011, 04:48:14 PM
PHP crypt, CRYPT_MD5: http://php.net/crypt
June 19, 2011, 04:47:06 PM
I am around 4k!
And I joined in april
Now can someone take that data and calculate how fast bitcoin is growing? (common, let's at least make something useful with the data :/ like, seeing the good side of bad things)
And I joined in april
Now can someone take that data and calculate how fast bitcoin is growing? (common, let's at least make something useful with the data :/ like, seeing the good side of bad things)
This.
Also, it's pretty scary to see my username, email address and password hash in the big list too but there are still a few questions that remain.
Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base 64 encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time but I'm kind of hoping that someone else already has
The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV.
Really though I'm with speeder, let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.
June 19, 2011, 04:44:26 PM
I hope you guys are interested in buying Viagra and increasing the size of your penis.
If we can pay with bitcoins
June 19, 2011, 04:43:23 PM
I do not know if this is real or fake. However, this is an direct download link that I hosted. Please comment...
http://bit.ly/kE3Q4D
[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]
http://bit.ly/kE3Q4D
[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]
I cant believe that.
This is completely against every privacy consideration that this file is openly distributed.
This is already out there. Torrent sites, rapidshare, etc. There is nothing we can do.
Jump to: