Pages:
Author

Topic: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE) - page 6. (Read 36721 times)

full member
Activity: 196
Merit: 100
The good news about this event is that I believe it will lead to a more decentralized exchange setup.
full member
Activity: 126
Merit: 100
I don't know I'd be more likely to trust mtgox after this.  At least there problems are now known and will be fixed, who knows what the vulnerabilities of the other trade sites are?  The only thing that annoys me about this is it publicizes everyone's email addys.  Although once upon a time I made a blog from scratch, and I made better PW security than mtgox has, now that is sad.
newbie
Activity: 28
Merit: 0
These fucking clowns should have stuck to selling magic the gathering cards.

true that Cheesy
full member
Activity: 210
Merit: 100
These fucking clowns should have stuck to selling magic the gathering cards.
full member
Activity: 238
Merit: 100
There is a good number of us (meaning good, honest bitcoin users and supporters) that have been reporting that we had BTC stolen for a while now, but they kept denying our claims and blaming us.

I sincerely hope they plan on reimbursing us (I mean come on,  its only 20.19 BTC in my case)

full member
Activity: 185
Merit: 100
Stopped trading on Empty Gox two weeks ago due to the increasing reports of compromised accounts. I certainly can't see myself going back to trusting Magical Tux' PHP skills with my money after this.
hero member
Activity: 630
Merit: 500
Interesting to note the malformed records which suggest SQL injection attacks of such simplicity, that an 8 year old 4channer with an automated pentest program could get in. I have only once traded using mtgox, but I'm seriously ticked off right now. I'm seriously angry that MtGox was trusted with so many people's money, was so central to bitcoin itself. As a fellow PHP developer I feel ashamed that people like MtGox bring the rest of us down, making us look like 14 year old script kiddies. I'm ashamed that they have not learned the rudimentary techniques that would be the first lesson in how to successfully secure any website. I'm astounded that a website trading 30 million dollars of value every month is less secure than a web game I built when I was 15.

In particular, see these rows (pasted from OpenOfficed CSV so it's turned into tab separation (I will add to this as I find more):



12558hehehe\'000)waitfor delay\'0:$1$ldybUNj/$jZ5XJRWM8DsOTM3FU9TyN0
12557hehehe\'00)waitfor delay\'0:0:$1$TVk6yuVk$IKj5636wmFDwul0J2mtw8.
30306yui9&^&%$1$tRf6y.pr$EWaJXMzwRfyXvq5zI3.y..
sr. member
Activity: 254
Merit: 250
https://www.soar.earth/
Nice one, its legit! Smiley im surprised. Gotta give it to them, btw where did the OP find this? google? Cheesy
sr. member
Activity: 322
Merit: 252
wow.  Talk about fucked.  I second the previous notion of "glad im broke".
newbie
Activity: 56
Merit: 0

Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.

Wow, glad I changed my password to "efweug#%_#Tsafwef24g" just 2 days ago!
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM

I am curious, how did they get that DB in the first place?

+1


Turns out:
SQL Injection.

Sanitize your inputs, kiddies!
hero member
Activity: 566
Merit: 500
Unselfish actions pay back better

I am curious, how did they get that DB in the first place?

+1

hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
This is really bad... I cracked a few passwords using JohnTheRipper...

I have never been so glad to be broke.
hero member
Activity: 742
Merit: 500
If they cant get the passwords because they're hashed, then... ummm, how did they do it?
So it's easy to crack hashes passwords, takes a few minutes per password
Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.

Which is why we salt passwords before hashing them. It might take seconds to find "monkey" but it'll take ages to find "monkeyefweug#%_#Tsafwef24g" and the user doesn't have to remember that second part. Really if the database is compromised the salt is in there with the hash so it doesn't help much but it DOES at least make it so that two people using the same password won't both be compromised by simply compromising one of them. It also makes "rainbow tables" (giant tables of common passwords and what they hash to) ineffective.
legendary
Activity: 1764
Merit: 1002
If they cant get the passwords because they're hashed, then... ummm, how did they do it?

What do you think Bitcoin miners are doing? Cracking hashes.

What do you think the passwords are protected with? Hashes.

So it's easy to crack hashes passwords, takes a few minutes per password, as long as it takes to crack a new Bitcoin block (about 10 minutes) is how long it takes to crack a hashed password.

thats bullshit you ass.  miners are bruteforcing to attempt to come up with a number below the target hash.  hashes are unbreakable and cannot be reconstructed back into the original password.
member
Activity: 70
Merit: 10
I am around 4k!

And I joined in april


Now can someone take that data and calculate how fast bitcoin is growing? (common, let's at least make something useful with the data :/ like, seeing the good side of bad things)

This.

Also, it's pretty scary to see my username, email address and password hash in the big list too but there are still a few questions that remain.

Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base 64 encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time but I'm kind of hoping that someone else already has Smiley

The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV.

Really though I'm with speeder, let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.

This is really bad... I cracked a few passwords using JohnTheRipper...
member
Activity: 112
Merit: 10
Firstbits: 1yetiax
hero member
Activity: 742
Merit: 500
I am around 4k!

And I joined in april


Now can someone take that data and calculate how fast bitcoin is growing? (common, let's at least make something useful with the data :/ like, seeing the good side of bad things)

This.

Also, it's pretty scary to see my username, email address and password hash in the big list too but there are still a few questions that remain.

Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base 64 encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time but I'm kind of hoping that someone else already has Smiley

The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV.

Really though I'm with speeder, let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.
legendary
Activity: 1658
Merit: 1001
I hope you guys are interested in buying Viagra and increasing the size of your penis.

If we can pay with bitcoins Wink
member
Activity: 70
Merit: 10
I do not know if this is real or fake. However, this is an direct download link that I hosted. Please comment...

http://bit.ly/kE3Q4D

[Edit: Holy shit, this is real. I found my email & password in the CSV. Shit just got real...]

I cant believe that.

This is completely against every privacy consideration that this file is openly distributed.


This is already out there. Torrent sites, rapidshare, etc. There is nothing we can do.
Pages:
Jump to: