Topic: FBI has your BTC-e password hash and 2FA codes! (Read 934 times)

jr. member
Activity: 32
Merit: 1
I suppose the attacker will use dictionary attack first.

This is why you should use random passwords like

Code:
fxjStLbiClmqlrEHbFOd5CGH07AmZkVk5tvjVPB2SfK2ukVNToAS8VP8G6bOx

or

Code:
,dtS7?{$a
And not words like

Code:
correct horse battery staple

Those with random passwords are relatively more secure.

The three-letter-agencies have access to your public cryptocurrency addresses.
legendary
Activity: 1612
Merit: 1608
精神分析的爸
and here is a challenge:
this is the sha1 hash of my bitcointalk password, have fun hacking my Hero Member account:

*snip*

Not quoting, coz if this checksum is not salted it might have been a very bad idea to post it.

first of all it's just an account :)
secondly the point is you can NOT reverse it to find my real password which is long and hard AF!
this is the crappy old SHA1 we are talking about.


That's certainly good thinking that it's only a bloody account at the end.
However I was not suggesting that SHA1 is reversible/breakable now, but hinting to you that there are huge rainbow tables out there that could already contain your SHA1 hash posted above (especially, if not salted).
sr. member
Activity: 327
Merit: 250
I didn't have 2FA enabled with my BTC-e account. And the password was also unique. So it seems like I don't need to worry about it. Even if the FBI is having my password and my email ID, what they are going to do with it?
If you were not holding any coins in the exchange then there is nothing to worry about. I am not sure how secure the site was, and since they are an exchange I am pretty sure they might have done a good job to secure the database, so even if they had the database it is not that easy to crack those passwords.
legendary
Activity: 1204
Merit: 1028
FBI can use this hash to find out your password and crack your account at other exchanges and websites!

Also they have your e-mail address. You may consider changing it or securing it! They may try to crack it!

Do not reuse your password!

If BTC-e becomes operational again you have some chance to withdraw funds before the FBI cracks the new BTC-e website!


Source?

I think it's not possible since passwords can't really be cracked easily; I strongly believe that, no matter what information they have. I doubt that BTC-e won't come back even if they are already giving some word that they would make a refund this September. If they really made those promises come true then I would really be amazed, for a certain exchange has fallen and then comes back again.

Even if it was not official, you have to assume that the FBI got your email and password, and now who knows what they will do with it.

I'm always scared to use exchanges in general because I don't know who is running it, I don't know what the owners will do with my data, I don't know if they will sell my ID, or if they will get hacked and they will try to dox you etc. That is why I try to remain anonymous when dealing with exchanges. It's safe to assume everyone you deal with in the bitcoin world and in general on the internet is a scammer by default, so take the appropriate measures to not lose your money and privacy.
member
Activity: 98
Merit: 10
FBI can use this hash to find out your password and crack your account at other exchanges and websites!

Also they have your e-mail address. You may consider changing it or securing it! They may try to crack it!

Do not reuse your password!

If BTC-e becomes operational again you have some chance to withdraw funds before the FBI cracks the new BTC-e website!



The FBI could easily hack into anything it wants at any time. The NSA actually has the power to hack the president, let alone the general public... Google it if you don't believe me!
legendary
Activity: 883
Merit: 1005
The US government has the largest and most powerful password cracking hardware in the world. If they have your hash and the 2FA codes then they can crack your password in a matter of minutes.
legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
This is definitely not good news if it is 100% true.   I always expected BTC-E would have some problems at some point, because they always seemed to be operating in the shadows.  No one really knew who ran the site...support was sometimes good, sometimes sketchy.

I used to use it to trade between bitcoin and litecoin and back again, but I never kept coins on the site for any length of time.   My buddy bought like 1000 LTC when it was at like $25 a few years ago, and I kept telling him to get the coins off of there every day.   Luckily he finally listened a month prior to this whole fiasco taking place. 
sr. member
Activity: 1988
Merit: 453
I didn't have 2FA enabled with my BTC-e account. And the password was also unique. So it seems like I don't need to worry about it. Even if the FBI is having my password and my email ID, what they are going to do with it?
legendary
Activity: 2128
Merit: 1293
There is trouble abrewing
and here is a challenge:
this is the sha1 hash of my bitcointalk password, have fun hacking my Hero Member account:

*snip*

Not quoting, coz if this checksum is not salted it might have been a very bad idea to post it.

first of all it's just an account :)
secondly the point is you can NOT reverse it to find my real password which is long and hard AF!
this is the crappy old SHA1 we are talking about.

a password hash is not as easily broken as you may think. it is called an irreversible hash function for a reason!
this means if btc-e used a proper way to save the password and hashed them properly using salt,... then it is impossible to crack them.

In reality decrypting a large SHA-1 hash is nearly impossible. But since SHA-1 maps several byte sequences to one, you can't "decrypt" a hash, but in theory you can find collisions: strings that have the same hash. IMHO.

collision is no longer "in theory": Google already successfully produced a collision with SHA1, and it took them about 2^63.1 SHA1 evaluations, which is about 110 years of single GPU calculation.
but it has nothing to do with "reversing and finding the password". someone with that much computation power can only reproduce the same hash as my original password. have fun holding the same hash for another string for no reason :D
full member
Activity: 2520
Merit: 214
Eloncoin.org - Mars, here we come!
a password hash is not as easily broken as you may think. it is called an irreversible hash function for a reason!
this means if btc-e used a proper way to save the password and hashed them properly using salt,... then it is impossible to crack them.

In reality decrypting a large SHA-1 hash is nearly impossible. But since SHA-1 maps several byte sequences to one, you can't "decrypt" a hash, but in theory you can find collisions: strings that have the same hash. IMHO.

legendary
Activity: 1612
Merit: 1608
精神分析的爸
and here is a challenge:
this is the sha1 hash of my bitcointalk password, have fun hacking my Hero Member account:

*snip*

Not quoting, coz if this checksum is not salted it might have been a very bad idea to post it.
legendary
Activity: 2128
Merit: 1293
There is trouble abrewing
The salt is also on the database. And it's trivial to crack such passwords, because they are hashed with a weak hash function (because it is not practical to waste the CPU power of the server).

ok, I am no expert here but there is no way you can reverse a hash result, and hashes of the passwords are saved on the server. when you log in the system hashes your input and checks the two hashes against each other; if it is the same you can log in, if not it says "wrong password".

that is why in recovery they reset your password they can never tell you what it was.

and here is a challenge:
this is the sha1 hash of my bitcointalk password, have fun hacking my Hero Member account:

Code:
83c3f71b00dc91a9a4864ccdbbe54213eddf548f
jr. member
Activity: 32
Merit: 1
The salt is also on the database. And it's trivial to crack such passwords, because they are hashed with a weak hash function (because it is not practical to waste the CPU power of the server).
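An added example (not from any poster, and not BTC-e's or bitcointalk's actual storage scheme, which the thread does not establish) of the two properties argued over above: an unsalted fast hash gives every account with the same password the same digest, which is what makes precomputed tables applicable, while a per-user salt with a slow KDF gives distinct digests and a much higher cost per guess even when the salt sits in the same database. The sample password, the iteration count and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

PASSWORD = "constructed-sample-password"  # constructed sample, not from the thread
ITERATIONS = 600_000                      # assumed work factor; tune per server

def sha1_unsalted(password: str) -> str:
    """Scheme debated in the thread: one fast SHA-1 pass, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def kdf_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest  # the salt is not secret; it is stored beside the digest

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(kdf_salted(password, salt)[1], stored)

def guess_cost_ratio(samples: int = 20_000) -> float:
    """How many SHA-1 evaluations fit in the time of one salted KDF evaluation."""
    start = time.perf_counter()
    for i in range(samples):
        sha1_unsalted(f"{PASSWORD}{i}")
    per_sha1 = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    kdf_salted(PASSWORD)
    per_kdf = time.perf_counter() - start
    return per_kdf / per_sha1

if __name__ == "__main__":
    # Two accounts, same password: unsalted digests match, salted ones do not.
    print("sha1 equal:  ", sha1_unsalted(PASSWORD) == sha1_unsalted(PASSWORD))
    (s1, d1), (s2, d2) = kdf_salted(PASSWORD), kdf_salted(PASSWORD)
    print("salted equal:", d1 == d2)
    print("verify:      ", verify(PASSWORD, s1, d1), verify("wrong", s1, d1))
    print(f"one KDF guess costs about {guess_cost_ratio():,.0f} SHA-1 guesses")
```

Neither property protects a password that appears in a wordlist; the salt and work factor only raise the cost of each guess, so password length and randomness still matter.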
legendary
Activity: 2128
Merit: 1293
There is trouble abrewing
a password hash is not as easily broken as you may think. it is called an irreversible hash function for a reason!
this means if btc-e used a proper way to save the password and hashed them properly using salt,... then it is impossible to crack them.
jr. member
Activity: 32
Merit: 1
FBI seized the server with the database. The password hashes and the 2FA codes are recorded there.

It will be very hard for BTC-e to verify that genuine users are trying to access their account, not FBI/NSA or other 3 letter American agency.

Maybe they will send verification codes to the e-mail, ask for cryptographic proof about user's addresses, etc.

Only the genuine user can create a signed message with his private key corresponding to the public key where the user is sending/receiving coins.
legendary
Activity: 2436
Merit: 1187
Even if it's not true, the passwords mustn't be the same
member
Activity: 86
Merit: 10
Whatever it was, I've got the keys of my main wallet in "cold storage", so I don't even think of a possibility of crack.
sr. member
Activity: 2226
Merit: 347
FBI can use this hash to find out your password and crack your account at other exchanges and websites!

Also they have your e-mail address. You may consider changing it or securing it! They may try to crack it!

Do not reuse your password!

If BTC-e becomes operational again you have some chance to withdraw funds before the FBI cracks the new BTC-e website!


Source?

I think it's not possible since passwords can't really be cracked easily; I strongly believe that, no matter what information they have. I doubt that BTC-e won't come back even if they are already giving some word that they would make a refund this September. If they really made those promises come true then I would really be amazed, for a certain exchange has fallen and then comes back again.
jr. member
Activity: 32
Merit: 1
FBI can use this hash to find out your password and crack your account at other exchanges and websites!

Also they have your e-mail address. You may consider changing it or securing it! They may try to crack it!

Do not reuse your password!

If BTC-e becomes operational again you have some chance to withdraw funds before the FBI cracks the new BTC-e website!
