Topic: Hacked BitcoinTalk Data Finally Surfaces On Dark Net - page 3. (Read 2849 times)

sr. member
Activity: 406
Merit: 250
To clarify, they're selling SHA256 passwords? Hashed passwords! There is great difficulty in converting several hundred thousand of these in one go, and highly trusted members may change passwords often, so little money can be gotten from this.
Yeah, to be honest it would be really hard to get the passwords, then I think we are safe, but we most probably should change passwords.
copper member
Activity: 1442
Merit: 529
I am not worried, as my account was created at the beginning of February, but anyway my email is secured with 2FA, and everywhere it is possible in my online accounts I always add 2FA.
If the users feel worried about their accounts they can always change the password of the account, change the password of the email, add a security question here (which I honestly cannot understand why is not recommended when you do it in the right way: add it on a PC you know is super safe) and the problem is solved. I guess that Doubleflag will not get the bitcoin he is asking for.
hero member
Activity: 3206
Merit: 940
This is just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on the dark net. A hacker going by DoubleFlag is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on the dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."



Damn, I guess I will have to change my password to make sure everything is fine.

And damn, this might have an impact on the entire bitcoin community or on the bitcoin price.

My account was created back in December 2015; the hack was in May 2015. I'm safe, I guess.
administrator
Activity: 5222
Merit: 13032
What year did you change the hashing algorithm? From what I saw in the database, some users who didn't log on after 2012 were not in it.

July 2012.
sr. member
Activity: 336
Merit: 250
I think that one extra step of security would be to have implemented a custom salt for every user's password

Each hash has a unique 12-byte salt.

Quote
Also, from StackOverflow:

That's the same nonsense I was responding to.

Quote
Not all of the passwords in the database leak had that encryption :p

It's impossible to upgrade a user's hash until they log in, since their password isn't known. Those users never logged in since the hash algorithm was upgraded several years ago.

What year did you change the hashing algorithm? From what I saw in the database, some users who didn't log on after 2012 were not in it.
administrator
Activity: 5222
Merit: 13032
I think that one extra step of security would be to have implemented a custom salt for every user's password

Each hash has a unique 12-byte salt.

Quote
Also, from StackOverflow:

That's the same nonsense I was responding to.

Quote
Not all of the passwords in the database leak had that encryption :p

It's impossible to upgrade a user's hash until they log in, since their password isn't known. Those users never logged in since the hash algorithm was upgraded several years ago.
legendary
Activity: 1148
Merit: 1000
I don't see why we should be worried; I know I'm not. Let him do what he will with the data; if he's able to get the 1 BTC he's asking for it, then good for him. There is nothing that can be done at this point anyway other than changing passwords and making sure email accounts are secured with 2FA. No sense in losing sleep over this if you ask me.
copper member
Activity: 2856
Merit: 3071
To clarify, they're selling SHA256 passwords? Hashed passwords! There is great difficulty in converting several hundred thousand of these in one go, and highly trusted members may change passwords often, so little money can be gotten from this.
hero member
Activity: 546
Merit: 500

I think someone got one of my emails at some point, but it could also be via the MtGox leak. I had a few random login attempts, with one successful on a shitty Twitter account I don't use. All passwords have been changed and I 2FA everything I can.
sr. member
Activity: 336
Merit: 250
Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.

I wouldn't be so sure about your last statement; if they don't know what an encrypted password is, they could search on Google.

And as Robert_A says, it takes only a few seconds to decrypt a password, so it's not difficult to get the password in 'plain text'.

The price of 1 BTC seems very cheap to me; the hacker needs to hack only one or two legendary accounts to reach the ROI very fast (badly).

He said a few seconds to decrypt a password that has NUMBERS in it only. Those are easy to crack because it's not hard to go through every possible number combination between 1 and 10 digits. Also, it's not easy to reach ROI now, as people are very sceptical when it comes to dealing with people, even legendary accounts. Of course, if you plan it out and get a big scam all ready to go, then bad luck to everyone else.
legendary
Activity: 1540
Merit: 1003
Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.

I wouldn't be so sure about your last statement; if they don't know what an encrypted password is, they could search on Google.

And as Robert_A says, it takes only a few seconds to decrypt a password, so it's not difficult to get the password in 'plain text'.

The price of 1 BTC seems very cheap to me; the hacker needs to hack only one or two legendary accounts to reach the ROI very fast (badly).
newbie
Activity: 20
Merit: 0
The forum's hashes, while not uncrackable given weak passwords, are far stronger than those used by almost every other site.

I guess I'd agree with that. I think that one extra step of security would be to have implemented a custom salt for every user's password, which would increase the difficulty of increasing the passwords.
Also, from StackOverflow:

Quote
Bcrypt really shines for online attacks, if you have set the work factor properly, because even if I get the hash, meant to say if the 'adversary' gets the hash, the work factor makes it really painful to go through an entire dictionary, taking multiple days, and if the password isn't in the dictionary, then I'm really in trouble because a brute force attack will be epic; the password bit space for bcrypt is quite large though finite :)

Sha256 may be taking a bit of time now, but eventually computers will get faster and faster and it'll be fairly easy for attacks; the unix guys thought crypt was so slow it would never have been an issue, and today I have done an online attack in seconds, offline attack in days, a brute force attack (going through the entire password bit space) in weeks ...

Quote from: theymos
The forum uses sha256crypt with rounds=7500

Not all of the passwords in the database leak had that encryption :p

At the end of the day, you could implement the strongest algorithm, but if users are stupid enough to use their password more than once and, even worse, on a site that stores passwords in plaintext or in a weak algorithm like message digest 5 (MD5), they deserve to be hacked. Like, honestly, how hard is it to use a different password by even changing 1-2 parts of your password?
hero member
Activity: 3010
Merit: 538
This is just out in the news. What are the implications of this as a regular user of BCT? Should we be worried about this?

http://themerkle.com/hacked-bitcointalk-user-data-finally-surfaces-on-dark-net/

"Just a few days ago, the data stolen from the BitcoinTalk.org hack in 2015 was posted for sale on the dark net. A hacker going by DoubleFlag is selling BitcoinTalk.org’s database. The same hacker is said to be responsible for the 68 million emails and hashed passwords from Dropbox that went for sale on the dark net not too long ago.

BitcoinTalk.org was originally hacked in May of 2015, but the data wasn’t posted until a few days ago. DoubleFlag seems to have been the first one able to get his hands on it, and no one after him for that matter. The stolen data was only accessible by using data breach notification sites like Hacked-DB and LeakedSource."



Oh no, I think if they sell it, it will cause big trouble in the bitcoin community, because many earners are earning here on bitcointalk through services like selling their accounts, joining signature campaigns and many more. What is theymos's action now? And what should we do now, having accounts on bitcointalk?

99% of the users are safe. (Not 99. But a lot.) The passwords were encrypted with 5 rounds & used strong encryption algorithms. Many passwords will never be cracked or aren't worth the time to crack.
The quantum computing 8)
Well, the question is why the hacker is only releasing the data a few days ago? Does anyone know the reason? Considering your explanation, I think it is safe at this time.
administrator
Activity: 5222
Merit: 13032
I sent out a mass email about this right after the leak in 2015. People really should've changed their passwords then. This database has been floating around since then, so if you didn't change your password already and your password is sufficiently weak, then there's a good chance that your account would've already been compromised.

Let me just say that the encryption algorithm could've been stronger. For example, bcrypt or something like what Wordpress implements. Now THOSE are some tough hashes to crack.

That's a common misconception. There is no functional difference between bcrypt and sha256crypt, except that sha256crypt uses the industry-standard SHA-256 hash function while bcrypt uses a hash function based on the deprecated and obscure Blowfish encryption algorithm.

PHP uses a default bcrypt cost of 10, which is roughly similar to sha256crypt with rounds=1024. Python uses a default cost of 12, which is roughly similar to sha256crypt with rounds=4096. The forum uses sha256crypt with rounds=7500. The forum's hashes, while not uncrackable given weak passwords, are far stronger than those used by almost every other site.
hero member
Activity: 518
Merit: 500
It is bad if there are people who buy the bitcointalk data; they will get the email data that was used for making accounts here. And it will be even worse if they can get access to the email.
legendary
Activity: 3542
Merit: 1966
I change my password every other week, so in theory a hack would not affect me, if my data were compromised. What benefit will these people have from hacking these accounts? We would just show the proof that we own the account and then get it back and change the password again. ^hmmm^

hero member
Activity: 2268
Merit: 579
Something must be done to put an end to these hacking things going around the corner.
newbie
Activity: 20
Merit: 0
Let me just say that the encryption algorithm could've been stronger. For example, bcrypt or something like what Wordpress implements. Now THOSE are some tough hashes to crack. Hell, even cracking the password "123411" with a bcrypt hash would take up too many resources for the average person.

This leak however contained two different algorithms from what I'm aware. SHA1 & something that looks like this.

Password: $5$rounds=7500$bOzfMJtV+ltz8dF+$jeWxjkMFW8Dv389us5iJ5KSBmb8wjkZOhns4UGeMpp.

A SHA1 hash is just 64 characters of numbers and letters. They are much easier to crack. However, the algorithm in this case doesn't matter if you had an easy password such as 1-10 numbers, a bunch of letters, or if your password was in a wordlist.

Password: $5$rounds=7500$bOzfMJtV+ltz8dF+$jeWxjkMFW8Dv389us5iJ5KSBmb8wjkZOhns4UGeMpp
Once you crack that (took me a few seconds) you'll get this as the plaintext password.
'22362236'

$5$rounds=7500$bOzfMJtV+ltz8dF+$jeWxjkMFW8Dv389us5iJ5KSBmb8wjkZOhns4UGeMpp:22362236

And the fact that many of you are probably in other database leaks and use the same password makes it even easier for someone to compromise your account. Good thing for you guys is that no one gives a shit about Bitcointalk accounts so you're all probably safe for now.
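The format under discussion here and in theymos's post above (sha256crypt, the `$5$` scheme, with rounds=7500 and a per-user salt) is easy to misjudge from the outside, so here is an added example that is not part of the thread or the forum's own code: a pure-Python implementation of sha256crypt from the published specification, a parser for the hash string, and the kind of offline wordlist attack the post above describes. Two checks worth noticing: a sha256crypt digest is always 43 characters, so of the three copies of the posted hash only the first one, ending in "Mpp.", is complete (`.` is a valid digit of the crypt alphabet); and the 16-character salt field is exactly what 12 random bytes look like after base64 encoding, which matches theymos's "12-byte salt". The wordlist is constructed for the example, and whether the posted hash really matches "22362236" is only reported, not assumed; the hash the test verifies is built locally from the posted salt and the claimed plaintext. bcrypt's cost parameter is a base-2 logarithm of its iteration count, which is why theymos equates cost 10 with about 1024 rounds and cost 12 with about 4096. Python's standard `crypt` module was removed in 3.13, so the algorithm is written out with `hashlib`.

```python
# Added example, not from the thread: pure-Python sha256crypt ($5$) as used
# by the forum (theymos: rounds=7500, per-user salt), plus a wordlist attack
# of the kind the poster above ran. Python's stdlib crypt module was removed
# in 3.13, so the algorithm is implemented directly with hashlib.
import hashlib
import hmac
import re

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000            # used when the hash carries no rounds= field
MIN_ROUNDS, MAX_ROUNDS = 1000, 999_999_999
# Hash from the post above, with the trailing "." that the later copies
# dropped: a sha256crypt digest is always 43 characters, and "." is a digit.
POSTED_HASH = "$5$rounds=7500$bOzfMJtV+ltz8dF+$jeWxjkMFW8Dv389us5iJ5KSBmb8wjkZOhns4UGeMpp."
# Constructed wordlist for the demonstration (not from any real leak).
WORDLIST = ["password", "123456", "bitcoin", "22362236", "letmein", "qwerty"]
HASH_RE = re.compile(r"^\$5\$(?:rounds=(\d+)\$)?([^$]{0,16})\$([./0-9A-Za-z]{43})$")


def _b64_3(b2, b1, b0, n):
    """Emit n chars of the crypt(3) alphabet from three bytes, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _encode(d):
    """Apply the byte permutation from the sha256crypt spec, then encode."""
    groups = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
              (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    return "".join(_b64_3(d[a], d[b], d[c], 4) for a, b, c in groups) + _b64_3(0, d[31], d[30], 3)


def sha256crypt(password, salt, rounds=None):
    """crypt(3) string for password. rounds=None means the default 5000 and,
    as in glibc, leaves the rounds= field out of the output."""
    pw = password.encode()
    salt = salt[:16]                      # glibc truncates the salt to 16 chars
    sb = salt.encode()
    r = DEFAULT_ROUNDS if rounds is None else max(MIN_ROUNDS, min(MAX_ROUNDS, rounds))

    # Digest B = H(pw || salt || pw) is mixed into A in a length-dependent way.
    b = hashlib.sha256(pw + sb + pw).digest()
    a = hashlib.sha256(pw + sb)
    n = len(pw)
    while n > 32:
        a.update(b)
        n -= 32
    a.update(b[:n])
    n = len(pw)
    while n > 0:                          # one update per bit of len(pw), LSB first
        a.update(b if n & 1 else pw)
        n >>= 1
    da = a.digest()

    # P and S byte sequences, derived from the password and the salt.
    dp = hashlib.sha256(pw * len(pw)).digest()
    p = (dp * (len(pw) // 32 + 1))[:len(pw)]
    ds = hashlib.sha256(sb * (16 + da[0])).digest()
    s = (ds * (len(sb) // 32 + 1))[:len(sb)]

    # The expensive part: `rounds` chained SHA-256 computations.
    c = da
    for i in range(r):
        h = hashlib.sha256()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    prefix = "$5$" + ("" if rounds is None else f"rounds={r}$")
    return prefix + salt + "$" + _encode(c)


def parse(h):
    """Split a $5$ hash into (rounds or None, salt, digest)."""
    m = HASH_RE.match(h)
    if not m:
        raise ValueError("not a sha256crypt hash")
    return (int(m.group(1)) if m.group(1) else None), m.group(2), m.group(3)


def verify(password, h):
    rounds, salt, _ = parse(h)
    return hmac.compare_digest(sha256crypt(password, salt, rounds), h)


def crack(h, candidates):
    """Offline wordlist attack: every guess costs `rounds` SHA-256 calls."""
    rounds, salt, _ = parse(h)
    for cand in candidates:
        if hmac.compare_digest(sha256crypt(cand, salt, rounds), h):
            return cand
    return None


# A hash built the way the forum's would be, from the posted salt and the
# plaintext the poster claims; this is what the example cracks.
DEMO_HASH = sha256crypt("22362236", "bOzfMJtV+ltz8dF+", 7500)

if __name__ == "__main__":
    print("rounds, salt:", parse(POSTED_HASH)[:2])
    print("wordlist hit on demo hash:", crack(DEMO_HASH, WORDLIST))
    print("posted hash matches the claimed plaintext:", verify("22362236", POSTED_HASH))
```

Each guess costs the full 7500 rounds, which is the whole point of the scheme: a dictionary of a few million common passwords is still cheap on a GPU, an all-digit mask of up to ten characters is cheap, but a random passphrase is out of reach, and a per-user salt means every user must be attacked separately.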
sr. member
Activity: 336
Merit: 250
Doesn't necessarily mean you're safe. I have billions of database entries in my possession. So let's say, I get your username and search it up on the Bitcointalk database.

Username leads to your email.

I grep that email within all my entries, and any average person will have most likely signed up on another site that was hacked so I will usually find someone's password in a soft password encryption algorithm or in plaintext.

This is where not using your password more than once in the same place comes in handy.
legendary
Activity: 1218
Merit: 1007
Here's the typical encrypted Bitcointalk user password.

$5$rounds=7500$uxETNKYBd49f1XZT$GqmY9SIrgeXwNI/QmhhkYKpznDrFPENk2uvCwBrnsLA

98% of the users here will not know what the hell that is, nor will they know how to use it efficiently. And the time to crack one doesn't meet the reason to do it.
Exactly. While the data exists and there are some people who would be willing to take advantage of it, the cracking time for the majority of people is just too long for it to be worth getting into a lot of users' accounts; however, for some people they might just want to get into someone's account enough that they'll take the time.

I'll probably be changing up my password, it's about time anyways.