
Important! Please read: Mt gox hacked, all accounts were leaked



artemm
06-19-2011, 11:36 AM
UPDATE 06/20: looks like the same thing may be transpiring at Trade Hill

An anonymous blog post claims to have hacked trade hill and is offering to sell password hashes. I would take this seriously at this point.

If you used your tradehill password anywhere else, I would change this now.

Guys,

The hacker group known as Anonymous just broke into Mt. Gox, crashed the market, then proceeded to LEAK all account info.

Luckily, the password is stored in a hash, but, given Mt. Gox's weak encryption methods, some (if not all) of the hashes are already cracked, revealing your true password.

I saw the file. And, yes, my email is in there.

If you used that password ANYWHERE ELSE, be sure to change it ASAP.

It was just a matter of time before this happened. Mt. Gox is essentially run from a dude's basement, in the grand scheme of things.

Jen
06-19-2011, 11:49 AM
thank you

danielkza
06-19-2011, 12:02 PM
There are no keys to hashing functions: they're not reversible. The only way to break them is brute force, which is next to impossible with proper salting (hopefully the guys at Mt. Gox were at least half competent on that area).

artemm
06-19-2011, 12:04 PM
true, but you should change all other instances of that password just in case. MD5 was probably used with no salting (worst case scenario.) That can be brute-forced in no time. Honestly, Mt. Gox is a one man operation. The guy running it didn't even notice the breach until the damage was done AND the market managed to correct itself.

Deux
06-19-2011, 12:16 PM
Thanks for the heads up, looks like quite a mess. Glad I pulled everything off of mtgox after the claims of hacking recently.

BeepBeep2
06-19-2011, 12:48 PM
Thanks for the heads up, looks like quite a mess. Glad I pulled everything off of mtgox after the claims of hacking recently.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback


UPDATE REGARDING LEAKED ACCOUNT INFORMATION

We will address this issue too and prevent logins from each user. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.

danielkza
06-19-2011, 01:02 PM
true, but you should change all other instances of that password just in case. MD5 was probably used with no salting (worst case scenario.) That can be brute-forced in no time. Honestly, Mt. Gox is a one man operation. The guy running it didn't even notice the breach until the damage was done AND the market managed to correct itself.

The passwords were salted; you can test it yourself: the part between the start of the string and the third $ is the salt, and the rest is the output of PHP's crypt function.

The hash of my password in the leak is
$1$pbC0WhDK$06aoDZXms.RuV9gQB037B.

The following PHP script yields the correct hash, and you can use it yourself to see if your most current password was leaked.



<?php
// Recompute the MD5-crypt ($1$) hash using the salt taken from the leaked entry;
// if the output equals the leaked string, that password is in the dump.
print(crypt('<my real password>', '$1$pbC0WhDK'));
?>
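The same check without PHP, as an added example (not code from the post above, from PHP, or from Mt.Gox): the `$1$` prefix identifies Poul-Henning Kamp's MD5-crypt, the scheme behind PHP's `crypt()` output quoted above. The block below is a pure-Python port of the reference algorithm (the FreeBSD `crypt-md5.c` construction: salt of up to 8 characters, 1000 MD5 rounds, crypt's own 6-bit output encoding), a parser for the `$id$salt$digest` layout, and a constant-time `verify()` so a user can confirm whether their own password matches the leaked entry. Names such as `parse_mcf`, `md5_crypt` and `verify` are this example's own.

```python
"""MD5-crypt ($1$) verifier, ported from the FreeBSD crypt-md5.c reference.

Added example for this thread; not Mt.Gox's, PHP's, or the poster's code.
"""
import hashlib
import hmac

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$1$"

# Hash quoted in the post above (danielkza's own leaked entry).
LEAKED = "$1$pbC0WhDK$06aoDZXms.RuV9gQB037B."


def _to64(value: int, n: int) -> str:
    """crypt(3)'s little-endian 6-bit encoding, n characters wide."""
    out = []
    for _ in range(n):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def parse_mcf(hash_string: str) -> tuple[str, str, str]:
    """Split '$id$salt$digest' into (scheme id, salt, digest)."""
    parts = hash_string.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $id$salt$digest string")
    return parts[1], parts[2], parts[3]


def md5_crypt(password: str, salt: str) -> str:
    """Return the '$1$salt$digest' string for password under MD5-crypt."""
    pw = password.encode("utf-8")
    sp = salt.encode("utf-8")
    if sp.startswith(_MAGIC):          # accept either 'salt' or '$1$salt$...'
        sp = sp[len(_MAGIC):]
    sp = sp.split(b"$", 1)[0][:8]      # salt stops at '$', at most 8 chars

    ctx = hashlib.md5(pw + _MAGIC + sp)
    # mix in len(pw) bytes of MD5(pw + salt + pw), 16 at a time
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    # the "something really weird" step: one byte per bit of len(pw)
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of deliberately irregular re-hashing to slow guessing
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    digest = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$" + sp.decode("utf-8") + "$" + digest


def verify(password: str, stored: str) -> bool:
    """True if password hashes to the stored '$1$...' string (constant-time compare)."""
    scheme, salt, _ = parse_mcf(stored)
    if scheme != "1":
        raise ValueError(f"unsupported crypt scheme ${scheme}$")
    return hmac.compare_digest(md5_crypt(password, salt), stored)


if __name__ == "__main__":
    print(parse_mcf(LEAKED))                       # ('1', 'pbC0WhDK', '06aoDZXms.RuV9gQB037B.')
    print(verify("<my real password>", LEAKED))    # True only for the actual password
    # same password, different salt -> different hash: precomputed tables do not transfer
    print(md5_crypt("example", "aaaaaaaa") != md5_crypt("example", "bbbbbbbb"))
```

Run it with your own password in place of the placeholder; the salt in the leaked string is all the script needs. The per-user salt is what the post is pointing at: it forces anyone guessing to redo the 1000-round computation for every user separately rather than once per candidate.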

artemm
06-19-2011, 01:13 PM
There's also the issue of 61 thousand leaked live emails that will now be going into x spam lists... Sigh, and that email was relatively spam free. Guess that's about to change.

This is going to rock investor confidence to the core. I'd be shocked if the BTC price will go anywhere near where it was when the attack occurred.

shoota
06-19-2011, 01:17 PM
crap. i can't remember which email i used but if it's my main email then i'm probably screwed too. sigh.. it was so spam free unlike my yahoo email..

artemm
06-19-2011, 01:20 PM
Update: 300 cracked hashes already posted. It allegedly took only 10 seconds.

Change that password, people. It's going to get cracked and will be out in the wild in no time.

c22
06-19-2011, 01:36 PM
Where can I see the leaked database ?

Blauhung
06-19-2011, 01:43 PM
hehe, good thing i used a brand new password for this and the spam email account

NKrader
06-19-2011, 01:43 PM
i am ANONYMOUS!

shoota
06-19-2011, 01:44 PM
Update: 300 cracked hashes already posted. It allegedly took only 10 seconds.

Change that password, people. It's going to get cracked and will be out in the wild in no time.

Password to what? Mt Gox? email? I guess anything that resembles the stolen password huh..

NKrader
06-19-2011, 01:46 PM
Password to what? Mt Gox? email? I guess anything that resembles the stolen password huh..

im changing my door locks right now.

shoota
06-19-2011, 01:52 PM
im changing my door locks right now.

Be careful of the Boogey Man!! still want this board btw?

Tom128
06-19-2011, 02:49 PM
Between anon and lulz, being an interweb user is becoming scary.

I bet it was a SQL inject. I had pondered testing their screens with injects just to see how stable they were, since the site looked like it was made by a guy that just got done reading "My First HTML page". I just assumed with the number of people using it the thing was function over form.

dangaroos
06-19-2011, 03:07 PM
Guys,

The hacker group known as Anonymous...


I thought they were more in the "releasing emails from a company that worked with the gov and banks to screw over some journalist because they didn't like what they were doing" business.
Link (http://en.wikipedia.org/wiki/Anonymous_(group)#Attack_on_HBGary_Federal)

ok, they did call for sony ddos, but later said it was a mistake because it only affected their customers.


Releasing customer data from some random online company is hardly their mo.



D

Tom128
06-19-2011, 03:34 PM
I thought they were more in the "releasing emails from a company that worked with the gov and banks to screw over some journalist because they didn't like what they were doing" business.
Link (http://en.wikipedia.org/wiki/Anonymous_(group)#Attack_on_HBGary_Federal)

ok, they did call for sony ddos, but later said it was a mistake because it only affected their customers.


Releasing customer data from some random online company is hardly their mo.



D

I was thinking that as well, however they were the first one to tweet about it right after the selloff happened, so it's possible. I assumed it was lulz not anon myself.

KaptainBlaZzed
06-19-2011, 04:10 PM
found my username and email in the file. All passwords have been changed.

#$#%#$@% Hackers!!

NKrader
06-19-2011, 05:01 PM
Releasing customer data from some random online company is hardly their mo.
:yepp:

INFRNL
06-19-2011, 05:43 PM
I'm glad I am not with this one, but I'm sure it won't be long to get all the others. Dammit I didn't use my head. Used my main email and main password like an idiot. will keep an eye on everything

IFMU
06-19-2011, 06:38 PM
i'm a bit curious as to who exactly would be at risk here? i tried bitcoin on my rig here, but it couldn't do it, so i haven't been running it... but no clue what this Mt gox stuff is... anyone mind explaining a bit more for those who aren't really sure wtf is up?

BeepBeep2
06-19-2011, 06:48 PM
i'm a bit curious as to who exactly would be at risk here? i tried bitcoin on my rig here, but it couldn't do it, so i haven't been running it... but no clue what this Mt gox stuff is... anyone mind explaining a bit more for those who aren't really sure wtf is up?
We run bitcoin miners...

These miners solve complex math equations and generate bitcoins for the bitcoin economy (kind of like the govt printing money) but instead we are the ones printing it.

Once we have our bitcoins, we go to websites like Mt. Gox where we sell our bitcoins from our digital wallet to someone elses digital wallet for USD. Be it an investor that believes in the future of bitcoins or someone that is buying in hopes the market value will increase in the future. It is a currency exchange, bitcoins are a form of currency.

...problem is, if you have an account on Mt. Gox with bitcoins in it waiting for sell (or money in your Mt. Gox account) it can be stolen like was the case today.

IFMU
06-19-2011, 06:49 PM
ok so if i've never tried to buy or sell the bitcoins, i pretty much don't have anything to worry about then?

shoota
06-19-2011, 06:50 PM
Mt Gox is the most active exchange for buying/selling bitcoins. You have to have an account on the site and that's the email and password that got leaked. If you didn't sign up on that site then you are ok. If you did then change the password on every other site that you might have the same password as Mt Gox.

shoota
06-19-2011, 06:51 PM
ok so if i've never tried to buy or sell the bitcoins, i pretty much don't have anything to worry about then?

Correct, if you didn't sign up to the site.

IFMU
06-19-2011, 06:51 PM
got it, wanted to make sure on that... thanks ^_^

[XC] Oj101
06-20-2011, 06:50 AM
I got nailed:

8:47AM (GMT +2)

Your wallet address has been changed on BTC Guild. The new wallet address is: xxx. For your security, payouts are disabled for 24 hours after a wallet address has been changed. Please contact webmaster@btcguild.com if you did not request this change.

8:48AM (GMT +2)

A payout has been made to your wallet (1CU3BqTmpdJmxqd8WL4AmPkPMSjmKtwVDZ) in the amount of 0.38 BTC. This transaction was immediately initiated by our server. It may appear in your wallet instantly, or it could take a few hours depending on how long it takes to be confirmed in a block.

I was busy walking to work at that time, I was nowhere near a PC. I have never changed the address and the last time I did a payout was two days ago. I lost 0.38BTC.

Alpha
06-20-2011, 07:34 AM
contact the admin - if its been more than 24 hours, yes, you lost.

if not, tell them you were hacked and they cancel the change. did you not see the note about not getting a payout for 24 hours because of the change?

p2501
06-20-2011, 07:38 AM
I'd be very much in favour of hunting down the people who did this, with pitchforks and torches. Damn crackers.

artemm
06-20-2011, 07:49 AM
I'd be very much in favour of hunting down the people who did this, with pitchforks and torches. Damn crackers.

A lot of people are hunting anon and lulzsec.... with... err... limited success :p:

I was surprised that anon claimed responsibility for this, but now that they're pretty much the same group, expect the unexpected. They're doing things for lulz AND hacktivism, so anyone's a target.

KaptainBlaZzed
06-20-2011, 08:01 AM
[XC] Oj101: I got nailed:

8:47AM (GMT +2)


8:48AM (GMT +2)


I was busy walking to work at that time, I was nowhere near a PC. I have never changed the address and the last time I did a payout was two days ago. I lost 0.38BTC.

Ouch, i changed all passwords when i found out about the break-in.

MtGox, TradeHill, Dwolla, BTCGuild, Paypal, Ebay, and my bank(s)

They are also now all STRONG passwords (+15 alpha numeric characters, no words, special characters)

Reflex1
06-20-2011, 09:06 AM
ok so if i've never tried to buy or sell the bitcoins, i pretty much don't have anything to worry about then?

If you have never opened an account at mt gox then no you have nothing to worry about. If you have opened an account with them, then they have your email and password, if you use the same password for other stuff its recommended you change it.

I've already started to receive junk mail from this on my email...:(

[XC] Oj101
06-20-2011, 10:21 AM
contact the admin - if its been more than 24 hours, yes, you lost.

if not, tell them you were hacked and they cancel the change. did you not see the note about not getting a payout for 24 hours because of the change?

Oh, sorry. I forgot to mention that I only enabled it after seeing the loss. I'll contact them anyway, thanks.

[XC] gomeler
06-20-2011, 10:36 AM
Seems the market is a bit shaky with the price dropping down to ~$13 USD and lower. Now the question is.. do I buy sometime soon :D


[XC] Oj101: Oh, sorry. I forgot to mention that I only enabled it after seeing the loss. I'll contact them anyway, thanks.

Ouch. I enabled that the moment I generated a fraction of a BTC :( I'm surprised it isn't set by default on BTCGuild.

BeepBeep2
06-20-2011, 10:55 AM
[XC] Oj101: Oh, sorry. I forgot to mention that I only enabled it after seeing the loss. I'll contact them anyway, thanks.
My pool has a wallet lock, if my account is stolen there my money can still go nowhere but my wallet...if I were to lose this machine and had to change wallets I would simply contact them for the change
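The two controls discussed in the last few posts, the 24-hour payout hold after an address change (quoted from BTC Guild's notice above) and a wallet lock that only support can override, modelled as a small account state machine. This is an added example and not BTC Guild's or any pool's code; the class, method names and the two placeholder addresses are this example's own, and the 0.38 BTC figure and the 08:47/08:48 timestamps are taken from the incident Oj101 describes. `replay()` re-runs that timeline under each combination of controls so the difference is visible.

```python
"""Payout-hold and wallet-lock controls for a mining-pool account.

Added example for this thread; not the code of BTC Guild or any other pool.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HOLD = timedelta(hours=24)   # the 24-hour figure from BTC Guild's notice above
ZERO = timedelta(0)

# Constructed placeholders, not real Bitcoin addresses.
OWNER = "OWNER_ADDRESS_PLACEHOLDER"
ATTACKER = "ATTACKER_ADDRESS_PLACEHOLDER"


class PayoutBlocked(Exception):
    """A control refused an address change or a payout."""


@dataclass
class MinerAccount:
    payout_address: str
    balance: float
    hold_enabled: bool = True        # payouts paused for HOLD after a web-session change
    wallet_locked: bool = False      # address changes only through support
    changed_at: datetime | None = None
    log: list[str] = field(default_factory=list)

    def change_address(self, new_address: str, now: datetime, via_support: bool = False) -> None:
        """Web-session changes are refused under a lock; a support-verified change carries no hold."""
        if self.wallet_locked and not via_support:
            self.log.append(f"{now:%H:%M} change to {new_address} REFUSED: wallet locked")
            raise PayoutBlocked("wallet locked: address changes only via support")
        self.payout_address = new_address
        self.changed_at = now if (self.hold_enabled and not via_support) else None
        self.log.append(f"{now:%H:%M} payout address -> {new_address}")

    def hold_remaining(self, now: datetime) -> timedelta:
        if self.changed_at is None:
            return ZERO
        return max(ZERO, self.changed_at + HOLD - now)

    def payout(self, amount: float, now: datetime) -> str:
        """Pay `amount` to the current address and return that address."""
        left = self.hold_remaining(now)
        if left > ZERO:
            self.log.append(f"{now:%H:%M} payout of {amount} BTC BLOCKED, {left} of hold left")
            raise PayoutBlocked(f"payouts disabled for another {left}")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount
        self.log.append(f"{now:%H:%M} paid {amount} BTC to {self.payout_address}")
        return self.payout_address


def replay(hold_enabled: bool, wallet_locked: bool) -> dict:
    """Re-run the timeline from Oj101's post under a chosen set of controls.

    08:47  someone with the leaked password changes the payout address
    08:48  they trigger an immediate payout of the 0.38 BTC balance
    09:30  the owner reads the notification e-mail and support reverts the change
    """
    t0 = datetime(2011, 6, 20, 8, 47, tzinfo=timezone(timedelta(hours=2)))
    acct = MinerAccount(OWNER, balance=0.38, hold_enabled=hold_enabled, wallet_locked=wallet_locked)
    stolen = 0.0
    try:
        acct.change_address(ATTACKER, t0)
        if acct.payout(0.38, t0 + timedelta(minutes=1)) == ATTACKER:
            stolen = 0.38
    except PayoutBlocked:
        pass                                     # a control stopped the attempt
    acct.change_address(OWNER, t0 + timedelta(minutes=43), via_support=True)
    return {
        "stolen_btc": stolen,
        "balance": round(acct.balance, 8),
        "address": acct.payout_address,
        "log": acct.log,
    }


if __name__ == "__main__":
    for hold, lock in ((False, False), (True, False), (False, True)):
        result = replay(hold, lock)
        print(f"hold={hold} lock={lock}: stolen {result['stolen_btc']} BTC")
        for line in result["log"]:
            print("   ", line)
```

With neither control the payout goes out a minute after the change, which is the sequence in the two e-mails above; the hold turns the same two actions into a notification plus a blocked payout that the owner has a day to act on, and the lock stops the change itself. Whether either is on by default, as gomeler asks, is a product decision; the model only shows what each one buys.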

artemm
06-20-2011, 11:17 AM
UPDATE: looks like the same thing may be transpiring at Trade Hill!!

An anonymous blog post claims to have hacked trade hill and is offering to sell password hashes. I would take this seriously at this point.

If you used your tradehill password anywhere else, I would change this now.

Tom128
06-20-2011, 11:53 AM
Oh boy. You got a link for that? Hopefully TradeHill was not lying about how they encrypted the passwords. Salted multi-iterated SHA hashes are going to be hard to crack, much harder than salted MD5 hashes like Mt.Gox used.

artemm
06-20-2011, 01:42 PM
Oh boy. You got a link for that? Hopefully TradeHill was not lying about how they encrypted the passwords. Salted multi-iterated SHA hashes are going to be hard to crack, much harder than salted MD5 hashes like Mt.Gox used.

The hacker claims that they're unsalted.

And I don't think linking to something potentially illegal will go over too well with the mods, lol. :p:

don_xvi
06-20-2011, 03:47 PM
Hmm, popular opinion is that the Tradehill db hack claim is fake.
It still can't hurt to change a password, though.

INFRNL
06-20-2011, 05:11 PM
luckily I have not signed up for any of these yet. I do need to activate the security thing on guild though

OldChap
06-21-2011, 10:32 AM
Local news:

"A teenager has been arrested in the UK in a joint Scotland Yard and FBI probe into the hacking of websites."

http://www.bbc.co.uk/news/technology-13859868

shoota
06-21-2011, 10:42 AM
Local news:

"A teenager has been arrested in the UK in a joint Scotland Yard and FBI probe into the hacking of websites."

http://www.bbc.co.uk/news/technology-13859868

Good. I don't see the lulz in hacking crap and making people's lives miserable.

p2501
06-21-2011, 11:34 AM
http://www.h-online.com/security/news/item/Hacker-organisations-join-forces-1264337.html

Wow, so they want to hit finance and gov to free people from oppression. What does a trade platform for an independent currency have got to do with it?

Blauhung
06-21-2011, 01:12 PM
http://www.h-online.com/security/news/item/Hacker-organisations-join-forces-1264337.html

Wow, so they want to hit finance and gov to free people from oppression. What does a trade platform for an independent currency have got to do with it?

Either
A) generation of funding
or
B) others claiming it was them to try and defame them further

For the most part it would be ideologically backwards for them to attempt to cripple a decentralized system such as bitcoin and they have asked for donations in the form of bitcoin, so my vote is that this was just undertaken by some money grubbing hacker. From the looks of things they had a hacked account and attempted to kill the value then buy back boatloads of extra coins while cheap, and in the chaos somehow found access to the user database of the exchange. This is completely to be expected. Any time anything of value becomes available, someone will try and steal it.