Important! Please read: Mt gox hacked, all accounts were leaked

[artemm]

UPDATE 06/20: looks like the same thing may be transpiring at Trade Hill

An anonymous blog post claims to have hacked trade hill and is offering to sell password hashes. I would take this seriously at this point.

If you used your tradehill password anywhere else, I would change this now.

Guys,

The hacker group known as Anonymous just broke into Mt. Gox, crashed the market, then proceeded to LEAK all account info.

Luckily, the password is stored in a hash, but, given Mt. Gox's weak encryption methods, some (if not all) of the hashes are already cracked, revealing your true password.

I saw the file. And, yes, my email is in there.

If you used that password ANYWHERE ELSE, be sure to change it ASAP.

It was just a matter of time before this happened. Mt. Gox is essentially run from a dude's basement, in the grand scheme of things.

[Jen]

thank you

[danielkza]

There are no keys to hashing functions: they're not reversible. The only way to break them is brute force, which is next to impossible with proper salting (hopefully the guys at Mt. Gox were at least half competent on that area).

[artemm]

true, but you should change all other instances of that password just in case. MD5 was probably used with no salting (worst case scenario.) That can be brute-forced in no time. Honestly, Mt. Gox is a one man operation. The guy running it didn't even notice the breach until the damage was done AND the market managed to correct itself.

[Deux]

Thanks for the heads up, looks like quite a mess. Glad I pulled everything off of mtgox after the claims of hacking recently.

[BeepBeep2]

Thanks for the heads up, looks like quite a mess. Glad I pulled everything off of mtgox after the claims of hacking recently.

https://support.mtgox.com/entries/20...count-rollback

UPDATE REGARDING LEAKED ACCOUNT INFORMATIONS

We will address this issue too and prevent logins from each users. Leaked information includes username, email and hashed password, which does not allow anyone to get to the actual password, should it be complex enough. If you used a simple password you will not be able to login on Mt.Gox until you change your password to something more secure. If you used the same password on different places, it is recommended to change it as soon as possible.

[danielkza]

true, but you should change all other instances of that password just in case. MD5 was probably used with no salting (worst case scenario.) That can be brute-forced in no time. Honestly, Mt. Gox is a one man operation. The guy running it didn't even notice the breach until the damage was done AND the market managed to correct itself.

The passwords were salted, you can test it yourself: the part between the start of the string and the third $ is the salt, and the rest is the output of PHP's crypt function.

The hash of my password in the leak is

Code:

$1$pbC0WhDK$06aoDZXms.RuV9gQB037B.

The following PHP script yields the correct hash, and you can use it yourself to see if your most current password was leaked.

PHP Code:

<?php 
print(crypt('<my real password>', '$1$pbC0WhDK'));
?>

[artemm]

There's also the issue of 61 thousand leaked live emails that will now be going into x spam lists... Sigh, and that email was relatively spam free. Guess that's about to change.

This is going to rock investor confidence to the core. I'd be shocked if the BTC price will go anywhere near where it was when the attack occurred.

[shoota]

crap. i can't remember which email i used but if it's my main email then i'm probably screwed too. sigh.. it was so spam free unlike my yahoo email..

[artemm]

Update: 300 cracked hashes already posted. It allegedly took only 10 seconds.

Change that password, people. It's going to get cracked and will be out in the wild in no time.

[c22]

Where can I see the leaked database ?

[Blauhung]

hehe, good thing i used a brand new password for this and the spam email account

[NKrader]

i am ANONYMOUS!

[shoota]

Update: 300 cracked hashes already posted. It allegedly took only 10 seconds.

Change that password, people. It's going to get cracked and will be out in the wild in no time.

Password to what? Mt Gox? email? I guess anything that resembles the stolen password huh..

[NKrader]

Password to what? Mt Gox? email? I guess anything that resembles the stolen password huh..

im changing my door locks right now.

[shoota]

im changing my door locks right now.

Be careful of the Boogey Man!! still want this board btw?

[Tom128]

Between anon and lulz, being an interweb user is becoming scary.

I bet it was a SQL inject. I had pondered testing their screens with injects just to see how stable they were, since the site looked like it was made by a guy that just got done reading "My First HTML page". I just assumed with the number of people using it the thing was function over form.

[dangaroos]

Guys,

The hacker group known as Anonymous...

I thought they were more in the "releasing emails from a company that worked with the gov and banks to screw over some journalist because they didnt like what they were doing" business.
Link

ok, they did call for sony ddos, but later said it was a mistake because it only affected their customers.


Releasing customer data from some random online company is hardly their mo.



D

[Tom128]

I thought they were more in the "releasing emails from a company that worked with the gov and banks to screw over some journalist because they didnt like what they were doing" business.
Link

ok, they did call for sony ddos, but later said it was a mistake because it only affected their customers.


Releasing customer data from some random online company is hardly their mo.



D

I was thinking that as well, however they were the first one to tweet about it right after the selloff happened, so it's possible. I assumed it was lulz not anon myself.

[KaptainBlaZzed]

found my username and email in the file. All passwords have been changes.

#$#%#$@% Hackers!!

[NKrader]

Releasing customer data from some random online company is hardly their mo.

[INFRNL]

I'm glad I am not with this one, but I'm sure it won't be long to get all the others. Dammit I didn't use my head. Used my main email and main password like an idiot. will keep an eye on everything

[IFMU]

i'm a bit curious as to who exactly would be at risk here? i tried bitcoin on my rig here, but it couldn't do it, so i haven't been running it... but no clue what this Mt gox stuff is... anyone mind explaining a bit more for those who aren't really sure wtf is up?

[BeepBeep2]

i'm a bit curious as to who exactly would be at risk here? i tried bitcoin on my rig here, but it couldn't do it, so i haven't been running it... but no clue what this Mt gox stuff is... anyone mind explaining a bit more for those who aren't really sure wtf is up?

We run bitcoin miners...

These miners solve complex math equations and generate bitcoins for the bitcoin economy (kind of like the govt printing money) but instead we are the ones printing it.

Once we have our bitcoins, we go to websites like Mt. Gox where we sell our bitcoins from our digital wallet to someone elses digital wallet for USD. Be it an investor that believes in the future of bitcoins or someone that is buying in hopes the market value will increase in the future. It is a currency exchange, bitcoins are a form of currency.

...problem is, if you have an account on Mt. Gox with bitcoins in it waiting for sell (or money in your Mt. Gox account) it can be stolen like was the case today.

[IFMU]

ok so if i've never tried to buy or sell the bitcoins, i pretty much don't have anything to worry about then?