
Newest update:

Apparently someone got the whole user account database of Mt.Gox

I won't publish the link to it though for obvious reasons.

Quick analysis: the database is legit, it contains user id, username, email if set, and a bcrypt hash. The hashes seem salted with a global salt.




Something weird is going on. I just downloaded the CSV file and my account was in there (I don't really have any bitcoins at the moment, so that's OK). But I just got a message when trying to log into Gmail about 'suspicious' activity being detected on my account. My guess is that someone might have tried logging into my mail. Luckily my email password is unique, so I don't think anyone got in. I hope that other people in their DB were savvy enough not to re-use passwords.


Google has preemptively locked all the Gmail accounts that appeared on that list. (see http://forum.bitcoin.org/index.php?topic=19641.msg245983#msg...)


About 1600 passwords in this database are hashed with plain md5 without salt. I found quite a lot of hits (34% success rate) using a rainbow table cracker.


Password hashes are standard PHP crypt() ones. I'm in that DB, was able to generate the hash using the DB entry (it contains the salt for each password) and my one-time password from mtgox. One-time PWs ftw.
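
Added example, not part of the thread and not written by any commenter: the two storage formats mentioned above can be told apart mechanically, since a bare 32-hex MD5 carries no salt while a crypt() string embeds its salt. This Python sketch audits constructed records and flags unsalted entries for a forced reset; the usernames, passwords and digest placeholders are made up, and the function names are hypothetical.

```python
import hashlib
import re
from collections import Counter

# crypt() modular format ids; the per-password salt is stored inside the string.
MCF = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
       "5": "sha256-crypt", "6": "sha512-crypt"}
BARE_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")

def classify(stored):
    """Return (scheme, salt); salt is None when the format carries none."""
    if BARE_MD5.match(stored):
        return "unsalted-md5", None
    parts = stored.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in MCF:
        return "unknown", None
    scheme = MCF[parts[1]]
    if scheme == "bcrypt":  # $2y$<cost>$<22-char salt><31-char digest>
        return scheme, parts[3][:22]
    if parts[2].startswith("rounds=") and len(parts) >= 5:
        return scheme, parts[3]  # $6$rounds=N$<salt>$<digest>
    return scheme, parts[2]  # $1$<salt>$<digest>

def audit(records):
    """Summarise (username, stored_hash) pairs for remediation planning."""
    counts, force_reset, by_hash = Counter(), [], {}
    for user, stored in records:
        scheme, _salt = classify(stored)
        counts[scheme] += 1
        if scheme in ("unsalted-md5", "unknown"):
            force_reset.append(user)
        if scheme == "unsalted-md5":
            # Without a salt, equal passwords give equal hashes.
            by_hash.setdefault(stored.lower(), []).append(user)
    shared = [users for users in by_hash.values() if len(users) > 1]
    return {"counts": dict(counts), "force_reset": force_reset, "shared": shared}

# Constructed sample data: made-up users, passwords and digest placeholders.
_legacy = hashlib.md5(b"constructed-sample-password").hexdigest()
SAMPLE = [
    ("alice", _legacy),
    ("bob", _legacy),
    ("carol", "$1$Xy7abcde$" + "A" * 22),
    ("dave", "$2y$10$" + "B" * 22 + "C" * 31),
    ("erin", hashlib.md5(b"another-constructed-password").hexdigest()),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```
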


I don't think the db is public, it's being sold for a price.


It's public. I have the db loaded in mysql right now, and have confirmed its validity (my account is in there).



Quite public. At least passwords seem to be hashed, though.



