Last week, a vendor on the darknet who had previously hawked 68 million Dropbox accounts put up another listing: account information for nearly 500,000 users of Bitcointalk, a forum for bitcoin users that has been active since the cryptocurrency's earliest days.
The information came from a 2015 hack, according to LeakedSource, a site that collects hacked databases and makes them searchable. While all the passwords were hashed, meaning they had been run through a one-way function so that the stored value cannot simply be read back as the password, a LeakedSource blog post states that the site was able to crack just over 30,000 of them. The rest use a much stronger hashing algorithm, and LeakedSource estimated it would take "about a year to crack an estimated 60-70% of them."
This meant that most Bitcointalk users' passwords, which some users may also have reused for other services such as an email account or even a bitcoin wallet, would likely be safe from attackers. That held until today.
Early on Thursday, an anonymous person posted a list of 100 plaintext email addresses and passwords, ostensibly from the 2015 Bitcointalk hack, and stated that the rest, "over 400k," could be purchased for bitcoin. The shortened link to the site where the dump can be purchased is currently down, because the link-shortening service flagged it as phishing.
This could easily be a prank. So I sent emails to dozens of the email accounts listed in the post. As of this writing, only one person has emailed me back: they confirmed that the listed password is indeed one that they used in 2015 on Bitcointalk, but they changed it immediately after the hack was first publicized in May of that year.
Motherboard hasn't been able to confirm the validity of the rest of the 100 posted usernames and passwords, or if the 400,000 other pairs for sale are legitimate.
According to the operator of the Bitcointalk forum, who goes by "Theymos," the forum's password hashing is much stronger than what Dropbox used before its own massive leak of user data. It's possible that instead of cracking the Bitcointalk hashes directly, the attacker first cracked another dump of user data, say the more than 400 million Myspace passwords that were up for sale in May, and then simply tested each recovered password against the hash stored for the same user in the Bitcointalk dump.
"It'd be cheaper to attack the Dropbox hash and then check to see whether the associated forum user used the same password," Theymos wrote me in an email. "Other leaked databases might use even weaker hashes, or no hashes at all. I consider this cross-referencing method to be the most likely, since it is the easiest."
It's worth noting, however, that Dropbox used a fairly robust hashing algorithm, so it's unlikely that those passwords have already been cracked in bulk.
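The cross-referencing attack Theymos describes, as an added example that is not from the article or from Bitcointalk. It uses two constructed sample dumps: one with unsalted SHA-1 hashes (standing in for a weakly hashed leak) and one with salted PBKDF2-HMAC-SHA256 (an assumed stand-in for a slow hash; the article does not say which algorithm Bitcointalk uses). It also counts how many slow hash computations a direct dictionary attack would need versus the cross-reference, which is the point Theymos makes about cost. All names, passwords and parameters are made up.

```python
"""
Cross-referencing a cracked credential dump against a second, hashed dump.

Added example, not code from the article or from Bitcointalk. Both dumps below
are constructed sample data. The slow hash (PBKDF2-HMAC-SHA256, per-user salt)
and its iteration count are assumptions chosen to stand in for a strong scheme.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor for the "strong" site
HASH_LEN = 32


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash as assumed for the strongly hashed dump."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=HASH_LEN)


def fast_hash(password: str) -> str:
    """Unsalted single-pass SHA-1, standing in for a weakly hashed dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_fast_dump(fast_dump: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack on the weak dump: hash each candidate word once, then
    look every user's digest up in that table. Returns email -> plaintext."""
    lookup = {fast_hash(w): w for w in wordlist}
    return {email: lookup[digest]
            for email, digest in fast_dump.items() if digest in lookup}


def cross_reference(cracked: dict[str, str],
                    hard_dump: dict[str, tuple[bytes, bytes]]) -> dict[str, str]:
    """For each user already cracked elsewhere, test that single password
    against the slow hash stored for the same user. One slow hash per
    overlapping user, instead of one per (user x wordlist entry)."""
    hits = {}
    for email, password in cracked.items():
        if email not in hard_dump:
            continue
        salt, stored = hard_dump[email]
        if hmac.compare_digest(slow_hash(password, salt), stored):
            hits[email] = password
    return hits


def slow_hash_budget(hard_dump: dict, wordlist: list[str], cracked: dict) -> tuple[int, int]:
    """Slow-hash computations needed: (direct dictionary attack, cross-reference)."""
    direct = len(hard_dump) * len(wordlist)
    cross = sum(1 for email in cracked if email in hard_dump)
    return direct, cross


# Constructed sample data. The weak site stored unsalted SHA-1; the strong
# site stored salted PBKDF2. alice reused her password, bob did not.
WORDLIST = ["password", "letmein", "hunter2", "correcthorse"]

WEAK_DUMP = {
    "alice@example.com": fast_hash("hunter2"),
    "bob@example.com": fast_hash("letmein"),
    "carol@example.com": fast_hash("Tr0ub4dor&3"),   # not in wordlist, stays uncracked
}


def _salted(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


HARD_DUMP = {
    "alice@example.com": _salted("hunter2"),        # reused: recovered by cross-reference
    "bob@example.com": _salted("bob-unique-pw!"),   # unique: cross-reference fails
    "dave@example.com": _salted("letmein"),         # absent from the weak dump entirely
}


def run() -> dict[str, str]:
    """Crack the weak dump, then cross-reference it against the strong one."""
    cracked = crack_fast_dump(WEAK_DUMP, WORDLIST)
    return cross_reference(cracked, HARD_DUMP)


if __name__ == "__main__":
    cracked = crack_fast_dump(WEAK_DUMP, WORDLIST)
    print("cracked from weak dump:", cracked)
    print("recovered in strong dump:", cross_reference(cracked, HARD_DUMP))
    print("slow hashes needed (direct, cross-ref):",
          slow_hash_budget(HARD_DUMP, WORDLIST, cracked))
```

Only alice is recovered: her weak-site password verifies against her strong-site hash, bob's does not, and dave never appeared in the weak dump. The budget line shows why the attacker prefers this route: two slow hashes instead of twelve, and the gap widens with any realistic wordlist. Note that the strong hash is only tested, never attacked; its work factor is irrelevant once the password is known from somewhere else, which is exactly why reuse defeats a good hash.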
The hacked Bitcointalk database was previously up for sale on the darknet in 2015, but the passwords were still hashed then. This may indicate that more than one person holds the data, and that one of them did the work to crack the hashes in order to sell the plaintext for a profit.
It's unclear what, exactly, is going on here. But it seems as though a database of Bitcointalk user data with cracked, plaintext passwords may now be floating around on the darknet. This is likely no threat to users who changed their password after the hack in 2015, but anybody who hasn't could be in trouble, especially if they used the same password to secure their bitcoin wallet.
"The bottom-line for end-users is: computer security is a joke in general, and every site is eventually going to get hacked," Theymos wrote.
Now is as good a time as ever to change your passwords, and to stop reusing one password across sites.