MtGox, the biggest bitcoin market in the world, had its user database compromised. Along with 60,000 other members, my account was leaked, and some hacker somewhere in the world has my username, email, and my encrypted password (thankfully, I hadn't actually put any money in my account). The thieves only got away with $1000, and MtGox has promised to roll back all the transactions since the compromise, but this will certainly be a test of bitcoin's peer-to-peer security model.
Some lessons to take away from this:
- Use secure passwords! Capital letters! Numbers! Special characters! Words that can't be found in a dictionary. Acronyms and other mnemonics are awesome: something like ygmmlmmuihuih (the first letters of "y'all gonna make me lose my mind….") is easy to recreate from memory, but tough to brute-force.
- Use different passwords for each site you visit, or at the very least, use one password for sites you trust (Gmail, banking sites, etc), and a separate one for more shady ones (forums, startups, and the like).
- Use a password manager like LastPass or KeePass. I use LastPass right now, and it's invaluable for keeping track of all the different passwords I have. Even better, it can automatically generate and save secure passwords for you. Just remember, back up your database every now and then to make sure you don't lose all your site access if the server goes down.
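To put numbers on the advice above, here is an added example (my own Python script, not something from the original post or from LastPass/KeePass). It estimates the search space an attacker has to cover for a given password from its length and the character classes it uses, compares that with picking a single word out of a dictionary, and generates a random password with Python's `secrets` module the way a password manager does. The dictionary size (170,000 words) and the guess rate (one billion guesses per second) are assumed round figures for illustration, not numbers from the post.

```python
import math
import secrets
import string

# Character classes an attacker has to include in an exhaustive search
# once any character of that class appears in the password.
CLASSES = [
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),  # 32 printable ASCII symbols
]

# Assumed round figures for illustration (not from the post).
DICTIONARY_WORDS = 170_000           # size of a typical English word list
GUESSES_PER_SECOND = 1e9             # assumed offline hash-guessing rate
SECONDS_PER_YEAR = 365.25 * 86400


def alphabet_size(password: str) -> int:
    """Size of the union of character classes needed to cover every character."""
    size = 0
    for _name, chars in CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
    # Anything outside the four classes (e.g. non-ASCII) widens the alphabet by one each.
    extra = {c for c in password if not any(c in chars for _n, chars in CLASSES)}
    return size + len(extra)


def brute_force_bits(password: str) -> float:
    """Bits of search space for an attacker who knows only length and character classes."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def dictionary_bits(word_count: int = DICTIONARY_WORDS) -> float:
    """Bits of search space when the password is one word from a word list."""
    return math.log2(word_count)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a search space of the given size."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def strength_report(password: str, in_dictionary: bool = False) -> dict:
    """Summarise how much work a brute-force attacker faces for this password.

    If the password is a plain dictionary word, the attacker only needs to try
    the word list, so the effective search space is the dictionary, not the
    full character-class space.
    """
    bits = dictionary_bits() if in_dictionary else brute_force_bits(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(bits, 1),
        "years_to_exhaust": years_to_exhaust(bits),
    }


def generate_password(length: int = 16, alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Generate a password from a CSPRNG, as a password manager does (never use random.choice)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample passwords: a dictionary word, the post's mnemonic, and a generated one.
    samples = [("password", True), ("ygmmlmmuihuih", False), (generate_password(16), False)]
    for pw, in_dict in samples:
        print(pw, strength_report(pw, in_dict))
```

The report treats a dictionary word as a dictionary word, not as eight lowercase characters; that is the difference between a few seconds and a few years of guessing, and it is why the post's mnemonic works: it is long, looks random, and appears in no word list, yet you can rebuild it from a sentence you already know. Note that the estimate only counts the space an attacker who knows nothing about the password must cover; a pattern the attacker can guess (a common phrase, a keyboard walk) shrinks it far below these figures.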
LastPass also gives me an overview of all the sites I have accounts with, so it was only an hour or so to go through and change up all my passwords. Phew!
Want to see the leak? You can download the entire file here (search for "firstname.lastname@example.org" to see me). Try your luck cracking the hash…
Update: Gmail sent me an email that made me think my account was in the process of being compromised, but it turns out they were just being proactive and awesome.