tl;dr: BitcoinTalk was hacked in 2015 and the database is now being traded and will probably be public soon. Change your password! BTC-e possibly breached as well, currently looking into it.
BitcoinTalk has been hacked twice. The first hack occurred on October 3rd, 2013 and was perpetrated by a group known as "The Hole Seekers". The attackers injected JavaScript through SMF's news function. According to Theymos, the hacker(s) could have executed arbitrary PHP code and therefore could have accessed the database.
About a year and a half later, on May 22nd 2015 at 00:56 UTC, the BitcoinTalk forums were breached for a second time. The attacker gained root access to the forum's server and proceeded to create a dump of the database with mysqldump 10.14. The breach resulted in the forum being down for about 3 days. BitcoinTalk's hosting provider, NFOrce, was responsible for enabling the attack. The hacker(s) social-engineered NFOrce to get complete access to the server.
Here is what we know about the person(s) responsible for the hack on May 22nd 2015:
The attacker was found to be using two IPs, 66.172.27.160 (ChunkHost server in Los Angeles) and 37.48.77.227 (LeaseWeb server in the Netherlands). They also used the email address [email protected].
On September 4th 2015 at 10:59 UTC a Reddit user by the name of "h-bitcoinz" made a post on the /r/Bitcoin subreddit which said "im lord komodo of lizardskuad and all your db are myne". Included in the post were snippets from what appeared to be database dumps of ButterFlyLabs, BitcoinTalk, and BTC-e. I'm not sure if the BitcoinTalk hack can be attributed to this individual, but it is interesting.
Google Cache of the post: https://webcache.googleusercontent.com/search?q=cache:https://www.reddit.com/r/BitcoinAll/comments/3jls6t/all_your_database_are_belong_to_me_rbitcoin/
After scavenging I found someone who gave me the database dump; they didn't want to be named. The file is over 500,000 lines (514,409 lines to be exact). The only table in this file is the users table, which contains troves of information such as usernames, emails, passwords, IP addresses, security questions/answers and birthdays.
The security questions are stored in plaintext, while the answers are hashed with MD5. MD5 is one of the fastest hashing algorithms, which makes it one of the most insecure ones for this purpose as well. Anyone with a wordlist and hashcat could easily crack the majority of these hashes within minutes.
It appears that 44,869 out of the 514,409 passwords were hashed with simple SHA-1, and 469,540 of the passwords were hashed with 7500-round sha256crypt.
Sha256crypt with 7500 rounds is a pretty slow hashing algorithm, so it's kinda secure. I decided to take a shot at cracking some of the passwords. With only a couple hundred dollars and AWS EC2 I was able to recover 88,000 sha256crypt passwords and 15,000 SHA-1 hashes. Because of this I am sure hackers who have this breach have already recovered almost all of the passwords.
The top password was "12345678" and it was used 4,219 times.
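A site operator can check their own users table for the same mix of legacy and iterated hashes described above. The following is an added example, not code from this post, BitcoinTalk or SMF: it classifies stored hash strings by scheme and flags accounts to rehash at next login. It assumes legacy digests are stored as bare hex and sha256crypt entries use the standard `$5$` modular crypt format; the `MIN_ROUNDS` policy value and the sample rows are constructed.

```python
import re
from collections import Counter

# Modular crypt format for sha256crypt: $5$[rounds=N$]salt$hash (43-char hash)
SHA256CRYPT = re.compile(r"^\$5\$(?:rounds=(\d+)\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{43})$")
HEX = re.compile(r"^[0-9a-fA-F]+$")
DEFAULT_ROUNDS = 5000   # sha256crypt default when no rounds= field is present
MIN_ROUNDS = 100_000    # assumed local policy threshold, not from the post


def classify(stored):
    """Return (scheme, rounds, needs_rehash) for one stored password hash."""
    m = SHA256CRYPT.match(stored)
    if m:
        rounds = int(m.group(1)) if m.group(1) else DEFAULT_ROUNDS
        return ("sha256crypt", rounds, rounds < MIN_ROUNDS)
    if HEX.match(stored):
        # Bare hex digests carry no cost parameter: one hash call per guess.
        scheme = {32: "md5-hex", 40: "sha1-hex", 64: "sha256-hex"}.get(len(stored))
        if scheme:
            return (scheme, 1, True)
    return ("unknown", None, True)


def audit(rows):
    """Count entries per scheme and list the accounts that should be rehashed."""
    counts = Counter()
    rehash = []
    for username, stored in rows:
        scheme, rounds, weak = classify(stored)
        counts[scheme if rounds in (None, 1) else f"{scheme}:{rounds}"] += 1
        if weak:
            rehash.append(username)
    return counts, rehash


# Constructed sample rows (not taken from any real dump).
SAMPLE = [
    ("alice", "$5$rounds=7500$c2FtcGxlc2FsdA$" + "A" * 43),
    ("bob", "a" * 40),
    ("carol", "$5$saltsalt$" + "B" * 43),
    ("dave", "$5$rounds=535000$saltsalt$" + "C" * 43),
    ("erin", "not-a-hash"),
]

if __name__ == "__main__":
    counts, rehash = audit(SAMPLE)
    print(dict(counts), rehash)
```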
I hope everyone enjoyed this post. I think the Bitcoin community needs more transparency on stuff like this. I'm looking into the BTC-e and ButterFlyLabs breaches as we speak and hope to have a post out about those as soon as possible.
Good!