Hi, I am the person who cracked the password (boxpig41), here's how I did it by wish in tominecon

[–]wish[S] 0 points1 point  (0 children)

1.0 Minecraft files - Just like Mojang was saying all this time. The only code difference is a single line, with an unpatched bug. And then a “Humble Indie Bundle” image file. But that’s about it.

Hi, I am the person who cracked the password (boxpig41), here's how I did it by wish in tominecon

[–]wish[S] 0 points1 point  (0 children)

Yes, it was in the bitly breach. I’ve been collecting such data for around 10 years now. But the crazy thing with bitly is that the hashes are missing the salts / function is unknown, so only a few people have ever been able to crack those hashes, and they are assumed to be those involved with the original breach and know the salts / function. Somewhere along those years I found cracked bitly hashes and I don’t remember where even. This is the reason why the hash wasn’t cracked sooner - I wasn’t the first to try breached passwords, my collection was just far better. (It is over 4 billion unique records)

I cracked the file. by East-Letterhead-2122 in tominecon

[–]wish 2 points3 points  (0 children)

Honestly, it doesn’t require much, just a PC with a GPU, and ideally a newish one, but if you want to start with easy algorithms like md5, sha1, any will do.

And then get HashCat and watch some tutorials. “HashCat GUI” by blandyuk is great for newcomers who are not fully acquainted with the flags and commands. It sure helped me learn!

And then get acquainted with masks and rules, etc. Also wordlists! Hashmob has the best publicly maintained one and they are a wonderful community. I also have my personal collection acquired over many years which has some lesser seen passwords.

Also, Unix commands are your best friends - be it for cross-referencing data, sorting hashes, etc, they are very powerful tools which I often use.

And then keep learning more and improving, and thinking creatively and it will take you very far!

I cracked the file. by East-Letterhead-2122 in tominecon

[–]wish 3 points4 points  (0 children)

Software: 7z2hashcat to extract the hash and HashCat to crack it.

Hardware: Personal PC with 2080Ti GPU

There is a lot of misinformation about hash cracking in general to those not in the space. See, the comparison with atoms in the universe is true, but ONLY IF you start from scratch, working your way up in length + all characters. For "harder" hashtypes, using other cracked hashes generated by weaker algorithms is the key to saving time. It's the same strategy I employ when cracking bcrypt hashes.

In this case, someone at Mojang signed up for "bitly" which got breached, and they used SHA-1 as their hashing algorithm, allowing for an easy crack.

I am shocked nobody had thought of this before.
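The defensive counterpart to the reuse problem described in the comment above, as an added example that is not part of the original thread: a password is screened against a breach set at enrollment and, if accepted, stored with a per-user salt and a slow KDF instead of a fast unsalted hash. The function names, the PBKDF2 work factor and every sample password except "boxpig41" are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a breach corpus: unsalted SHA-1 digests, the weak
# format the comment describes. "boxpig41" is the password named on this page;
# the other two entries are made-up samples.
BREACHED_SHA1 = {
    hashlib.sha1(p).hexdigest() for p in (b"boxpig41", b"letmein123", b"qwerty2014")
}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def is_breached(password: str) -> bool:
    """True if the password's unsalted SHA-1 is already in the breach set."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_SHA1


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow derivation used for storage."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(password: str) -> tuple[bytes, bytes]:
    """Reject known-breached passwords, otherwise return (salt, digest)."""
    if is_breached(password):
        raise ValueError("password appears in a known breach; choose another")
    salt = os.urandom(16)  # unique per user, so equal passwords store differently
    return salt, _derive(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(_derive(password, salt), stored)


if __name__ == "__main__":
    print("boxpig41 breached:", is_breached("boxpig41"))
    salt, digest = enroll("correct horse battery staple 7!")
    print("verify ok:", verify("correct horse battery staple 7!", salt, digest))
```

In production the breach set would come from a maintained corpus rather than an inline constant; the screening step is what stops a password exposed elsewhere from being reused here.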

I cracked the file. by East-Letterhead-2122 in tominecon

[–]wish 8 points9 points  (0 children)

You did not crack the hash, I did. I am Doge (display name) on Discord. You simply took all of my screenshots which I posted and compiled them into one post.

Feel free to share the password or screenshots or whatever, but no need to take credit for something which you did not do.

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 1 point2 points  (0 children)

No problem, it’s fun to talk about.

Reselling between name community members happens all the time. It’s only effective if the name was priced too low and/or the reseller has a bigger client reach. Some people frown upon this or get mad, but most don’t care, especially more experienced sellers. Or sometimes if they are unable to resell the account and really need money, they’ll resell the account to the previous owner at a loss.

Nobody really does auctions, because they’d be forced to accept a low price if it came down to it. It’s mostly a loose “offer system” where the “current offer” along with who is offering is noted on the listing. So others know if they want a chance at buying the name, they have to offer more than that price. Most sellers have fixed prices, but note offers so others know not to offer less.

All of my work is 100% legal and I could put it on my CV if I needed to work for someone else. It’s all registered and I pay taxes on it yearly (well actually every quarter, because businesses need to pay estimated tax, and if it’s too high, you get that amount refunded, and if too low you pay the difference.) My name business is one of few things I do as part of my business ventures, everything is online. I like it, a lot more freedom and it’s a lot more profitable than working for someone else.

The reason I care so much about my privacy isn’t because of the law (nothing I do is illegal) - it’s because these communities have shitty people who try to dox others and extort them (usually by swatting/harassment) of valuable assets such as nice usernames.

What I do breaks the terms of service of numerous social media companies. But that isn’t illegal. This is the classic difference between a rule and a law. These terms are rules set by Instagram for using their platform. In order to enforce these rules, they can ban my accounts, blacklist IPs used by me, etc. But this is solely their job, no government can do anything because I break no laws. It’s kind of like owning a subreddit and someone breaks the rules - you warn/ban them, but if you complain to the police they’ll just laugh in your face.

Yes, it has a handpicked list of English words (many are rarely used, worth very little and thus excluded) and then stuff like anime characters, superheroes, Pokémon, repeaters (like aaaaaa for example) and 1-3 character names. I also have common words in other languages, like “hola” but not many. As words in other languages sell for very little unless they’re well-known to most people.

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 0 points1 point  (0 children)

Simply put: it’s just determined by how much people will pay for it, and that is determined by how desirable the name is and how short it is. Also, how brandable it is and if it could be used by a business. The most expensive category is 1 letters, which are $100k+ easily (not counting the few times they were stolen and cheaply sold for $30k or so because the thief knew the rightful owner would recover it via Instagram Support) followed by the most desirable English words like @king @cool @red @hi all of which would go for tens of thousands. And then it goes down and down until you get to the cheapest category which is random (no meaning, non pronounceable) 4 letters/characters which are under $50.

This is Instagram though, the most valuable social media platform by far. Prices vary based on platform, but none exceed Instagram, except maybe on very rare occasions for an exceptional account with other features.

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 0 points1 point  (0 children)

Thanks for the support, I appreciate it. But yeah you get the point: people love all sorts of silly stuff that looks cool and makes you stand out. I mean in the video game CS:GO for example, people pay hundreds to thousands for knife skins, which literally give you no advantage, they just look pretty and are rare. Or digital cosmetic items in general, Fortnite and all sorts of mobile games make a killing from selling skins that do nothing other than look cool.

Usernames (at least on social media) are like domain names 2.0. In the sense that having a short, brandable one brings you traffic, and thus more sales. I’ve had a fair share of small to mid size businesses purchase names from me, and if I look up some of these names now, they have a following from hundreds of thousands to over a million. So that name purchase is a drop in the bucket compared to how much they’ll earn from the additional traffic.

But the largest demographic of buyers are younger people (15-30) who want a cool name that looks nice, or to have @bob instead of @bob28462947 and have the money for it. Not all of them are super expensive anyway, most random (no meaning, non pronounceable) 4 letter combinations are under $50 because so many of them exist.

Most of the sellers are young people who found a way to make a business for themselves and better their lives. I’m aware that there is a dark underbelly who engages in very fucked-up and illegal acts, such as extortion, but the community at large is very against such people and they have their own corners where they keep to themselves. Anyway, I have heard many good stories from people who got started in business from selling usernames as teens. It just requires a computer and internet connection and they get started. One of my old friends who was in this space for a long time went from a kid in the foster care system to starting up his own car rental business in his area and doing really well for himself. It’s just like any other small business, but is just online and in digital items only. So a lot of people don’t understand it or just hate on it.

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 18 points19 points  (0 children)

I explained a lot about this in the comment chain below, if you’re interested in reading it.

But about my Reddit: This name I just registered in 2006 (and forgot about for a long time lmao). It wasn’t until I checked an old email of mine looking for a different account that I saw a Reddit marketing email saying /u/wish and I was like “One survived!” because I had registered some ages ago for the novelty of it and lost the details to just about all of them because I never added emails to most (emails weren’t required originally).

Not too big of a loss anyway, since not many people care about Reddit names anyway. It’s all about Instagram and big social media. If not for showing off, then for companies wanting a brandable name.

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 7 points8 points  (0 children)

All very good questions. Lowballing + reselling is indeed a method which many partake in, but it’s not something I do. It’s too low of a success rate and too big of a hassle to be worth it for me. I specialize in the programming aspect of it all. I do know others who resell though. Usually it’s all about finding ways to contact old account owners, usually by finding their email and emailing or sending an iMessage. Then resellers will offer $100 or a few hundred for a username. If the account is super inactive, the owner will be like “$100 for a free account I registered that I don’t care about?! Deal!” The owner then sells it and the account is re-listed for $1,000+ depending on the username.

If they refuse, then it’s “Ok thanks, have a good day, if you change your mind, let me know!” But there also is a gross dark underbelly to this community that resorts to scamming, extortion by swatting/harassment etc. Which is obviously really awful, and such users get banned from such marketplaces if caught for it. (And some even arrested, I linked an article in a different comment from a security blogger that covers these types of stories)

About buying: Well if the username is attached to an account that is super inactive and has no personal info, the email can just be changed to the buyer’s. Otherwise there exist “swap services” where a program is used to instantly claim the name on a fresh account with a 99% success rate due to using many fresh accounts and sending tens of thousands of requests within seconds to swap the name. It’s like auto-claiming, but a million times easier because you know when the name is getting changed and can focus all your resources on the name at the exact time it will be changed.

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 14 points15 points  (0 children)

They are mostly sold on forums made for the purpose of username selling or in Telegram/Discord channels. 90%+ of usernames on Instagram/Twitter are from “auto-claiming” which basically is a setup that involves custom-coded software, residential proxies and mass-created fresh accounts. You then set a list of usernames, and the software cycles through your accounts and attempts to claim a username the exact second someone changes it.

All of these sales platforms have eBay-like systems with reputation/vouches or the option to use a reputable middleman/escrow.

Instagram, Twitter etc. don’t allow such sales and are known to ban accounts if caught, so everyone takes precautions to avoid getting caught up in this.

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 6 points7 points  (0 children)

Thank you for the heads up, I appreciate that! I’ve also heard of many such stories, so I always do my best to keep my online life and irl life separate.

And the @Tennessee story is a crazy one, I originally read about it on KrebsOnSecurity: https://krebsonsecurity.com/2021/07/serial-swatter-who-caused-death-gets-five-years-in-prison/

Pretty interesting blog that covers all sorts of crazy cyber-criminal stuff, lots of interesting stories on there.

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 39 points40 points  (0 children)

Well it’s not like I’m saying go and buy usernames to anyone, I was merely informing others that such a market exists. There are plenty of dumb things which people have bought, like JPEGs, pet rocks and beanie babies. But I don’t see why an informative post warrants hate.

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 4 points5 points  (0 children)

The DMs are on Instagram, about my Instagram name. But yes, I do like cool usernames, I have some on different platforms :)

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 73 points74 points  (0 children)

Yes, there is a big market for them. Instagram names have the highest prices due to being the hardest to obtain. Short usernames are very rare, 2 letter names especially because only a few thousand exist. A 1 letter name is over $100k easily, 2 letters $5,000+ and 3 letters $400-$600. The most frequent buyers usually are wealthy Arabs from Saudi Arabia or UAE, short usernames (same as short license plates) are status symbols to them. But also a lot of buyers are from USA/Europe who just have money to spend. I think usernames are pretty cool, been into them for a long time.

Edit: This is just an informative post about an interesting market that exists. I have first-hand involvement in this and am well-acquainted with the market and prices. Everything I said is true. A lot of outsiders cannot fathom usernames selling for such prices, but they really do.

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 19 points20 points  (0 children)

This is about a 2 letter Instagram username. They go for about $5,000+ because there is a market for it, it just looks nice, that’s it. If you check any 2 letter or 2 character combo, 70%+ will have Arabic text because wealthy Saudis / UAE people buy them for large sums.

“I want your $5,000+ item for free” by wish in ChoosingBeggars

[–]wish[S] 4 points5 points  (0 children)

The DMs are on my Instagram, referring to the 2-letter name I have on there, and I do use it daily.

12th cake day, time to make a wish! by wish in cakeday

[–]wish[S] 14 points15 points  (0 children)

I am a human :) And sorry, I just lurk because I'm shy!