LinkedIn Password Hashes Leaked Online

jones_supa writes "A user in a Russian forum is claiming to have hacked LinkedIn to the tune of almost 6.5 million account details. The user uploaded 6,458,020 SHA-1 hashed passwords, but no usernames. Several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. The Verge spoke with Mikko Hyppönen, Chief Research Officer at F-Secure, who thinks this is a real collection. He told us he is 'guessing it's some sort of exploit on their web interface, but there's no way to know.' We will have to wait for LinkedIn to report back to be sure what exactly has happened." An anonymous reader tipped us to related news: The LinkedIn iOS application harvests information from your calendar and transmits it to their servers unencrypted.

It's not an exploit, it's a feature!

[fuzzyfuzzyfungus]

Haven't you always wanted to forge closer ties with the dynamic marketing and legal-arbitrage entrepreneurs at the Russian Business Network? Now, LinkedIn is proud to announce your exciting, and mandatory, chance to do just that!

Plain text

[Anonymous Coward]

This sort of vulnerability is exactly why I avoid storing passwords in hash form. I always store passwords in plain text form. It's much more secure.

Good!

[OakDragon]

Maybe I can find mine, I can't remember it!

Re:Plain text

[fuzzyfuzzyfungus]

This sort of vulnerability is exactly why I avoid storing passwords in hash form. I always store passwords in plain text form. It's much more secure.

Y'know what fools the black-hats every time? Store the passwords in plaintext; but require all users to create a password consisting of exactly 64 hexadecimal characters... Even better, we all know that users hate security, so more user hatred = more secure. And this system is Super Secure.

Re:Could someone please look up my password for me

[Anonymous Coward]

Greetings comrade,
Try the following password: 12345
Sincerely Boris

A New Euphemism!

[Rob Riggs]

"Harvested" -- I love it!

"Bernie Madoff harvested money from his investors."

"H.I. harvested diapers from the convenience store."

"LinkedIn harvested private data from my phone."

They're doing you a favor by "harvesting". Because it's not doing anyone any good if it remains "unharvested".

Re:Plain text

[vlm]

Won't work, local policy prevents repeated numbers, and letters must be a mix of upper and lower case, and no sequential numbers. (I only wish I were kidding)

Re:Could someone please look up my password for me

[vlm]

Thank you Boris, but that is my luggage combination, not my linkedin password.
Admittedly my luggage is more important to me than my linkedin account, but...

Re:Could someone please look up my password for me

[Rude Turnip]

I can clearly see that it's hunter2.

Re:Plain text

[michelcolman]

The password "Password" is not allowed, but "pissword" is because it contains a number!

Re:Plain text

[RCL]

That's nothing: this is the real ubersecure requirement [microsoft.com].