LinkedIn Password Hashes Leaked Online

jones_supa writes "A user in a Russian forum is claiming to have hacked LinkedIn to the tune of almost 6.5 million account details. The user uploaded 6,458,020 SHA-1 hashed passwords, but no usernames. Several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. The Verge spoke with Mikko Hyppönen, Chief Research Officer at F-Secure, who thinks this is a real collection. He told us he is 'guessing it's some sort of exploit on their web interface, but there's no way to know.' We will have to wait for LinkedIn to report back to be sure what exactly has happened." An anonymous reader tipped us to related news: The LinkedIn iOS application harvests information from your calendar and transmits it to their servers unencrypted.
  • by Anonymous Coward on Wednesday June 06, 2012 @10:22AM (#40232013)
    As this thread will probably turn into a bitch-fest against LinkedIn, I'll start.

    LinkedIn are no better than dirty spammers.

    I was getting constant "buy our carpet" emails from LinkedIn, by one of their users.

    After complaining through the correct channels to LinkedIn, I was told it's their function to allow users of their site to communicate with each other. Fine, until you realise I'm not a user of their site; never have been, never will be. This fact was lost on them.

    LinkedIn honestly thought they were doing me a favour by letting me know about "cheap carpets".

    Did they ban the spammer? Did they bollocks.

    Eventually they placed my email addresses on their block list.

    LinkedIn are dirty spammers.
  • Re:A New Euphemism! (Score:2, Informative)

    by Anonymous Coward on Wednesday June 06, 2012 @10:41AM (#40232253)

    harvest
          [hahr-vist]
    noun
    1. Also, harvesting. the gathering of crops.
    2. the season when ripened crops are gathered.
    3. a crop or yield of one growing season.
    4. a supply of anything gathered at maturity and stored: a harvest of wheat.
    5. the result or consequence of any act, process, or event: The journey yielded a harvest of wonderful memories.
    verb (used with object)
    6. to gather (a crop or the like); reap.
    7. to gather the crop from: to harvest the fields.
    8. to gain, win, acquire, or use (a prize, product, or result of any past act, process, plan, etc.).
    9. to catch, take, or remove for use: Fishermen harvested hundreds of salmon from the river.

  • Hashes list link (Score:5, Informative)

    by xded ( 1046894 ) on Wednesday June 06, 2012 @11:08AM (#40232643)

    http://www.mediafire.com/?n307hutksjstow3

    When checking for your password, check both for its SHA-1 hash and for the SHA-1 hash with the first five chars zeroed. Quoting [ycombinator.com]:

    Some observations on this file:

    0. This is a file of SHA1 hashes of short strings (i.e. passwords).

    1. There are 3,521,180 hashes that begin with 00000. I believe that these represent hashes that the hackers have already broken and they have marked them with 00000 to indicate that fact.

    Evidence for this is that the SHA1 hash of 'password' does not appear in the list, but the same hash with the first five characters set to 0 is.

    5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 is not present
    000001e4c9b93f3f0682250b6cf8331b7ee68fd8 is present

    Same story for 'secret':

    e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 is not present
    00000a1ba31ecd1ae84f75caaa474f3a663f05f4 is present

    And for 'linkedin':

    7728240c80b6bfd450849405e8500d6d207783b6 is not present
    0000040c80b6bfd450849405e8500d6d207783b6 is present

    2. There are 2,936,840 hashes that do not start with 00000 that can be attacked with JtR.

    3. The implication of #1 is that if checking for your password and you have a simple password then you need to check for the truncated hash.

    4. This may well actually be from LinkedIn. Using the partial hashes (above) I find the hashes for passwords linkedin, LinkedIn, L1nked1n, l1nked1n, L1nk3d1n, l1nk3d1n, linkedinsecret, linkedinpassword, ...

    5. The file does not contain duplicates. LinkedIn claims a user base of 161m. This file contains 6.4m unique password hashes. That's 25 users per hash. Given the large amount of password reuse and poor password choices it is not improbable that this is the complete password file. Evidence against that thesis is that the password of one person that I've asked is not in the list.
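    The checking procedure xded quotes (compute the SHA-1 of your password, then look for both the exact digest and the digest with its first five hex characters overwritten by 00000) as a small added script. This is not code from the post or from LinkedIn; the sample list embedded below is constructed from the three masked digests quoted above plus one unmasked entry, the FIPS 180 test vector sha1("abc"), so it runs offline. The candidate password never leaves the process, which is the point of doing the lookup locally rather than pasting a password into a web form.

```python
import hashlib
import re

HEX40 = re.compile(r"^[0-9a-f]{40}$")
MASK = "00000"

# Constructed sample in the format the post describes: one SHA-1 digest per line,
# with entries the leakers had already cracked marked by overwriting the first
# five hex characters with "00000". The three masked digests are the ones quoted
# in the post; the fourth line is the well-known test vector sha1("abc"), added
# unmasked so both kinds of entry are present. The junk line exercises parsing.
CONSTRUCTED_LEAK_TEXT = """\
000001e4c9b93f3f0682250b6cf8331b7ee68fd8
00000A1BA31ECD1AE84F75CAAA474F3A663F05F4
0000040c80b6bfd450849405e8500d6d207783b6
a9993e364706816aba3e25717850c26c9cd0d89d
not-a-hash
"""


def sha1_hex(password: str) -> str:
    """Plain unsalted SHA-1 of the password, which is all the leaked list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def masked(digest: str) -> str:
    """Apply the list's 'already cracked' marker: first five hex chars zeroed."""
    return MASK + digest[5:]


def parse_leak(text: str) -> set:
    """Load the list into a set, normalising case and dropping malformed lines."""
    digests = set()
    for line in text.splitlines():
        h = line.strip().lower()
        if HEX40.match(h):
            digests.add(h)
    return digests


def check_password(password: str, leak: set) -> str:
    """Report whether a password appears in the list, in either form.

    "present" means the exact digest is listed; "present (masked)" means only
    the 00000-prefixed form is listed, i.e. the leakers had already cracked it;
    "absent" means neither form was found. The exact form is tried first so a
    genuine digest that happens to start with 00000 is still reported correctly.
    """
    digest = sha1_hex(password)
    if digest in leak:
        return "present"
    if masked(digest) in leak:
        return "present (masked)"
    return "absent"


def summarize(leak: set) -> dict:
    """Count masked vs unmasked entries, mirroring observations #1 and #2 above."""
    n_masked = sum(1 for h in leak if h.startswith(MASK))
    return {"masked": n_masked, "unmasked": len(leak) - n_masked, "total": len(leak)}


if __name__ == "__main__":
    leak = parse_leak(CONSTRUCTED_LEAK_TEXT)
    print(summarize(leak))
    for pw in ("password", "secret", "linkedin", "abc", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, leak)}")
```

    To run it against the real file, replace the constructed text with the file's contents; everything else is the same. Note that the 00000 marker is ambiguous for the handful of genuine digests that start with five zeros (about one in a million does), which is why the exact form is checked before the masked one.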

  • by Jadeinfosy ( 960509 ) on Wednesday June 06, 2012 @11:21AM (#40232837)
    I changed my LinkedIn password a while back (about a month ago or so); my old password shows up in the hash file, not my new password.
  • Hash file here (Score:3, Informative)

    by lixns21 ( 1887442 ) on Wednesday June 06, 2012 @11:32AM (#40233051)
    The hash file is here. I could find my password in there (after changing it). Who uses unsalted hashes? Is it 1991? https://mail.yandex.ru/disk/public/?hash=pCAcIfV7wxXCL/YPhObEEH5u5PKPlp+muGtgOEptAS4= [yandex.ru]
  • Re:So what? (Score:5, Informative)

    by Diomidis Spinellis ( 661697 ) on Wednesday June 06, 2012 @12:06PM (#40233603) Homepage

    I've occasionally daydreamed a fun academic paper would be to collect sets of password hashes, rub them up against a rainbow table, and make graphs and correlations and wild assumptions about the correlation coeff of IQ and rate of easily cracked pwd vs site etc etc. Sounds like fun so it's probably been done before.

    Yes, it's been done on 70 million passwords. See http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf [cam.ac.uk]

  • Re:Plain text (Score:5, Informative)

    by DriedClexler ( 814907 ) on Wednesday June 06, 2012 @12:58PM (#40234327)

    Considering that LinkedIn was storing the passwords unsalted [theverge.com], it's really not much better than plaintext.

    The only question at this point is whether their "security" team suffers from mild, or severe learning disabilities.
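    An added illustration of the "unsalted is barely better than plaintext" point, not code from the post or from LinkedIn. It contrasts the deterministic unsalted SHA-1 the leaked list was built from with per-account salted, iterated storage (PBKDF2-HMAC-SHA256 from the standard library, chosen here as one reasonable option; the user names and passwords are constructed). The key observation: with unsalted hashes, everyone who chose the same password has the same stored value, so one precomputed digest identifies all of them at once; with a random salt per account, that same precomputed digest matches nothing.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware allows

# Constructed accounts: two users share a password, which is common in practice.
CONSTRUCTED_USERS = {"alice": "password", "bob": "password", "carol": "hunter2"}


def unsalted_sha1(password: str) -> str:
    """How the leaked list was built: one deterministic digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash stored as a self-describing record.

    Format: pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>. Storing the
    parameters with the hash lets the work factor be raised later without
    breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def store_unsalted(users: dict) -> dict:
    """Password table the way the leaked list implies it was kept."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Password table with a distinct salt (hence a distinct record) per account."""
    return {user: hash_password(pw) for user, pw in users.items()}


def accounts_with_stored_value(store: dict, value: str) -> list:
    """Which accounts a single precomputed value identifies in a given table."""
    return sorted(user for user, stored in store.items() if stored == value)


if __name__ == "__main__":
    precomputed = unsalted_sha1("password")  # one table entry for 'password'
    print("unsalted table, one lookup hits:",
          accounts_with_stored_value(store_unsalted(CONSTRUCTED_USERS), precomputed))
    salted = store_salted(CONSTRUCTED_USERS)
    print("salted table, same lookup hits:",
          accounts_with_stored_value(salted, precomputed))
    print("alice and bob share a password but not a record:",
          salted["alice"] != salted["bob"])
    print("verify carol:", verify_password("hunter2", salted["carol"]))
```

    The salt defeats the shared-table attack and the iteration count makes each remaining guess cost ITERATIONS hash computations instead of one. A purpose-built password hash (bcrypt, scrypt or Argon2) is the usual production choice; PBKDF2 is used here only because it ships with Python.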

  • by SecurityGuy ( 217807 ) on Wednesday June 06, 2012 @01:32PM (#40234809)

    You already know the answer. You just don't like it.

    You say that using a different password for every site is not practical. Is it less practical than having to deal with Site A getting hacked and your bank account being emptied? For me, I'm perfectly willing to deal with the hassle of separate passwords.

    What I'd suggest is that your "strong" category should all have distinct, strong passwords. I'm fond of 16+ random characters including numbers, caps, specials, etc. It's crazy to trust Amazon and eBay, both giant companies with big targets on their back filled with employees who may or may not be honest, with your bank password. Write 'em down if you have to. You can keep them in your wallet with no note about what they are or usernames, encrypted on your phone, whatever. If that's not good enough, lock them in a safe at home.

    I do agree with having a throwaway class of password. I will reuse passwords across sites if they're sites I really don't care about. I don't really have a medium. If having it compromised would be bothersome, it gets its own password.
