LinkedIn Password Hashes Leaked Online 271

jones_supa writes "A user in a Russian forum is claiming to have hacked LinkedIn to the tune of almost 6.5 million account details. The user uploaded 6,458,020 SHA-1 hashed passwords, but no usernames. Several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. The Verge spoke with Mikko Hyppönen, Chief Research Officer at F-Secure, who thinks this is a real collection. He told us he is 'guessing it's some sort of exploit on their web interface, but there's no way to know.' We will have to wait for LinkedIn to report back to be sure what exactly has happened." An anonymous reader tipped us to related news: The LinkedIn iOS application harvests information from your calendar and transmits it to their servers unencrypted.
  • Re:So what? (Score:5, Insightful)

    by DocSavage64109 ( 799754 ) on Wednesday June 06, 2012 @10:23AM (#40232025)
    If he has the password hash, then he most likely also has the username. He just didn't share them with the rest of the world and is likely trying to sell them.
  • by Anonymous Coward on Wednesday June 06, 2012 @10:25AM (#40232049)

    As an IT/security guy reading about these seemingly constant ongoing password change requests, I can't help but think that the problem lies not only with how many special characters we're using in our passwords, or whether or not we're using our pet's name, but more so in how the infrastructures of all of these magically utopian social networks are storing this information. Correct me if I am wrong, but haven't the majority of the recent problems that have forced us all to change our passwords, whether it is LinkedIn, World of Warcraft or whatever, been due to leaks from the back-end, not poor Johnny at the keyboard giving it to Ivan the hacker (no offense to the real Ivans or Johnnys)? Kind of like having to keep replacing the car tires because the roads are made of broken glass. It's not my fault, but I have to suffer. It would seem we need to put more PCI/SOX/whatever-like standards in place to better protect and mandate how our information is stored as more and more encouragement is put in place to unzip our metaphorical zippers online.

    And for the record, I am not an anonymous coward, but I forgot my password and my email isn't the same as it was 8+ years ago when I set up my slashdot account...

    ignorance is bliss in this case :)

  • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday June 06, 2012 @10:27AM (#40232083) Journal
    The surprising thing is not that Social 2.0 Mobile Enterprise BuzzCloud App-centric bullshit is shoving everything that it can get its sticky little fingers on to every 3rd party with questionable security and a dire privacy policy that it can find; but that they seem to be so incompetent at it.

    Exfiltrating the data in the clear is certainly easy enough (luckily 'mobile' frequently means 'even if I were competent enough, my crypto-crippled appliance wouldn't let me control outbound traffic anyway') but it makes it likely that, sooner or later, somebody is going to sniff some packets at their router and we'll get a little story about exactly how much exfiltration your ghastly little app is doing.

    It's like corruption. Even when everybody knows that it is happening, it is still considered crass to get caught with your hand in the cookie jar. You are supposed to pretend to care.
  • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday June 06, 2012 @10:29AM (#40232109) Journal
    Are you suggesting that power should be accompanied by responsibility?

    Why do you hate America, you godless communist?
  • Re:So what? (Score:5, Insightful)

    by cryptizard ( 2629853 ) on Wednesday June 06, 2012 @10:54AM (#40232437)
    People use these kinds of leaks to generate statistically sorted dictionary files for password breaking. The most commonly used (in the real world, as evidenced by these leaked databases) passwords are put at the front so you try all the more likely ones before moving on to the random guessing.
  • by Wrath0fb0b ( 302444 ) on Wednesday June 06, 2012 @11:07AM (#40232631)

    In cases like these, I feel like whoever is in charge of security over there needs to be held responsible for not following best practices and salting the damn password hashes. This has been security standard since PKCS #5 v2.0 [wikipedia.org] -- and you know security professionals don't publish these standards just for their own health. And this is not a new fangled thing, it was finalized in 2000 [ietf.org] 12 years ago.

    Failure to do so is malpractice ...

  • Re:Plain text (Score:4, Insightful)

    by ArhcAngel ( 247594 ) on Wednesday June 06, 2012 @12:29PM (#40233925)
    I love that. The entity is basically telling thieves what target vectors to use when configuring their attack bots.

    i.e. Only attempt passwords with 6 to 8 characters and filter out any where # of capital letters is < 1 or > 1 and # of numbers != 2. I'm sure it's still a large sample but infinitesimally smaller than just requiring a password to be more than 6 characters.
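An added example, not from the comment above or from LinkedIn, that counts how many candidate strings a composition rule of the kind paraphrased above actually admits, next to an unconstrained policy over the same lengths. The alphabets (26 uppercase, 26 lowercase, 10 digits) and the reading of the rule as "exactly one capital, exactly two digits, every other position lowercase" are assumptions made for the illustration.

```python
"""Keyspace of a password composition rule versus an unconstrained policy.
Illustrative code written for this page; the alphabet sizes and the policy
parameters are assumptions, not LinkedIn's actual rules."""
from math import comb

UPPER, LOWER, DIGITS = 26, 26, 10


def unconstrained(min_len: int, max_len: int,
                  alphabet: int = UPPER + LOWER + DIGITS) -> int:
    """Number of strings of length min_len..max_len over `alphabet` symbols
    when no composition rule is imposed."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def exactly_one_upper_two_digits(min_len: int, max_len: int) -> int:
    """Number of strings of length min_len..max_len with exactly one uppercase
    letter, exactly two digits, and lowercase letters everywhere else."""
    total = 0
    for n in range(min_len, max_len + 1):
        if n < 3:              # rule cannot be satisfied below three characters
            continue
        # pick the capital's position, then the two digit positions among the rest
        placements = comb(n, 1) * comb(n - 1, 2)
        total += placements * UPPER * DIGITS ** 2 * LOWER ** (n - 3)
    return total


def shrink_factor(min_len: int = 6, max_len: int = 8) -> float:
    """How many times smaller the constrained keyspace is than the
    unconstrained one for the same length range."""
    return unconstrained(min_len, max_len) / exactly_one_upper_two_digits(min_len, max_len)


if __name__ == "__main__":
    print("unconstrained 6-8 chars:", f"{unconstrained(6, 8):,}")
    print("one capital + two digits, 6-8 chars:", f"{exactly_one_upper_two_digits(6, 8):,}")
    print("shrink factor:", f"{shrink_factor():.1f}x")
```

The defender-side takeaway is the one NIST SP 800-63B later codified: composition rules tell an adversary which candidates not to bother with, so a verifier is better off enforcing a minimum length, screening against known-breached passwords, and rate-limiting online guesses than mandating character classes.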
  • by Anonymous Coward on Wednesday June 06, 2012 @02:55PM (#40235881)

    Wow, the LinkedIn hacking looks a lot worse as the hours roll by. There is no indication that the security breach has been fixed yet, so logging into LinkedIn to change your password might be futile - the hackers might still be in there and now they've got your new password too.

    But that's not the worst, no, not by a long shot. The 6.5 million password hashes that were uploaded to the Russian hacker forum are unique - i.e. any duplicate hashes are filtered out. Assuming some users pick the same "easy" passwords, it means the 6.5 million passwords could easily be a very significant chunk of the LinkedIn user base.

    And let's take that a step further - until we know any better, we have to assume that the group who hacked LinkedIn and stole those passwords got away with at least your LinkedIn username too. Which is your email address. You didn't use the same password for your email account as you did for your LinkedIn account, did you? Oh wait, you did... Better go change your email password too. This list of email addresses alone is very valuable to the dark side of the internet as it's a huge list of confirmed, valid email addresses.

    It's never great to be the bearer of bad news, but what was that - yes, that was it. LinkedIn also allows you to link your profile to your social media accounts - Facebook, Twitter, your private blog, etc etc. If you used the same email address and password to log into those accounts as you did for LinkedIn, you better get moving quick to change all of those passwords too (please, please use a different password for each site this time!) as at this point we have to assume the worst and that the hackers got the details about your linked profiles too.

    For some users, your credit card information may have been stored too so you could "upgrade" your LinkedIn account. Oh and your profile probably has your address on it.

    Finally, this opens up LinkedIn users to massive identity theft - generally LinkedIn users have uploaded their full CVs. That might even include your birthday and for married people your maiden name. It could easily show your first high school, where you went to college, the name of your first employer, etc etc. What are all those sort of details used for? Accessing your bank account, resetting passwords via security questions, you know, proving your identity online. Ouch.

    This hack has potential to be bad. Really really bad. And until we know the size of the breach we have no idea how far reaching it could ultimately end up.
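An added example, written for this page and not LinkedIn's code, that ties together two points made in the thread: Wrath0fb0b's complaint that the hashes were not salted per PKCS #5 v2.0 (PBKDF2, RFC 2898), and the observation just above that a deduplicated list of unsalted hashes collapses every account sharing a password into one entry. The user records are constructed sample data; the PBKDF2 iteration count, salt length and the `iterations$salt$hash` record layout are assumptions chosen for the illustration.

```python
"""Unsalted SHA-1 storage versus salted PBKDF2-HMAC storage.
Illustrative code for this page; the accounts below are constructed, and the
work factor and record format are assumptions, not LinkedIn's scheme."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

# Constructed sample accounts: three of the four share the same weak password.
USERS: Dict[str, str] = {
    "alice@example.com": "linkedin",
    "bob@example.com": "linkedin",
    "carol@example.com": "correct horse battery staple",
    "dave@example.com": "linkedin",
}

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune so one derivation costs ~100 ms
SALT_BYTES = 16


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 hex digest: the scheme the leaked list appears to use.
    Equal passwords give equal hashes across all users."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def unique_legacy_hashes(users: Dict[str, str]) -> Set[str]:
    """Deduplicated unsalted hashes. Every account with the same password
    collapses into one entry, so the count of unique hashes understates how
    many accounts are affected."""
    return {legacy_sha1(pw) for pw in users.values()}


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 record in the form 'iterations$salt_hex$dk_hex'.
    A fresh random salt is drawn per record unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Re-derive the key with the stored salt and iteration count, then compare
    in constant time so timing does not leak how many bytes matched."""
    iterations_s, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations_s))
    return hmac.compare_digest(dk.hex(), dk_hex)


def unique_salted_hashes(users: Dict[str, str]) -> Set[str]:
    """With a per-user random salt, identical passwords no longer produce
    identical derived keys, so a 'unique' list reveals nothing about reuse
    and a precomputed table cannot be applied to every record at once."""
    return {pbkdf2_record(pw).split("$")[2] for pw in users.values()}


if __name__ == "__main__":
    print("accounts:", len(USERS))
    print("unique unsalted SHA-1 hashes:", len(unique_legacy_hashes(USERS)))
    print("unique salted PBKDF2 hashes:", len(unique_salted_hashes(USERS)))
    rec = pbkdf2_record("correct horse battery staple")
    print("verify correct password:", pbkdf2_verify("correct horse battery staple", rec))
    print("verify wrong password:", pbkdf2_verify("linkedin", rec))
```

Run as a script, the four constructed accounts yield two unique unsalted hashes but four unique salted records. The salt is stored alongside the derived key because it is not a secret; its job is to make each record an independent target and to force per-user rather than whole-list effort, which is exactly the property the deduplicated leak shows was missing.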
