Security IT

LinkedIn Password Hashes Leaked Online

jones_supa writes "A user in a Russian forum is claiming to have hacked LinkedIn to the tune of almost 6.5 million account details. The user uploaded 6,458,020 SHA-1 hashed passwords, but no usernames. Several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. The Verge spoke with Mikko Hyppönen, Chief Research Officer at F-Secure, who thinks this is a real collection. He told us he is 'guessing it's some sort of exploit on their web interface, but there's no way to know.' We will have to wait for LinkedIn to report back to be sure what exactly has happened." An anonymous reader tipped us to related news: The LinkedIn iOS application harvests information from your calendar and transmits it to their servers unencrypted.
  • Colour me surprised! (Score:5, Interesting)

    by rogueippacket ( 1977626 ) on Wednesday June 06, 2012 @10:19AM (#40231971)
    If you install any app on your mobile device - especially those which thrive off of your data - don't be surprised if it's actually siphoning it off in the background. If groups like Facebook and LinkedIn simply wanted you to access the service remotely, they would just stick to HTML5. Instead, apps give them unfettered access to your contacts, calendar, location, and everything else on your personal device, regardless of platform.
    Just remember, it has never been about convenience to the user, and always profitability to the provider.
  • Re:Password changed (Score:3, Interesting)

    by Anonymous Coward on Wednesday June 06, 2012 @10:19AM (#40231975)

    Password changed and I don't use iOS. I'm all good... until next time. :P

    Well, as long as the source of the leak is unknown, how do you know they cannot access your new password?

  • by Sir_Sri ( 199544 ) on Wednesday June 06, 2012 @10:28AM (#40232093)

    This would seem to raise two questions. The first is whether or not usernames can be tied to their corresponding hash. Even if they can't, that's not a hugely difficult problem to overcome, though.

    The more serious question is how good SHA-1 is, then. A database like this (a table of hashes) is what you'd expect someone could hack from a reasonably secure system (although you would have wanted to see some salting as well as hashing, but either way). Having a hash of a password doesn't mean you can regenerate the password. If your password is subject to a simple dictionary attack, then sure, it can be regenerated and you're pretty much doomed, but you're not much more doomed than you were before. A strong password... now that's where this gets interesting. The question is whether or not there are vulnerabilities in SHA-1 that will let you regenerate good passwords (or even bad passwords that aren't subject to dictionary attacks).

    If you had a strong password, and SHA-1 is robust enough, you could die of old age before anyone manages to figure it out. If SHA-1 has meaningful holes in it... well, that's not so good.

    Also, LinkedIn has 160 million users (or at least accounts), if not more than that. So their full database would be significantly larger than this. It will be interesting to know if this is a particular subset of the data (all iOS users, all Android 2.3.2 users, all Chrome users, that sort of thing) or something else. Purely hypothetically, this could be all of the really early LinkedIn users who haven't changed passwords since they implemented SHA-2, if they ever did, for example, or it could be a failure in a particular version of the website.

    People on Twitter finding their passwords doesn't mean a whole lot, unless you know the password was strong and unique, and where those users are from, and when they joined LinkedIn.
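The dictionary-attack point in the comment above, shown with an added example (this is not code from the page, from the poster, or from LinkedIn). Recovering passwords from a table of unsalted SHA-1 hashes needs no weakness in SHA-1 at all: the attacker hashes each candidate word once and looks it up against every entry in the dump simultaneously, so the cost is proportional to the wordlist, not to the number of leaked accounts. The user passwords and the wordlist below are constructed for illustration; per-user salting is shown alongside so the cost of the same attack can be compared.

```python
import hashlib
import os

# Constructed sample data (not from the real dump). "Tr0ub4dor&3" stands
# in for a password the attacker's wordlist does not contain.
USER_PASSWORDS = ["password", "linkedin", "123456", "Tr0ub4dor&3"]

# The attacker's wordlist, also constructed for the example.
WORDLIST = ["123456", "password", "qwerty", "linkedin", "letmein"]


def sha1_hex(data: bytes) -> str:
    """Plain SHA-1, hex encoded, as the leaked table appears to use."""
    return hashlib.sha1(data).hexdigest()


def unsalted_dump(passwords):
    """Mimic the leak: bare SHA-1 hashes, no usernames, no salt."""
    return sorted(sha1_hex(p.encode()) for p in passwords)


def crack_unsalted(dump, wordlist):
    """One hash per candidate word is checked against the whole dump.

    Returns (recovered {hash: password}, number of hash operations).
    """
    targets = set(dump)
    found = {}
    ops = 0
    for word in wordlist:
        ops += 1
        h = sha1_hex(word.encode())
        if h in targets:
            found[h] = word
    return found, ops


def salted_records(passwords):
    """What a salted store looks like: (random salt, SHA-1(salt || pw))."""
    records = []
    for p in passwords:
        salt = os.urandom(16)
        records.append((salt, sha1_hex(salt + p.encode())))
    return records


def crack_salted(records, wordlist):
    """With a per-record salt the wordlist must be re-hashed per record,
    so work grows with records * wordlist instead of wordlist alone."""
    found = {}
    ops = 0
    for salt, h in records:
        for word in wordlist:
            ops += 1
            if sha1_hex(salt + word.encode()) == h:
                found[h] = word
                break
    return found, ops


if __name__ == "__main__":
    dump = unsalted_dump(USER_PASSWORDS)
    got, ops = crack_unsalted(dump, WORDLIST)
    print(f"unsalted: recovered {len(got)} of {len(dump)} in {ops} hashes")
    got, ops = crack_salted(salted_records(USER_PASSWORDS), WORDLIST)
    print(f"salted:   recovered {len(got)} of {len(dump)} in {ops} hashes")
```

Both runs recover the three weak passwords and miss the one that is not in the wordlist; the difference is only in the cost. Against 6.5 million unsalted hashes the unsalted figure would still be one hash per word, while the salted figure would be multiplied by 6.5 million.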

  • Re:Plain text (Score:5, Interesting)

    by NatasRevol ( 731260 ) on Wednesday June 06, 2012 @10:34AM (#40232173) Journal
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Wednesday June 06, 2012 @11:37AM (#40233119)
    Comment removed based on user account deletion
  • Re:Password changed (Score:4, Interesting)

    by TheLink ( 130905 ) on Wednesday June 06, 2012 @11:43AM (#40233229) Journal
    If the hackers have great control of the site, just logging in to the site could give them access to your password _plaintext_.

    So use different passwords for different sites.
  • by Relayman ( 1068986 ) on Wednesday June 06, 2012 @01:09PM (#40234445)
    Ironically, LinkedIn could have put you in contact with someone who could have bypassed HR altogether. That's what networking is all about. It's a tool, and if you insist on using a hammer instead of a screwdriver, good luck to you.
