LinkedIn dials 911 on password mega-leak hackers

LinkedIn has turned to the FBI for help after 6.5 million of its users' passwords were dumped online by hackers. The business network said "a small subset" of the hashed data had been deduced and revealed, but the rest is "hard to decode". Security biz Sophos estimated that as much as 60 per cent of the leaked list had been …

COMMENTS

This topic is closed for new posts.
  1. Fuzz

    lax security policies

    Whilst LinkedIn were at least hashing passwords, there are countless sites out there not performing this simple task.

    Those sites are easy to spot; they're the ones that have limitations on their passwords. I just signed up to a t-mobile.co.uk account to manage my dongle: the password must be less than 15 characters and contain no special characters. The only reason for this is that the field they are storing the string in doesn't allow more than 15 characters or special characters.

  2. Bumpy Cat

    Maybe not targeted ...

    Now is the ideal time to send out vast amounts of phishing spam with links to your "Linkedin" password change page. Even if you haven't even looked at the password leak yourself, you can skim passwords from people who've heard about the Linkedin security breach and gladly click on the proffered link to change their password.

  3. Lord Elpuss Silver badge
    Facepalm

    Links in email?

    I received a very phishy email this morning from LinkedIn Admin - apparently. It's well written but contains a number of shortlinks. Text of the email is below (I've subtly altered the links from the originals in case anybody feels like being suicidal and clicking them "just to see what happens"...)

    =======================================================================

    You’ve probably read by now that yesterday was not a good day for LinkedIn or millions of its users: the company has confirmed that hackers stole and released more than 6 million encrypted LinkedIn passwords in a massive security breach of the business social networking site.

    What do you need to do right away? If you have not already changed your LinkedIn password, then do it quickly - here’s how: http://read.bi/MeTrsv

    If your LinkedIn account WAS compromised, you will see at your next log-in that it has been disabled. Take these steps next, as recommended by LinkedIn: http://bit.ly/NitaTg

    Unfortunately, this week’s large-scale password theft is unlikely to be the last of its kind: cyber attacks lurk in places you'd least expect. But practicing good, preventive cyber hygiene can keep you safer. How can you be smarter and more secure while still being social?

    More:

    Other Account Security Best Practices, from LinkedIn Director Vicente Silveira: http://bit.ly/LarO9f

    ===========================================================================

    Facepalm because if you get a mail like this and click on shortlinks, you really do need a smack in the face.

  4. Anonymous Coward
    Anonymous Coward

    SHA1 with no salt is totally sodding incompetent. The people responsible for that should be taken outside and publicly flogged.

    1. Neill Mitchell

      In front of their families.

      Is that you Jeremy Clarkson? ;)

      1. Anonymous Coward
        Anonymous Coward

        Re: In front of their families.

        Hey, I didn't say shot... but really you should be publicly shamed for terrible security like this.

  5. DrXym

    Not much risk to security

    So someone managed to get a big list of hashes, so what? Unless someone somewhere has the corresponding user ids there is no further risk to account security. All you could glean from the list is X number of people use password Y, not who those people were.

    The biggest issue I see is that it suggests LinkedIn was not salting passwords and using a fast hash that facilitates dictionary attacks. Remedying these issues wouldn't stop hackers from thieving the list but it would make it far harder to figure out the plaintext for the password unless they could lay their hands on the salting algorithm at the same time.

    1. Lord Elpuss Silver badge

      Re: Not much risk to security

      The vast increase in spam coming from LinkedIn over the last two days appears to indicate that at least some of the email addresses have been decrypted. Whether they've been linked with the passwords is anybody's guess...

      1. James O'Shea

        Re: Not much risk to security

        Except that some of us (me, for instance), far from seeing an _increase_ in spam on the throw-away account I used for LinkedIn, have seen a _decrease_ in spam: exactly two spam emails, one in Korean, and one which tried to sell me a new Dell XPS laptop. Given my opinion of Dell, the Korean spam has a better chance of success; as I can't read what it's saying, not knowing Hangul, there's a chance that I might buy something from the people it advertises by accident. Dell would have to pay me before I got a Dell laptop. Actually, Dell would have to pay me a _lot_ before I'd get a Dell anything.

  6. MJI Silver badge

    Did they get the Porsche dealer?

    They normally deal with 911

  7. batfastad
    FAIL

    Cookie laws?

    A law that makes storage of passwords in plaintext (at the very least!) illegal should be seriously considered. Or force websites to state their password encryption and storage procedures on registration/signin pages.

    Not the stupid cookie warnings law that everyone will ignore anyway.

    1. Kevin Davidson
      FAIL

      Re: Cookie laws?

      My memory is hazy, but I think that websites operating in France are legally required to store passwords in plain text or reversible hash.

      1. Tom 38
        FAIL

        Re: Cookie laws?

        "reversible hash" is an oxymoron - if it is reversible, it is not a hash, it is an encryption.

        1. eulampios

          Some basic Math

          Exactly, whenever you try to define a map X^∞ -> Y^n, where the cardinality of Y is finite, you are mapping an infinite set onto a finite set, so you get a non one-to-one, hence not invertible, map.

  8. Anonymous Coward
    Anonymous Coward

    Should I change my password?

    If only the encrypted passwords were leaked, not the corresponding email addresses, then I'm not sure I should change my password. What if my password hash wasn't leaked, but then I end up changing it to one that was?!

    1. Kevin Davidson
      Black Helicopters

      Re: Should I change my password?

      I've seen it claimed that the published list is a deduped subset. It seems unlikely that the passwords were stored one place and the usernames/email addresses somewhere else with stronger protection, so assume that the hackers have a complete list of email/password tuples.

      Also, as there's no word on *how* the data got out and now LinkedIn are asking the FBI for help it looks like the hackers may still have complete freedom to download fresh copies of the passwords whenever they want. So be prepared to change your password again after the hole is finally closed.

    2. eulampios

      Re: Should I change my password?

      You can

      1) check it here using JavaScript; however, this might not be very secure - who knows whether your password is being transmitted somewhere, or whether the JavaScript code is secure

      2) you can get the 7z file from this yandex link (about 100 MB). It will be more secure to decompress it and check it all on your own. Easy when you have a POSIX environment like GNU/Linux or BSD (should be possible on Mac OS X):

      I used this bash one-line code:

      grep '0*'$(echo -n 'your_password' | sha1sum | awk '{print $1}' | cut -b6-40) combo_not.txt

      Where your_password is your password and combo_not.txt is the decompressed file with the hashes.

      If you get a line with some hash, your password has been leaked. If this hash has a bunch (4-6) of zeros in front, then it has been cracked.

      I'd be not very optimistic to assume that the hackers had no access to email addresses/logins.

      1. eulampios

        a better regexp construct

        In case the password has not been cracked, in order to cast away (very unlikely) coincidences, it is better to prepend the grep regexp with '^.{5}' and use the Perl syntax to finally have

        grep -P '^.{5}'$(echo -n 'your_password' | sha1sum | awk '{print $1}' | cut -b6-40) combo_not.txt

        At least GNU grep lets you use this syntax.

  9. Mr C
    Flame

    we still don't know if they actually fixed the leak

    Well, it doesn't say anywhere that they actually found the leak and plugged it, meaning that the infiltrator(s) might still have access to their DB.

    So, until they get around to finally salting those hashes it might be prudent to give the LinkedIn site a different password than you would give all other sites you frequent.

    Just saying this because *Obviously* all of you slackers too lazy to make up a different password for each site have now changed your passwords everywhere :P

    1. Tom 38
      Holmes

      "until they get around to finally salting those hashes"

      And how, pray, will they manage that with just the hashed password? You cannot salt an already generated hash; you require the original password in order to salt it prior to hashing.

      Therefore if your passwords are hashed but not salted, a hash can only be added at the point the user changes their password.

      So many people with opinions but no clues. Here's Sherlock, to help you find one.

      1. catphish

        Re: "until they get around to finally salting those hashes"

        "Therefore if your passwords are hashed but not salted, a hash can only be added at the point the user changes their password."

        Not totally true. You can rehash the password any time you have the plain text version which can be done the next time the user logs in. Of course, if the passwords have been leaked you should be asking them to change it when they log in anyway!

        It's probably worth brute forcing those passwords themselves and invalidating the weak ones.
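        catphish's point above, and DrXym's earlier one about salting and slow hashes, as an added Python example (not code from the thread or from LinkedIn): the plaintext is in hand at the moment a user logs in, so a legacy unsalted SHA-1 record can be verified and, on success, replaced with a per-user-salted, deliberately slow PBKDF2 record. Accounts still on a legacy record after a leak are flagged for a forced password change, which is the "ask them to change it when they log in anyway" step. The record format, the iteration count and the in-memory user table are assumptions of the example.

```python
"""Upgrade unsalted SHA-1 password records to salted PBKDF2 at login time.

Added example, not the thread's or LinkedIn's code. Assumed record formats:
  legacy:   40 hex chars, sha1(password), no salt
  upgraded: 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # example work factor; tune to your own hardware budget
SALT_BYTES = 16


def legacy_sha1(password: str) -> str:
    """The weak scheme the thread is about: unsalted, fast, rainbow-table friendly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> str:
    """Salted, slow hash: a fresh random salt per user defeats shared rainbow tables,
    and the iteration count makes each dictionary guess cost real CPU time."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy(record: str) -> bool:
    return not record.startswith("pbkdf2_sha256$")


def verify_and_upgrade(record: str, password: str) -> tuple[bool, str]:
    """Check the password against a stored record.

    Returns (ok, record_to_store). For a legacy record that verifies, the returned
    record is a new salted PBKDF2 one; the plaintext just supplied makes that possible,
    which is exactly what cannot be done offline from the hash alone.
    """
    if not is_legacy(record):
        _, iters, salt_hex, dk_hex = record.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), record
    if hmac.compare_digest(legacy_sha1(password), record.lower()):
        return True, make_record(password)
    return False, record


def login(users: dict, username: str, password: str) -> str:
    """Authenticate, persist any upgraded record, and report what happened.

    Returns 'denied', 'ok', or 'ok_must_reset'. Under a breach the last one applies to
    every account whose record was still unsalted SHA-1 when the user logged in: the
    hash in the leaked list was theirs, so verifying is not enough and a forced reset
    is needed even though the record has now been upgraded.
    """
    record = users.get(username)
    if record is None:
        # Burn comparable time for unknown users so timing does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * SALT_BYTES, PBKDF2_ITERATIONS)
        return "denied"
    was_legacy = is_legacy(record)
    ok, new_record = verify_and_upgrade(record, password)
    if not ok:
        return "denied"
    if new_record != record:
        users[username] = new_record          # persist the upgrade on the same request
    return "ok_must_reset" if was_legacy else "ok"


# Constructed sample user table in the pre-breach state: all records unsalted SHA-1.
USERS = {
    "alice": legacy_sha1("correct horse battery staple"),
    "bob": legacy_sha1("123456"),
}

if __name__ == "__main__":
    print(login(USERS, "alice", "correct horse battery staple"))  # first login: upgraded, reset required
    print(USERS["alice"][:14])                                     # now a pbkdf2_sha256$ record
    print(login(USERS, "alice", "correct horse battery staple"))  # later login: plain ok
    print(login(USERS, "bob", "wrong"))                            # denied, record untouched
```

        The iteration count is stored inside each record so it can be raised later without another migration: a record made with fewer iterations still verifies, and the same login-time trick re-derives it at the new cost.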

  10. pPPPP

    Personally, I'm quite tempted to send out some very rude emails and claim my LinkedIn account was hacked.

  11. probedb
    Holmes

    Coincidence?

    This just reminded me of two (nearly) identical bits of spam I got a couple of weeks ago, before all this kicked off. I have different emails for each site, so I know where spam likely started.

    One was to my Last.fm email and one to my LinkedIn... coincidence? I think not. It also implies that this data has been around before this was revealed?

  12. Anonymous Coward
    Anonymous Coward

    Call me confused

    But why is linkedin important?

    1. catphish

      Re: Call me confused

      LinkedIn is important because it has a large number of technical users whose passwords have been leaked with weak hashes. Keep up.

    2. Anonymous Coward
      Anonymous Coward

      Re: Call me confused

      Yes you are cornfused...

      Hacking is a crime and hackers end up in prison for being in denial. There they get to befriend other people in denial. It's a wonderful brotherhood of stupidity gathered in one place for the benefit of society.

    3. Tom 13

      Re: Call me confused

      People who care about keeping their private info private don't feel a lot of remorse for telling white lies on Facebook. LinkedIn is supposed to be a career-oriented website, including networking and looking for new jobs. White lies there are a bit more likely to get you into trouble, so the information is usually better. Of course, if you aren't on LinkedIn, it's a bit like a Windows user worrying about a Mac virus.
