Slashdot Mirror
LinkedIn Password Hashes Leaked Online
jones_supa writes "A user in a Russian forum is claiming to have hacked LinkedIn to the tune of almost 6.5 million account details. The user uploaded 6,458,020 SHA-1 hashed passwords, but no usernames. Several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. The Verge spoke with Mikko Hyppönen, Chief Research Officer at F-Secure, who thinks this is a real collection. He told us he is 'guessing it's some sort of exploit on their web interface, but there's no way to know.' We will have to wait for LinkedIn to report back to be sure what exactly has happened."
An anonymous reader tipped us to related news: The LinkedIn iOS application harvests information from your calendar and transmits it to their servers unencrypted.
Haven't you always wanted to forge closer ties with the dynamic marketing and legal-arbitrage entrepreneurs at the Russian Business Network? Now, LinkedIn is proud to announce your exciting, and mandatory, chance to do just that!
This sort of vulnerability is exactly why I avoid storing passwords in hash form. I always store passwords in plain text form. It's much more secure.
Maybe I can find mine, I can't remember it!
Dark Reflection
I haven't logged into linkedin for so long, that I don't remember my password anymore.
And I blocked emails from *@linkedin.com as spam, because, well, they're basically all spam. I can't be bothered to unblock and do email based password recovery.
Could some Russian friend please look up my password for me, and reply back?
K thx bye
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I mean, seriously. This is something that has been known since, what, the time of Robert H. Morris?
What are you going to do with millions of password hashes, even without usernames none the less?
mov ah, 4ch
int 21h
If you install any app on your mobile device - especially those which thrive off of your data - don't be surprised if it's actually siphoning it off in the background. If groups like Facebook and LinkedIn simply wanted you to access the service remotely, they would just stick to HTML5. Instead, apps give them unfettered access to your contacts, calendar, location, and everything else on your personal device, regardless of platform.
Just remember, it has never been about convenience to the user, and always profitability to the provider.
Password changed and I don't use iOS. I'm all good... until next time. :P
Well, as long as the source of the leak is unknown, how do you know they cannot access your new password?
Greetings comrade,
Try the following password: 12345
Sincerely Boris
"Harvested" -- I love it!
"Bernie Madoff harvested money from his investors."
"H.I. harvested diapers from the convenience store."
"LinkedIn harvested private data from my phone."
They're doing you a favor by "harvesting". Because it's not doing anyone any good if it remains "unharvested".
the growth in cynicism and rebellion has not been without cause
As an IT/security guy reading about these seemingly constant ongoing password change requests, I can't help but think that the problem lies not only with how many special characters we're using in our passwords, or whether or not we're using our pet's name, but more so in how the infrastructures of all of these magically eutopian social networks are storing this information. Correct me if I am wrong, but haven't the majority of the recent problems that have forced us all to change our passwords, whether it is LinkedIn, World of Warcraft or whatever been due to leaks from the back-end, not poor Johnny at the keyboard giving it to Ivan the hacker (no offense to the real Ivans or Johnnys)? Kind of like having to keep replacing the car tires because the roads are made of broken glass. Its not my fault, but I have to suffer. It would seem we need to put more PCI/SOX/whatever-like standards in place to better protect and mandate how our information is stored as more and more encouragement is put in place to unzip our metaphorical zippers online.
And for the record, I am not an anonymous coward, but I forgot my password and my email isn't the same as it was 8+ years ago when I set up my slashdot account...
ignorance is bliss in this case :)
Thank you Boris, but that is my luggage combination, not my linkedin password.
Admittedly my luggage is more important to me than my linkedin account, but...
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
This would seem to raise two questions. the first is whether or not usernames can be tied to their corresponding hash. Even if they can't that's not a hugely difficult problem to overcome though.
The more serious question is how good is SHA 1 then. A database like this (a table of hashes) is what you'd expect someone could hack from a reasonably secure system (although you would have wanted to see some salting as well as hashing but either way). Having a hash of a password doesn't mean you can regenerate the password. If your password is subject to a simple dictionary attack then sure it can be regenerated, you're pretty much doomed, but you're not much more doomed than you were before. A strong password... now that's where this gets interesting. The question is whether or not there are vulnerabilities in SHA 1 that will let you regenerate good passwords (or even bad passwords that aren't dictionary attacks).
If you had a strong password, and SHA 1 is robust enough you could die of old age before anyone manages to figure it out. If SHA 1 has meaningful holes in it... well that's not so good.
Also, linkedin has 160 million users (or at least accounts) if not more than that. So their full database would be significantly larger than this. It will be interesting to know if this is a particular subset of the data (all iOS users, all android 2.3.2 users, all chrome users, that sort of thing) or something else. Purely hypothetically this could be all of the really early linked in users that haven't changed passwords since they implemented SHA 2 if they ever did for example, or it could be a particular version of the website fails.
People on twitter finding their password doesn't mean a whole lot, unless you know the password was strong and unique, and where those users are from, and when they joined linkedin.
For the moment, you can get the database here:
https://disk.yandex.net/disk/public/?hash=pCAcIfV7wxXCL/YPhObEEH5u5PKPlp%2BmuGtgOEptAS4%3D
Surely it will soon find its way into other filesharing sites and torrents, if they take it down from above.
The LinkedIn iPad app is supposedly 95% HTML5. Makes me wonder how suitable it is as a "platform" handling sensitive data.
Comment removed based on user account deletion
I don't know how LinkedIn's login APIs work, but if they use secure user/pass logins and store authentication tokens on the client side as is good practice then in theory exposing these server side generated hashes wouldn't really compromise the system. The problem is that SHA-1 has been broken :( So in theory someone could reverse these and get plaintext passwords and salts or whatever is in them.
This is one reason you don't send password hashes over the network...
i can only see ******
Can I light a sig ?
Just like Shakespeare is better when read in the original klingon, thats funnier in the original TDWTF ... the password is hunter fourty two pound... No not the octothorpe sign, pound sign!
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
LinkedIn also takes contact information from your Gmail account: http://privacylog.blogspot.com/2008/12/privacy-fail-linkedin-steals-private.html
-- I was raised on the command line, bitch
Sorry comrade,
Password file is big...
Have you tried rebooting your luggage?
Sincerely Boris
How strong strong passwords are doesn't really matter. Enough people on linkedin will have weak passwords that spammers will be queuing up to get their hands on a new "trusted" delivery mechanism for their wares.
i think a sane password policy would be
1 between 6 and 16 characters
2 case sensitive (but don't actually REQUIRE mixed case)
3 allow the full Latin-1 character set (with a limited number of excluded characters)
4 no dictionary words
5 encourage but don't require numbers and symbols
6 no reusing passwords
7 limit password changes to N a month (with further changes being done at the IT office).
but all these multi clause policies reduce the number of possible passwords (could somebody run the math on my suggestion and the most common Nazi set??)
Any person using FTFY or editing my postings agrees to a US$50.00 charge
There is no real risk of someone deriving a plain text password from a SHA1 hash (a preimage attack). There are concerns about SHA1 being vulnerable to a collision attack, but that isn't a problem for password hashing. The real concern when it comes to password hashing is speed. A fast hashing algorithm means it is easier to perform brute force searches. Of course, in order to perform a brute force or dictionary attack you need to know exactly how the hashes were generated. That means you need to know the algorithm, the salt (assuming one is used) and the number of rounds. If all you have is a list of hashes then you most likely won't accomplish anything.
Link me out
{ Actual quote: Include me out }
try { do() || do_not(); } catch (JediException err) { yoda(err); }
It is a bit shocking that LinkedIn stores a simple hash of the password. Passwords can then be discovered by using a hash dictionary. A better approach would be to generate a random seed and combine the seed with the password to generate the hash, and store the seed with the hash. Then hash dictionary attacks become impossible.
I (the submitter) also wondered, where is this Russian forum that is being talked about around the Internet.
Sign in, change passwd, sign out. Now only 6,458,019 valid hashes, and likely much less.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I can clearly see that it's hunter2.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
In cases like these, I feel like whoever is in charge of security over there needs to be held responsible for not following best practices and salting the damn password hashes. This has been security standard since PKCS #5 v2.0 -- and you know security professionals don't publish these standards just for their own health. And this is not a new fangled thing, it was finalized in 2000 12 years ago.
Failure to do so is malpractice ...
http://www.mediafire.com/?n307hutksjstow3
When checking for your password, check both for its SHA-1 hash and for the SHA-1 hash with the first five chars zeroed. Quoting:
Some observations on this file:
...
0. This is a file of SHA1 hashes of short strings (i.e. passwords).
1. There are 3,521,180 hashes that begin with 00000. I believe that these represent hashes that the hackers have already broken and they have marked them with 00000 to indicate that fact.
Evidence for this is that the SHA1 hash of 'password' does not appear in the list, but the same hash with the first five characters set to 0 is.
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 is not present
000001e4c9b93f3f0682250b6cf8331b7ee68fd8 is present
Same story for 'secret':
e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 is not present
00000a1ba31ecd1ae84f75caaa474f3a663f05f4 is present
And for 'linkedin':
7728240c80b6bfd450849405e8500d6d207783b6 is not present
0000040c80b6bfd450849405e8500d6d207783b6 is present
2. There are 2,936,840 hashes that do not start with 00000 that can be attacked with JtR.
3. The implication of #1 is that if checking for your password and you have a simple password then you need to check for the truncated hash.
4. This may well actually be from LinkedIn. Using the partial hashes (above) I find the hashes for passwords linkedin, LinkedIn, L1nked1n, l1nked1n, L1nk3d1n, l1nk3d1n, linkedinsecret, linkedinpassword,
5. The file does not contain duplicates. LinkedIn claims a user base of 161m. This file contains 6.4m unique password hashes. That's 25 users per hash. Given the large amount of password reuse and poor password choices it is not improbable that this is the complete password file. Evidence against that thesis is that password of one person that I've asked is not in the list.
And of course don't forget to store all your unique passwords that you have no hope of remembering in a plain-text file on your laptop and your smartphone, as well as on that piece of lined paper in the top drawer of your dresser.
Where are we going and why are we in a handbasket?
Just how many nails does this here cloud's coffin take ?
Legally mandated opening EULA clause:
"Your data is no longer private....".
I changed my LinkedIn password a while back (about a month ago or so) my old password shows up in the Hash not my new password.
I don't use SHA1
Pseudo-code:
PasswordHash = SHA512(MergeArray(txtPassword.GetBytes(),Salt[]))
Where Salt[] is a Cryptographic.RNG.GetBytes(32), which is stored in the DB and generated new every time the password is set.
Leakedin, Leakedin
Not trying to be an ass, but can you direct me to info about why they're sleezeballs?
I call it 'The Aristocrats'
The hash file here. I could find my password in there (after changing it). Who uses unsalted hashes? Is it 1991? https://mail.yandex.ru/disk/public/?hash=pCAcIfV7wxXCL/YPhObEEH5u5PKPlp+muGtgOEptAS4=
Nor should you.
That was my point with the blurb as to whether or not this might be a specific problem. Linkedin has been around since 2003, it's not inconceivable that they would have used SHA 1 in 2003, or in some countries for some circumstances etc.
If the hackers have great control of the site, just logging in to the site could give them access to your password _plaintext_.
So use different passwords for different sites.
Oh yeah. If you happen to use the same password on other sites. Change the passwords on the OTHER sites.
Don't bother doing that with LinkedIn. Treat the account as if the password is not a secret and cannot be a secret, until LinkedIn fixes stuff.
That's right they are hipster and emo's. Get it straight damn it! I am the barbarian because I don't us apple products. :-p
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Right, but as I say, you could be dead before they can brute force it. Depends on how strong your password is and how much computing power can be thrown at it.
It's not going to be a big shock to hackers that there are a lot of people on linkedin with passwords like 12345678 and linkedin. Without any immediately obvious way to tie passwords to accounts they're not a whole lot better off. Using a simply dictionary attack to verify that yes, there are shitty passwords isn't really making those accounts much less secure.
ya but without any easy way to tie passwords to accounts there's nothing new there. Yes, lots of accounts on web services have bad passwords, that's not news to anyone.
Please tell me if this sounds right. Hackers have your password (and probably your username). They can get into this site and any others on which you use the same password and (even similar) username. They have all your Linked-in info, therefore finding your FB username, for example, is probably pretty easy.
... it's just not practical. I personally have three distinct passwords I use:
simple: for sites I really don't care about
medium: for sites like Linked-in where it would be bothersome if it were breached but there is no credit card info etc.
strong: for sites like banking, ebay, amazon, etc. where access can cost me money.
So, you can:
1) Change your Linked-in password. The security hole may not be fixed yet so you may just be handing them your newer password. Do it anyway with a throwaway password you use just for Linked-in.
2) Change your password on every other site on which you used the same password as you did on Linked-in (but don't change your password on Linked-in to the same thing for reasons above).
Yes, I know, ideally we have a different password for every single site
Any other thoughts as to the current best course of action for those of us with Linked-in accounts?
My favorite quote doesn't fit into 120 characters. Now no one will like me.
My password, unchanged for ~10 years, is not on that list either.
I've just confirmed that the password I chose back then was still valid
as I changed it today.
And of course don't forget to store all your unique passwords that you have no hope of remembering in a plain-text file on your laptop and your smartphone, as well as on that piece of lined paper in the top drawer of your dresser.
This is either funny or sad, because probably a lot of people do exactly that. The blame belongs to the many sites with bad password policies or insecure password practices (including LinkedIn, apparently).
Here's the safer way to do it. Pick a passphrase of suitable length which you will remember, "QuintusFabiusMaximusCunctator" for example, then use that phrase to generate unique passwords by combining it with the site's web address. For instance, with LinkedIn, you'd have a password: //g"
echo -n "QuintusFabiusMaximusCunctator-www.linkedin.com" | sha512sum | xxd -r -p | tr -cd [:print:] | sed -e "s/
which yields:
dIf{0,L$VwZVId3Z2#qfow@8FVAP
which is below the paranoid level of security, but gives fairly secure unique passwords per site. If passwords must be changed occasionally, then year and month can be appended. The command can be kept (ideally without your passphrase) in a post-it note or a desktop sticky for cut&paste.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
The wonderful thing about having 6.5 million password hashes to play with is that a simple dictionary attack will probably get you a couple of million plaintext ones within hours. No need to look for weaknesses in SHA 1, just like there is no need for the cheetah to catch the gazelle at the front of the pack when there are plenty of easy pickings at the back.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
What's with all the LinkedIn bashing? I have been using it for years and have never gotten any spam from them. It's a great resource and has gotten me more than one job.
I really hate to link xkcd but they are on the money with this one.
http://xkcd.com/936/
I'm getting tired of having to have ridiculous passwords, now I'm just either ALWAYS making the first character an uppercase because it's easier, or doing quick pattern based passwords for the ultra fussy systems.
123qwe!@#QWE - that's surprisingly quick to input yet keeps those stupid systems quiet.
They can have my linked-in hash. Based on a similar pattern is should take 11945132084526 centuries to crack according to passfault.
For the lame systems that insist on bad passwords, I just generate something random in keepassX
[-- Trust the Monkey --]
I can confirm that this is not a complete list. None of the passwords I've ever used are in the list.
If you're on a *nix system like Mac or Linux, you can check against the file (after downloading and unraring) with:
echo Type password and hit enter;stty -echo; read p; echo -n "$p" |shasum |cut -c6-40 |sed 's/$/$/' |grep -f- SHA1.txt; unset p; stty echo
If there is output, your password is probably exposed.
You can verify this methodology with any of the common passwords (like "password" sans quotes). Note that this isn't perfect; if it has a hit, it might have overlapped on the first five characters. There's also no guarantee that this is a full list (which is to say, change your password even if you don't find it here).
Use my userscript to add story images to Slashdot. There's no going back.
Sure. But people with trivial passwords never had any hope of security anyway, we can discount those accounts and identities and write them off with or without this leak. It's everyone else I'd be worried about.
'most' is a strong word here. If most people have terrible passwords there was never really anything you could do to save them and their accounts, especially if they reused those passwords.
The interesting part is the ones that won't show up in rainbow tables.
Wow, the LinkedIn hacking looks a lot worse as the hours roll by. There is no indication that the security breach has been fixed yet, so logging into LinkedIn to change your password might be futile - the hackers might still be in there and now they've got your new password too.
But thats not the worst, no not by a long shot. The 6.5 million password hashes that were uploaded to the Russian hacker forum are unique - i.e. any duplicate hashes are filtered out. Assuming some users pick the same "easy" passwords, it means the 6.5 million passwords could easily be a very significant chunk of the LinkedIn user base.
And lets take that a step further - until we know any better, we have to assume that the group who hacked LinkedIn and stole those passwords got away with at least your LinkedIn username too. Which is your email address. You didn't use the same password for your email account as you did for your LinkedIn account did you? Oh wait you did.. Better go change your email password too. This list of email addresses alone is very valuable to the dark side of the internet as it's a huge list of confirmed, valid emails addresses.
Its never great to be the bearer of bad news, but what was that - yes, that was it. LinkedIn also allows you to link your profile to your social media accounts - Facebook, Twitter, your private blog, etc etc. If you used the same email address and password to log into those accounts as you did for LinkedIn, you better get moving quick to change all of those passwords too (please, please use a different password for each site this time!) as at this point we have to assume the worst and that the hackers got the details about your linked profiles too.
For some users, your credit card information may have been stored too so you could "upgrade" your LinkedIn account. Oh and your profile probably has your address on it.
Finally, this opens up LinkedIn users to massive identity theft - generally LinkedIn users have uploaded their full CVs. That might even include your birthday and for married people your maiden name. It could easily show your first high school, where you went to college, the name of your first employer, etc etc. What are all those sort of details used for? Accessing your bank account, resetting passwords via security questions, you know, proving your identity online. Ouch.
This hack has potential to be bad. Really really bad. And until we know the size of the breach we have no idea how far reaching it could ultimately end up.
I'm retired but I do have a LinkedIn account and am "connected" to a lot of people in my old profession. Several people I know got very nice jobs through LinkedIn. One got a job as Director of Global Quality for a large Chinese company (and this person is from India) and has quite a nice salary.
I'm not much for social networks, and I don't spend time on LinkedIn but I use it and I personally think it's a good tool for many professionals. I have never gotten any spam from LinkedIn or LinkedIn "members'.
You exist and are on the internet. In short, you admit to being a sleezeball....
But people with trivial passwords never had any hope of security anyway, we can discount those accounts and identities and write them off with or without this leak. It's everyone else I'd be worried about.
Gosh, aren't we elitist today! Do you really think that lots of people use super-strong passwords for LinkedIn of all sites?
The real question is how well salted the passwords are; with appropriate salting, it's still going to be awkward to crack since you won't be able to use techniques like rainbow tables. (Also, if the salt is different from that found on other sites, it is still not very much use to find a solution to what can produce the SHA-1 hash, since a different site that uses a different salt source will have different collisions; about all the attacker could count on doing is log into LinkedIn...)
"Little does he know, but there is no 'I' in 'Idiot'!"
Don't forget to protect your .bash_history!
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
Its about time they got off their asses and implemented support for OpenID.
AccountKiller
The passwords aren't salted at all, we already knew that.
And I'm not being elitist. A job seeking site is as close as you can get to taking basically everything important in someones identity shy of their social insurance/security number and bank account information, and some people have (or used to have) that info on resumes. Their work history, work contacts, education, address, contact info etc it's all there, the entire history of your professional life. I fully expect a huge portion of users to have terrible passwords. Because on every service in existence lots of people have terrible passwords. And my point is if your password is 12345678 you're not meaningfully less secure now than you were 2 days ago. Especially not without salting.
Any minimally competent man in the middle attack of any sort could have gotten the password hashes, or one could simply, on any service, try the few most common passwords on every account you can find and see what happens. This is not meaningfully worse than being able to do that.
The list had hash of my password but I've deleted my account long ago. Luckily I used a one time password that I didn't use anywhere else.
It is very likely they have the information linking the two. In your case it seems like the harm would have been limited to the Linkedin site, if you had not changed your password. They would most likely make money by hijacking your accounting and posting/messaging spammy links to your friends. But *many* people use same/similar passwords and mail id combos (evident from the password choices). They have more reason to be worried - FB, Twitter, In all hijacked!
Just goes to show does not matter how good the password if the hacker wants in there getting in
http://thetechnologygeek.org/
Orly?
simple, fast homepage with your links: http://www.ngumbi.com/
These news might explain why earlier this spring I started receiving spam to the email address I had given to LinkedIn and no one else. The format of the disposable email address was such that it could not be guessed. I have something like 100 of these disposable email addresses and the others and the others haven't leaked so I don't think the leak happened at my end. That leaves LinkedIn as the source of the leak and I was wondering if they knowingly sold out my email address that shouldn't have been public or if they got hacked. Now it seems it might have been the latter. This comment says: "I changed my LinkedIn password a while back (about a month ago or so) my old password shows up in the Hash not my new password." ( http://it.slashdot.org/comments.pl?sid=2898871&cid=40232837 ). That would fit with the idea that the breach happened some time ago, not in the past few weeks. I contacted LinkedIn and asked for an explanation but they didn't bother to answer. I'm sure they were too busy investigating the breach and informing their customers that their data has been stolen or something. Well, in the end I don't know why my email address was leaked. But I do think that they should at least have provided an explanation and an apology when I contacted them.
This is Slashdot. Anyone who runs a business on the internet is a sleazeball.