Slashdot Mirror


LinkedIn Password Hashes Leaked Online

jones_supa writes "A user in a Russian forum is claiming to have hacked LinkedIn to the tune of almost 6.5 million account details. The user uploaded 6,458,020 SHA-1 hashed passwords, but no usernames. Several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. The Verge spoke with Mikko Hyppönen, Chief Research Officer at F-Secure, who thinks this is a real collection. He told us he is 'guessing it's some sort of exploit on their web interface, but there's no way to know.' We will have to wait for LinkedIn to report back to be sure what exactly has happened." An anonymous reader tipped us to related news: The LinkedIn iOS application harvests information from your calendar and transmits it to their servers unencrypted.

24 of 271 comments

  1. It's not an exploit, it's a feature! by fuzzyfuzzyfungus · · Score: 5, Funny

    Haven't you always wanted to forge closer ties with the dynamic marketing and legal-arbitrage entrepreneurs at the Russian Business Network? Now, LinkedIn is proud to announce your exciting, and mandatory, chance to do just that!

    1. Re:It's not an exploit, it's a feature! by SternisheFan · · Score: 5, Interesting

      I applied for a job earlier this year, and the pool company rejected my 'text format' resume, insisting on a resume submitted via Linked In. The last thing I wanted to do was have to join some social network just to get a job. I lived 10 minutes away from the home office of the job and offered to meet to interview and hand them a hard copy resume. No dice, it had to be done by this Linked In. Now, after reading this news, I know it was the right decision. This internet sure has gotten wacky.

    2. Re:It's not an exploit, it's a feature! by Relayman · · Score: 4, Interesting

      Ironically, LinkedIn could have put you in contact with someone who could have bypassed HR altogether. That's what networking is all about. It's a tool, and if you insist on using a hammer instead of a screwdriver, good luck to you.

      --
      If I used a sig over again, would anyone notice?

  2. Plain text by Anonymous Coward · · Score: 5, Funny

    This sort of vulnerability is exactly why I avoid storing passwords in hash form. I always store passwords in plain text form. It's much more secure.

    1. Re:Plain text by fuzzyfuzzyfungus · · Score: 4, Funny

      This sort of vulnerability is exactly why I avoid storing passwords in hash form. I always store passwords in plain text form. It's much more secure.

      Y'know what fools the black-hats every time? Store the passwords in plaintext; but require all users to create a password consisting of exactly 64 hexadecimal characters... Even better, we all know that users hate security, so more user hatred = more secure. And this system is Super Secure.

    2. Re:Plain text by vlm · · Score: 4, Funny

      Won't work, local policy prevents repeated numbers, and letters must be a mix of upper and lower case, and no sequential numbers. (I only wish I were kidding)

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

    3. Re:Plain text by NatasRevol · · Score: 4, Interesting

      --
      There are two types of people in the world: Those who crave closure

    4. Re:Plain text by RCL · · Score: 4, Funny

      That's nothing: this is the real ubersecure requirement.

    5. Re:Plain text by DriedClexler · · Score: 4, Informative

      Considering that LinkedIn was storing the passwords unsalted, it's really not much better than plaintext.

      The only question at this point is whether their "security" team suffers from mild, or severe learning disabilities.

      --
      Information theory is life. The rest is just the KL divergence.

  3. Good! by OakDragon · · Score: 5, Funny

    Maybe I can find mine, I can't remember it!

  4. Colour me surprised! by rogueippacket · · Score: 5, Interesting

    If you install any app on your mobile device - especially those which thrive off of your data - don't be surprised if it's actually siphoning it off in the background. If groups like Facebook and LinkedIn simply wanted you to access the service remotely, they would just stick to HTML5. Instead, apps give them unfettered access to your contacts, calendar, location, and everything else on your personal device, regardless of platform.

    Just remember, it has never been about convenience to the user, and always profitability to the provider.

    1. Re:Colour me surprised! by fuzzyfuzzyfungus · · Score: 4, Insightful

      The surprising thing is not that Social 2.0 Mobile Enterprise BuzzCloud App-centric bullshit is shoving everything that it can get its sticky little fingers on to every 3rd party with questionable security and a dire privacy policy that it can find; but that they seem to be so incompetent at it.

      Exfiltrating the data in the clear is certainly easy enough (luckily 'mobile' frequently means 'even if I were competent enough, my crypto-crippled appliance wouldn't let me control outbound traffic anyway') but it makes it likely that, sooner or later, somebody is going to sniff some packets at their router and we'll get a little story about exactly how much exfiltration your ghastly little app is doing.

      It's like corruption. Even when everybody knows that it is happening, it is still considered crass to get caught with your hand in the cookie jar. You are supposed to pretend to care.

  5. Re:Could someone please look up my password for me by Anonymous Coward · · Score: 5, Funny

    Greetings comrade,
    Try the following password: 12345
    Sincerely Boris

  6. Re:So what? by DocSavage64109 · · Score: 5, Insightful

    If he has the password hash, then he most likely also has the username. He just didn't share them with the rest of the world and is likely trying to sell them.

  7. A New Euphemism! by Rob Riggs · · Score: 5, Funny

    "Harvested" -- I love it!

    "Bernie Madoff harvested money from his investors."

    "H.I. harvested diapers from the convenience store."

    "LinkedIn harvested private data from my phone."

    They're doing you a favor by "harvesting". Because it's not doing anyone any good if it remains "unharvested".

    --
    the growth in cynicism and rebellion has not been without cause

  8. broken glass all over the road by Anonymous Coward · · Score: 5, Insightful

    As an IT/security guy reading about these seemingly constant ongoing password change requests, I can't help but think that the problem lies not only with how many special characters we're using in our passwords, or whether or not we're using our pet's name, but more so in how the infrastructures of all of these magically utopian social networks are storing this information. Correct me if I am wrong, but haven't the majority of the recent problems that have forced us all to change our passwords, whether it is LinkedIn, World of Warcraft or whatever, been due to leaks from the back-end, not poor Johnny at the keyboard giving it to Ivan the hacker (no offense to the real Ivans or Johnnys)? Kind of like having to keep replacing the car tires because the roads are made of broken glass. It's not my fault, but I have to suffer. It would seem we need to put more PCI/SOX/whatever-like standards in place to better protect and mandate how our information is stored as more and more encouragement is put in place to unzip our metaphorical zippers online.

    And for the record, I am not an anonymous coward, but I forgot my password and my email isn't the same as it was 8+ years ago when I set up my slashdot account...

    ignorance is bliss in this case :)

    1. Re:broken glass all over the road by fuzzyfuzzyfungus · · Score: 4, Insightful

      Are you suggesting that power should be accompanied by responsibility?

      Why do you hate America, you godless communist?

  9. Re:Could someone please look up my password for me by vlm · · Score: 4, Funny

    Thank you Boris, but that is my luggage combination, not my linkedin password.
    Admittedly my luggage is more important to me than my linkedin account, but...

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

  10. So the real question is how secure is SHA 1 then by Sir_Sri · · Score: 4, Interesting

    This would seem to raise two questions. The first is whether or not usernames can be tied to their corresponding hash. Even if they can't, that's not a hugely difficult problem to overcome, though.

    The more serious question is how good is SHA 1 then. A database like this (a table of hashes) is what you'd expect someone could hack from a reasonably secure system (although you would have wanted to see some salting as well as hashing but either way). Having a hash of a password doesn't mean you can regenerate the password. If your password is subject to a simple dictionary attack then sure it can be regenerated, you're pretty much doomed, but you're not much more doomed than you were before. A strong password... now that's where this gets interesting. The question is whether or not there are vulnerabilities in SHA 1 that will let you regenerate good passwords (or even bad passwords that aren't dictionary attacks).

    If you had a strong password, and SHA 1 is robust enough you could die of old age before anyone manages to figure it out. If SHA 1 has meaningful holes in it... well that's not so good.

    Also, LinkedIn has 160 million users (or at least accounts) if not more than that. So their full database would be significantly larger than this. It will be interesting to know if this is a particular subset of the data (all iOS users, all android 2.3.2 users, all chrome users, that sort of thing) or something else. Purely hypothetically this could be all of the really early LinkedIn users that haven't changed passwords since they implemented SHA 2 if they ever did for example, or it could be a particular version of the website fails.

    People on twitter finding their password doesn't mean a whole lot, unless you know the password was strong and unique, and where those users are from, and when they joined LinkedIn.

  11. Re:So what? by cryptizard · · Score: 5, Insightful

    People use these kinds of leaks to generate statistically sorted dictionary files for password breaking. The most commonly used (in the real world, as evidenced by these leaked databases) passwords are put at the front so you try all the more likely ones before moving on to the random guessing.

  12. Re:Could someone please look up my password for me by Rude Turnip · · Score: 5, Funny

    I can clearly see that it's hunter2.

  13. Hashes list link by xded · · Score: 5, Informative

    http://www.mediafire.com/?n307hutksjstow3

    When checking for your password, check both for its SHA-1 hash and for the SHA-1 hash with the first five chars zeroed. Quoting:

    Some observations on this file:

    0. This is a file of SHA1 hashes of short strings (i.e. passwords).

    1. There are 3,521,180 hashes that begin with 00000. I believe that these represent hashes that the hackers have already broken and they have marked them with 00000 to indicate that fact.

    Evidence for this is that the SHA1 hash of 'password' does not appear in the list, but the same hash with the first five characters set to 0 is.

    5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 is not present
    000001e4c9b93f3f0682250b6cf8331b7ee68fd8 is present

    Same story for 'secret':

    e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 is not present
    00000a1ba31ecd1ae84f75caaa474f3a663f05f4 is present

    And for 'linkedin':

    7728240c80b6bfd450849405e8500d6d207783b6 is not present
    0000040c80b6bfd450849405e8500d6d207783b6 is present

    2. There are 2,936,840 hashes that do not start with 00000 that can be attacked with JtR.

    3. The implication of #1 is that if you are checking for your password and you have a simple password, then you need to check for the truncated hash.

    4. This may well actually be from LinkedIn. Using the partial hashes (above) I find the hashes for passwords linkedin, LinkedIn, L1nked1n, l1nked1n, L1nk3d1n, l1nk3d1n, linkedinsecret, linkedinpassword, ...

    5. The file does not contain duplicates. LinkedIn claims a user base of 161m. This file contains 6.4m unique password hashes. That's 25 users per hash. Given the large amount of password reuse and poor password choices it is not improbable that this is the complete password file. Evidence against that thesis is that the password of one person that I've asked is not in the list.
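    An added checker for the file format described above (example code written for this mirror, not from the post or the analysis it quotes): it computes the unsalted SHA-1 of a candidate, zeroes the first five hex characters the way the leak marks cracked hashes, and looks up both forms. The leak sample is constructed from the three masked hashes quoted above plus one unmasked entry for a constructed passphrase; the file URL itself is not used.

```python
import hashlib

MASK_LEN = 5  # the leak zeroes the first five hex characters of a cracked hash

# Constructed sample in the leaked file's format: the three masked hashes quoted
# above ('password', 'secret', 'linkedin') plus one unmasked entry for a
# constructed passphrase that nobody has cracked yet.
SAMPLE_LEAK = "\n".join([
    "000001e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "00000a1ba31ecd1ae84f75caaa474f3a663f05f4",
    "0000040c80b6bfd450849405e8500d6d207783b6",
    hashlib.sha1(b"constructed-uncracked-passphrase").hexdigest(),
])


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, exactly as the leak stores it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def masked(hexdigest: str) -> str:
    """The 'already cracked' form: first MASK_LEN hex chars replaced by zeros."""
    return "0" * MASK_LEN + hexdigest[MASK_LEN:]


def load_leak(text: str) -> set:
    """One hex hash per line; a set makes each lookup O(1)."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def check_password(password: str, leak: set) -> str:
    """'cracked' if the zeroed form is listed, 'present' if the full hash is,
    'absent' otherwise. Because there is no salt, one hash identifies every
    account that chose this password, which is why a single lookup suffices."""
    digest = sha1_hex(password)
    if masked(digest) in leak:
        return "cracked"
    if digest in leak:
        return "present"
    return "absent"


def audit(passwords, leak: set) -> dict:
    """Count outcomes over a list of candidates, e.g. for a forced-reset review."""
    counts = {"cracked": 0, "present": 0, "absent": 0}
    for pw in passwords:
        counts[check_password(pw, leak)] += 1
    return counts
```

    With `leak = load_leak(SAMPLE_LEAK)`, `check_password("password", leak)` returns "cracked" even though the full hash 5baa61e4... is not in the list, which is the point of checking both forms.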

  14. These are not current password hashes by Jadeinfosy · · Score: 5, Informative

    I changed my LinkedIn password a while back (about a month ago or so); my old password shows up in the hash list, not my new password.

  15. Re:So what? by Diomidis Spinellis · · Score: 4, Informative

    I've occasionally daydreamed a fun academic paper would be to collect sets of password hashes, rub them up against a rainbow table, and make graphs and correlations and wild assumptions about the correlation coeff of IQ and rate of easily cracked pwd vs site etc etc. Sounds like fun so it's probably been done before.

    Yes, it's been done on 70 million passwords. See http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf