LinkedIn may have suffered a serious blow in terms of the security and safety of its users today. Hackers claim to have leaked over 6.5 million password hashes originating from the career-focused social networking site. Although the hash values appear to indicate LinkedIn had protected user passwords with SHA-1 encryption, the company did not salt user passwords. This could be a major issue, but more on this later.
At the time of this writing, LinkedIn has yet to confirm a security breach has taken place. The company has informed users that an investigation is under; however, some users on Twitter are claiming they have already found their password's hash in the 265MB text file. This may not be unexpected, but some of those users also claim to have fairly long, complex passwords. Finding hashes for such unique passwords in the hash dump could act as confirmation.
Passwords encrypted with SHA-1, without the aid of HMAC or salting, always produce the same hash values for the same passwords. For example, the password "linkedin" will always generate the following value: 7728240c80b6bfd450849405e8500d6d207783b6. This makes dictionary attacks far more effective than they ought to be, as password hash databases can be downloaded and computed locally.
As a result, "cracking" a common MD5 or SHA-1 password hash value may only be a Google search away. Salting, on the other hand, adds a random element which minimizes such attacks.
Interestingly, the hash value for "linkedin" isn't in the file, but if you replace the first five characters with zeros, it is. This may sound like a fluke, but the same applies not only to other common passwords (i.e. password, passw0rd, secret) but for uncommon ones like "l1nkedin", "linkedout", "recruiter", "recru1ter" and more. The odd specificity of these passwords does help support the file's authenticity.
At 160-bit cypher strength, attempting to programmatically decrypt a SHA-1 password hash is, for all intents and purposes, an intractable proposition. However, conjuring up a random passwords and turning them into SHA-1 hash values takes but a tiny fraction of a second. Thus, creating passwords and comparing their hashes against a list of stolen passwords is a very simple method for hackers to work around encrypted passwords.
LinkedIn users are urged to change their passwords immediately, regardless of whether or not their account was compromised.
Update: LinkedIn confirms some accounts were compromised. Identified users will be prompted to change their passwords then next time they log on. LinkedIn also added that they have recently begun salting passwords.