eHarmony has confirmed that nearly 1.5 million of its users have had their passwords – or more specifically, hashed passwords – stolen by hackers. The popular match-making site may have fallen victim to the same hackers who compromised LinkedIn's password database Wednesday.
It is recommended that any user of eHarmony or LinkedIn, regardless of their account targeted or not, should change their password immediately.
Although eHarmony had the good sense to encrypt their user credentials with 160-bit SHA-1, they failed to salt those password hash values. While 160-bit encryption is theoretically an intractable hurdle for hackers to contend with, without the additional layer of obfuscation provided by salt or HMAC, SHA-1 password hashes become highly susceptible to even the most unsophisticated dictionary-based attacks. This fact holds true regardless of cipher strength for certain types of encryption standards, such as SHA-1 and MD5.
The potential danger of unsalted password hashes is made clear by simply using Google to crack common MD5 password hashes. Unfortunately, this simple method also applies to SHA-1.
Yesterday, the SHA-1 hash values for passwords like "linkedin", "l1nkedin", "linkedout" and "recruiter" were found in a 265MB password hash dump uploaded by hackers. This discovery, although not definitively, served as partial confirmation the list of nearly 6.5 million password hashes belonged to LinkedIn. LinkedIn later confirmed that some users did have their credentials stolen and reset the passwords for those accounts.
With that in mind, suggestive passwords like "eharmony" can also be found within the same file. Speculators are now theorizing that same enormous text file may also contain passwords for eHarmony and even other websites.