LinkedIn password database leaked, company confirms intrusion

Rick

Posts: 4,512   +66
Staff

LinkedIn may have suffered a serious blow in terms of the security and safety of its users today. Hackers claim to have leaked over 6.5 million password hashes originating from the career-focused social networking site. Although the hash values appear to indicate LinkedIn had protected user passwords with SHA-1 hashing, the company did not salt user passwords. This could be a major issue, but more on this later.

At the time of this writing, LinkedIn has yet to confirm a security breach has taken place. The company has informed users that an investigation is under way; however, some users on Twitter are claiming they have already found their password's hash in the 265MB text file. This may not be unexpected, but some of those users also claim to have fairly long, complex passwords. Finding hashes for such unique passwords in the hash dump could act as confirmation.

Passwords hashed with SHA-1, without the aid of HMAC or salting, always produce the same hash values for the same passwords. For example, the password "linkedin" will always generate the following value: 7728240c80b6bfd450849405e8500d6d207783b6. This makes dictionary attacks far more effective than they ought to be, as password hash databases can be downloaded and computed locally.

As a result, "cracking" a common MD5 or SHA-1 password hash value may only be a Google search away. Salting, on the other hand, adds a random element which minimizes such attacks.

Interestingly, the hash value for "linkedin" isn't in the file, but if you replace the first five characters with zeros, it is. This may sound like a fluke, but the same applies not only to other common passwords (e.g. password, passw0rd, secret) but also to uncommon ones like "l1nkedin", "linkedout", "recruiter", "recru1ter" and more. The odd specificity of these passwords does help support the file's authenticity.

At 160 bits of output, attempting to programmatically invert a SHA-1 password hash is, for all intents and purposes, an intractable proposition. However, conjuring up candidate passwords and turning them into SHA-1 hash values takes but a tiny fraction of a second. Thus, generating passwords and comparing their hashes against a list of stolen hashes is a very simple method for hackers to work around hashed passwords.
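The three points the article makes above (an unsalted hash is the same for every user with that password, the dump carries hashes with their first five hex characters zeroed, and a salt breaks the one-to-one mapping) can be seen in a few lines of Python. This is an added example, not code from the article or from LinkedIn; the only value taken from the page is the quoted SHA-1 of "linkedin", and the small "dump" it checks against is constructed here from that same zero-prefix pattern rather than read from the real file.

```python
import hashlib
import os

# The SHA-1 hash of "linkedin" quoted in the article above.
LINKEDIN_PLAIN_SHA1 = "7728240c80b6bfd450849405e8500d6d207783b6"


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme the article describes: same password, same digest, every time."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def mask_prefix(hex_digest: str, n: int = 5) -> str:
    """Reproduce the form seen in the dump: the first n hex characters replaced by zeros."""
    return "0" * n + hex_digest[n:]


def appears_in_dump(password: str, dump: set) -> bool:
    """Check whether a password's unsalted SHA-1 is in a dump, in either its plain or its
    zero-prefixed form. This is the self-check the Twitter users in the article performed."""
    digest = sha1_hex(password)
    return digest in dump or mask_prefix(digest) in dump


# Constructed sample dump (not the real file): a few entries in the zero-prefixed form.
CONSTRUCTED_DUMP = {mask_prefix(sha1_hex(p)) for p in ("linkedin", "password", "recruiter")}


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Same hash function, but with a per-user random salt prepended. A precomputed table of
    sha1(word) values is useless against this, because it would have to be rebuilt per salt."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get two different stored values once salted."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return salted_sha1_hex(password, salt_a) != salted_sha1_hex(password, salt_b)


if __name__ == "__main__":
    print("sha1('linkedin') =", sha1_hex("linkedin"))
    print("as it appears in the dump:", mask_prefix(sha1_hex("linkedin")))
    print("'linkedin' in constructed dump:", appears_in_dump("linkedin", CONSTRUCTED_DUMP))
    print("salted copies differ:", salted_hashes_differ("linkedin"))
```

Note that `salted_sha1_hex` is only there to show why a salt defeats lookup tables; a single SHA-1 round, salted or not, is still far too fast for password storage.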

LinkedIn users are urged to change their passwords immediately, regardless of whether or not their account was compromised.

Update: LinkedIn confirms some accounts were compromised. Identified users will be prompted to change their passwords the next time they log on. LinkedIn also added that they have recently begun salting passwords.


 
Great...and I just joined 2 days ago. Absolutely fantastic!
now to have a look...
 
I'm worried about using the same password for sites, as long as other sites utilize random salting it won't be so bad right?
 
I'm worried about using the same password for sites, as long as other sites utilize random salting it won't be so bad right?
Horse has already bolted. If you use the same password, a dictionary attack on these hashes will give them the password then it doesn't matter if other sites salt or use SHA-512 or whatever...

Really it's just smart security to use a salt for ANY hash algorithm or symmetric or asymmetric cryptography...
 
It's incredible that LinkedIn failed to use a salt. That makes attacks 6.5 million times faster, assuming the attacker tries dictionary entries against each of the 6.5 million hashes. The difference is even worse if the attacker already has a file of SHA-1 hashes of every entry in his dictionary.

It's equally incredible that they just used SHA-1. They should have used something slower, such as iterating SHA-1 a million times, which would have made the attack slower by another factor of a million.

It's also bad that they used the actual SHA-1 algorithm rather than a slight variant, in order to prevent attackers from using existing libraries or hardware implementations of SHA-1.

This isn't rocket science. We've known these things for decades. What this really shows is that LinkedIn never bothered to hire even one person who understands computer security to review their security plans. That mistake is MUCH worse than the other mistakes. It means they simply don't care about the security of their users. Period.
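The comment above argues for two things the article's scheme lacked: a per-user salt and a slow, iterated hash so that each guess costs the attacker real time. The block below is an added example, not the commenter's code and not LinkedIn's; it uses PBKDF2-HMAC-SHA1 from Python's standard library as the standard way of "iterating SHA-1 many times", and the `pbkdf2_sha1$iterations$salt$hash` record layout is a format invented for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

SCHEME = "pbkdf2_sha1"  # record label chosen for this example, not a LinkedIn format


def make_record(password: str, iterations: int = 100_000, salt: Optional[bytes] = None) -> str:
    """Store a password as scheme$iterations$salt$hash. A fresh 16-byte salt per user means two
    users with the same password get different records; the iteration count is the work factor."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure how long one guess costs at a given iteration count (salt fixed for the timing)."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha1", b"candidate", salt, iterations)
    return (time.perf_counter() - start) / samples


def slowdown_factor(low: int = 1_000, high: int = 100_000) -> float:
    """Ratio of per-guess cost at `high` iterations to `low` iterations: the attacker's slowdown
    grows linearly with the iteration count, which is the comment's point."""
    return seconds_per_guess(high) / seconds_per_guess(low)


if __name__ == "__main__":
    rec = make_record("linkedin")
    print(rec)
    print("verify correct:", verify("linkedin", rec))
    print("verify wrong:  ", verify("linkedout", rec))
    print(f"slowdown 1k -> 100k iterations: ~{slowdown_factor():.0f}x")
```

Storing the iteration count inside each record is what lets a site raise the work factor later and rehash users on their next login, which is the kind of migration LinkedIn's update describes for salting.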
 
If you're worried just log into your account / settings using this link https://www.linkedin.com/settings/?trk=hb_acc or go to the top right hand corner and it's under your name :)

Then under your primary email address is password change and set a new one, heh presto fixed - move along :)

James

The Linked In Man
 
I just finished an IT security class, and while not claiming to be an expert, it certainly made me rethink my proposed entry into the field. Just because they didn't try any variations of SHA-1, or salting the hashes, doesn't mean they don't have security experts. Our instructor told us that even though you have all of these security measures that work, doesn't mean that the CEOs will use them. So while the breach is inexcusable, don't jump to conclusions and blame the security folks.
 
Maybe I'm ignorant here, but what good is having a password if you don't have a username/email tied to it?
 
@Guest maybe the hackers didn't release the usernames only the hashes just to show that they were indeed hacked
 
I actually have to thank Linkedin, I had been thinking about changing my passwords to something more secure, and random for each site. Now I have a password manager in place, and all the sites have secure passwords (even some sites I almost forgot before).

So thanks LinkedIn, you kicked me in the pants to finally do something about it.
 