SANS ISC: Potential leak of 6.5+ million LinkedIn password hashes - SANS Internet Storm Center SANS ISC InfoSec Forums

Potential leak of 6.5+ million LinkedIn password hashes

Reports originally surfaced in Norway overnight that about 6.5 million unsalted SHA-1 password hashes had been posted to a Russian site with a request for assistance in cracking them.  Several highly trusted security researchers have confirmed that the hashes posted include those of passwords they use exclusively on LinkedIn.  There are no usernames associated with the hashes and a number of us have confirmed that our passwords are NOT included, but this seems serious enough to merit a recommendation that LinkedIn users change their passwords.  The folks from LinkedIn have posted to Twitter that they are investigating and further information will be forthcoming.

References:

http://thenextweb.com/socialmedia/2012/06/06/bad-day-for-linkedin-6-5-million-hashed-passwords-reportedly-leaked-change-yours-now/

Also see @thorsheim on Twitter.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Jim

402 Posts
ISC Handler
You can bet the attackers have the user names to match. Why would they allow anyone who cracks the hash to have all that data? It is theirs, and no doubt worth a lot to them, and to others. This is a big one! Perhaps now someone will create a law requiring some more security when a site has a large membership. The pot of gold should be regulated as to how security is applied just as much as full disclosure rules for hacks and customer private data loss should be implemented and enforced.
Al of Your Data Center

80 Posts
When I was creating a linkedin account approx 2 years ago, my password was limited to 15 characters. They would not accept a longer password.
Al of Your Data Center
2 Posts
I like the official response, especially when they say there will be no links in the email. Hopefully word gets out about that, because you know a bunch of spammers will try and take advantage with emails with bad links. Finally, I hope LinkedIn checked carefully for Trojans on their site and other ongoing vulnerabilities.
Al of Your Data Center
20 Posts
LeakedIn app available at http://leakedin.org/ will tell you if your LinkedIn password was compromised.
Dean

135 Posts
The list is real and has been posted in several locations. It contains about 6.5 million SHA1 hashes and whoever started cracking them put leading zeros in front of the ones already cracked. So if you want to check, get a copy and check the last 5 to 8 parts of the hash.
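The check described in the comment above, as an added example that is not part of the original thread: hash the candidate password with unsalted SHA-1 exactly as the leaked list stored it, then compare only the trailing hex characters, since entries already cracked had their leading characters overwritten with zeros. The dump lines and passwords here are constructed, and the assumption that exactly 5 leading hex digits were zeroed follows the reports of the day; the comparison runs entirely on a local copy of the list, so nothing is submitted to a third-party site.

```python
import hashlib

# Assumption: the cracker replaced the first 5 hex digits of each cracked entry with zeros.
ZEROED_PREFIX = 5


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, hex-encoded, as the leaked list stored it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_dump(lines):
    """Index dump entries by their trailing hex characters, which were never zeroed."""
    index = {}
    for line in lines:
        h = line.strip().lower()
        if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
            continue  # skip malformed or non-hash lines
        index[h[ZEROED_PREFIX:]] = h
    return index


def check_password(password: str, index) -> str:
    """Return 'absent', 'present' (intact hash) or 'present-cracked' (prefix zeroed)."""
    full = sha1_hex(password)
    entry = index.get(full[ZEROED_PREFIX:])
    if entry is None:
        return "absent"
    if entry == full:
        return "present"
    if entry.startswith("0" * ZEROED_PREFIX):
        return "present-cracked"
    return "absent"  # same suffix but a different, un-zeroed prefix: a different hash


# Constructed sample of what the list looks like: one intact entry, one cracked entry
# with its prefix zeroed, and a junk line that a real file might contain.
SAMPLE_DUMP = [
    sha1_hex("correcthorse"),
    "0" * ZEROED_PREFIX + sha1_hex("password123")[ZEROED_PREFIX:],
    "not a hash line",
]
INDEX = load_dump(SAMPLE_DUMP)

if __name__ == "__main__":
    for candidate in ("password123", "correcthorse", "some-other-passphrase"):
        print(candidate, "->", check_password(candidate, INDEX))
```

Against a real copy of the list, replace SAMPLE_DUMP with the file's lines; an entry whose genuine hash happens to begin with zeros is indistinguishable from a cracked one, so treat any "present" result as a reason to change the password.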
Dean
1 Posts
You would think of all the problems today with secure information being leaked that they would have been a bit more secure and aware, rather than finding out from a Russian site.

http://mjddesign.wordpress.com
Matthew

15 Posts
I'd be very wary of using any of the websites that claim to tell you if your password is compromised. If it wasn't before you checked it is after. :( The list is available and you can check for yourself.
Jim

402 Posts
ISC Handler
It seems the blackhats have been busy, if anyone is (or was) a member of last.fm (music social networking, bigger in Europe than North America I think) they might want to know that they've been done over as well: http://www.last.fm/passwordsecurity
Alex

19 Posts
Here's a thorough analysis I came across: http://www.bkeyes.com/blog/?p=167
mbrownnyc

19 Posts
@Matthew;

Although the company should have found the intrusion themselves, it doesn't surprise me that it was found on InsidePRO, which is the website for the group that created PasswordsPRO, which is usually regarded as one of the best free hash crackers. If you follow different websites that do get exploited into, it usually isn't until something breaks or someone steps forward that it gets pointed out. Even Symantec didn't believe they had an intrusion in 2006 until hackers years later claimed to have part of their source code.
mbrownnyc
2 Posts
When I salt+hash a password, where should I store the salt? Can it be in the next column over from the hash digest? Or does salt need to be stored in a separate table or DB? I’m having trouble getting a consistent answer on this. Even OWASP’s documentation is contradictory… one doc says I can store the salt right next to digest, while another doc says to store salt somewhere else.
mbrownnyc
1 Posts