Potential leak of 6.5+ million LinkedIn password hashes

Published: 2012-06-06. Last Updated: 2012-06-06 20:12:49 UTC
by Jim Clausing (Version: 3)
11 comment(s)

Reports originally surfaced in Norway overnight that about 6.5 million unsalted SHA-1 password hashes had been posted to a Russian site with a request for assistance in cracking them.  Several highly trusted security researchers have confirmed that the hashes posted include those of passwords they use exclusively on LinkedIn.  There are no usernames associated with the hashes and a number of us have confirmed that our passwords are NOT included, but this seems serious enough to merit a recommendation that LinkedIn users change their passwords.  The folks from LinkedIn have posted to Twitter that they are investigating and further information will be forthcoming.

Update: (2012-06-06 20:00 UTC--JC) Okay, some have asked if we have recommendations.  Other than change your password now and don't use the same password on multiple accounts, all we can really recommend at the moment is wait and see.  LinkedIn is reporting they see no evidence of a breach at the moment, but the investigation is still pretty early (in my opinion).  Once you've changed this password (and the passwords on any other accounts where you used this one), wait for a while.  Once we figure out what happened here, you'll probably need to change it again.  We'll save a rehash of password policies and the secure handling of passwords within databases and applications for a future diary.  In the meantime, I'm adding a few links to some other password-related diaries we've done that seem appropriate to review today.

Update 2: (2012-06-06 20:10 UTC--JC) No sooner do I do the previous update than I discover an official response from LinkedIn.

References:

http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

http://thenextweb.com/socialmedia/2012/06/06/bad-day-for-linkedin-6-5-million-hashed-passwords-reportedly-leaked-change-yours-now/

Also see @thorsheim on Twitter.

Some previous password diaries that might be of interest:

Critical Control 11: Account Monitoring and Control

Theoretical and Practical Password Entropy

An Impromptu Lesson on Passwords

Password Rules: Change them every 25 years (or when you know the target has been compromised)

I'm sure I've missed a couple of good ones, but these are a decent place to start --JC

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu


Comments

You can bet the attackers have the user names to match. Why would they allow anyone who cracks the hash to have all that data? It is theirs, and no doubt worth a lot to them, and to others. This is a big one! Perhaps now someone will create a law requiring some more security when a site has a large membership. The pot of gold should be regulated as to how security is applied just as much as full disclosure rules for hacks and customer private data loss should be implemented and enforced.
When I was creating a linkedin account approx 2 years ago, my password was limited to 15 characters. They would not accept a longer password.
I like the official response, especially when they say there will be no links in the email. Hopefully word gets out about that, because you know a bunch of spammers will try and take advantage with emails with bad links. Finally, I hope LinkedIn checked carefully for Trojans on their site and other ongoing vulnerabilities.
LeakedIn app available at http://leakedin.org/ will tell you if your LinkedIn password was compromised.
The list is real and has been posted in several locations. It contains about 6.5 million SHA1 hashes and whoever started cracking them put leading zeros in front of the ones already cracked. So if you want to check, get a copy and check the last 5 to 8 parts of the hash.
You would think of all the problems today with secure information being leaked that they would have been a bit more secure and aware, rather than finding out from a Russian site.

http://mjddesign.wordpress.com
I'd be very wary of using any of the websites that claim to tell you if your password is compromised. If it wasn't before you checked it is after. :( The list is available and you can check for yourself.
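The two comments above (the one describing the leading-zero marking of already-cracked entries, and the one advising against pasting your password into a third-party checking website) together describe an offline check. As an added example that is not part of the diary or any of its comments, the script below hashes a password locally with unsalted SHA-1 and compares it against a local copy of the list, matching only on the trailing hex digits so that entries whose leading digits were overwritten with zeros still match. The sample list, the five-digit mask width and the function names are assumptions constructed for this example; the digests in the sample are real SHA-1 values of the strings "password", "abc" (with its first five digits zeroed) and the empty string.

```python
import hashlib

# Constructed sample of what a leaked list looks like: one lowercase hex
# SHA-1 per line. Entries the crackers had already recovered are marked by
# overwriting the leading hex digits with zeros, as the comment above
# describes. Line 1 is sha1("password"), line 2 is sha1("abc") with its
# first five digits zeroed, line 3 is sha1(""), line 4 is junk to be skipped.
SAMPLE_LEAK = """
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
00000e364706816aba3e25717850c26c9cd0d89d
da39a3ee5e6b4b0d3255bfef95601890afd80709
not-a-hash
"""

# Assumption for this example: the number of leading hex digits the crackers
# overwrote with zeros. Everything after them is compared as-is.
MASKED_PREFIX = 5

HEX_DIGITS = set("0123456789abcdef")


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 lowercase hex digits.

    No salt is involved, which is exactly why an unsalted leak can be
    checked directly against a locally computed digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_hash_suffixes(text: str, masked_prefix: int = MASKED_PREFIX) -> set:
    """Return the set of hash suffixes (everything after the masked prefix)
    from a list file, ignoring lines that are not 40 hex digits."""
    suffixes = set()
    for line in text.splitlines():
        h = line.strip().lower()
        if len(h) != 40 or not set(h) <= HEX_DIGITS:
            continue
        suffixes.add(h[masked_prefix:])
    return suffixes


def count_marked_cracked(text: str, masked_prefix: int = MASKED_PREFIX) -> int:
    """Count entries whose leading digits are all zeros, i.e. the ones the
    crackers had already marked as recovered."""
    zeros = "0" * masked_prefix
    return sum(
        1
        for line in text.splitlines()
        if len(line.strip()) == 40 and line.strip().lower().startswith(zeros)
    )


def password_in_leak(password: str, suffixes: set,
                     masked_prefix: int = MASKED_PREFIX) -> bool:
    """True if the password's SHA-1 suffix appears in the list. Comparing
    35 hex digits (140 bits) makes an accidental match practically impossible,
    and the password itself never leaves this machine."""
    return sha1_hex(password)[masked_prefix:] in suffixes


if __name__ == "__main__":
    suffixes = load_hash_suffixes(SAMPLE_LEAK)
    print("entries already marked cracked:", count_marked_cracked(SAMPLE_LEAK))
    for candidate in ("password", "abc", "correct horse battery staple"):
        print(f"{candidate!r}: {'FOUND' if password_in_leak(candidate, suffixes) else 'not found'}")
```

In practice the list would be read from a file with `open(...).read()` in place of `SAMPLE_LEAK`; a set of 6.5 million 35-character strings fits comfortably in memory. A hit means that exact password (not just a similar one) is in circulation and should be retired everywhere it was reused, which is the point of the diary's recommendation above.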
It seems the blackhats have been busy, if anyone is (or was) a member of last.fm (music social networking, bigger in Europe than North America I think) they might want to know that they've been done over as well: http://www.last.fm/passwordsecurity
Here's a thorough analysis I came across: http://www.bkeyes.com/blog/?p=167
@Matthew;

Although the company should have found the intrusion themselves, it doesn't surprise me that it was found on InsidePRO, which is the website for the group that created PasswordsPRO, which is usually regarded as one of the best free hash crackers. If you follow different websites that do get exploited into, it usually isn't until something breaks or someone steps forward that it gets pointed out. Even Symantec didn't believe they had an intrusion in 2006 until hackers years later claimed to have part of their source code.
