Linkedin Massive Data Breach – 6.5M accounts leaked

Though “unsalted hash” sounds more like a menu item for the sodium-conscious, it’s actually a reason to change your LinkedIn password.

LinkedIn may help around five or six people a year get a new job, but mostly it’s a breeding ground for slimy recruiters and pointless networking groups. Well, now it’s become even more irritating, as an estimated 6.5 million of our passwords have been leaked online, according to The Independent.

The news comes in the wake of security concerns surrounding LinkedIn’s mobile application calendar feature. A report began circulating that LinkedIn was violating its own user privacy policy by sending detailed calendar entries to its servers. The company said on Wednesday that it was in the process of updating the app, after researchers noticed a flaw in the way the app shared potentially sensitive “meeting notes” data.

Reports are suggesting that a Russian hacker published a list of the passwords online and is reportedly “crowd-sourcing help in breaking the encryption.” LinkedIn has responded to the allegations with a number of tweets stating that the breach hasn’t been confirmed, but the team’s looking into the problems right away.

There is a possibility that this could be a hoax, but several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. Many of the hashes include “linkedin,” which seems to add credence to the claims.

Graham Cluley, a consultant with U.K. web security company Sophos, said in a blog post that investigations by Sophos researchers have confirmed that the file does contain, in part, LinkedIn passwords. It’s worth noting that the passwords are stored as unsalted SHA-1 hashes. SHA-1 is a secure algorithm, but it is not foolproof. LinkedIn could have made the passwords more secure by ‘salting’ the hashes: combining each password with an extra random value (the salt) before hashing it, so that two users with the same password end up with different hashes and a precomputed table of hashes cannot be checked against the whole list in one go. Even so, unless your password is a dictionary word, or very simple, it will take some time to crack.

According to ZDNet, Finnish security firm CERT-FI is warning that the hackers may have access to user email addresses, too, “though they appear encrypted and unreadable.”

Robert Graham has posted a web form that converts your password to its SHA-1 hash for lookup, and provides a link to the file of LinkedIn passwords that was dumped on the Internet so you can download it and see if yours is in there.

I’ve also written a Python script that does the same, but you need the password file to be in the same folder. You can get it from here.
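As an added example (not the author’s script and not Robert Graham’s form), the Python below does the lookup described above against a constructed stand-in dump of three made-up passwords, and then shows why the “unsalted” part matters: the same password hashed without a salt always gives the same digest, while salting it gives a different digest per user. It goes one step beyond the page by also showing a deliberately slow salted KDF (PBKDF2), the usual recommendation today. The sample dump, the 16-byte salt size and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed sample dump (not the real LinkedIn file): one unsalted SHA-1 hex
# digest per line, computed here from made-up passwords for illustration.
SAMPLE_PASSWORDS = ["linkedin2012", "password1", "ilovelinkedin"]
SAMPLE_DUMP = "\n".join(hashlib.sha1(p.encode("utf-8")).hexdigest()
                        for p in SAMPLE_PASSWORDS) + "\n"


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, the form the leaked list is reported to use.
    Every user with this password gets exactly the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_dump(text: str) -> set:
    """Parse a hash-per-line file into a set of lowercase hex digests."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def password_in_dump(password: str, dump: set) -> bool:
    """The lookup the author's script performs: hash the candidate password and
    test set membership. Without a salt, one hash computation answers it."""
    return sha1_hex(password) in dump


def new_salt() -> bytes:
    """A fresh random per-user salt (16 bytes is this example's assumption)."""
    return os.urandom(16)


def salted_sha1(password: str, salt: bytes) -> str:
    """Salted hashing as the article describes: mix the salt into the input
    *before* hashing. Same password + different salt => different digest, so a
    table of precomputed unsalted hashes no longer matches anything."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Beyond the page: a deliberately slow, salted KDF (PBKDF2-HMAC-SHA256),
    which makes each guess expensive as well as un-precomputable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_slow(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a recomputed PBKDF2 digest with the stored one."""
    return hmac.compare_digest(slow_hash(password, salt), stored)


if __name__ == "__main__":
    dump = load_dump(SAMPLE_DUMP)
    for pw in ["linkedin2012", "correct horse battery staple"]:
        print(f"{pw!r} in dump: {password_in_dump(pw, dump)}")

    # Two users with the same password: unsalted digests collide, salted ones don't.
    s1, s2 = new_salt(), new_salt()
    print("unsalted equal:", sha1_hex("password1") == sha1_hex("password1"))
    print("salted equal:  ", salted_sha1("password1", s1) == salted_sha1("password1", s2))
    stored = slow_hash("password1", s1)
    print("pbkdf2 verify: ", verify_slow("password1", s1, stored))
```

To run the lookup against a real hash-per-line file, pass its contents to `load_dump` once and reuse the resulting set; membership tests against a set are cheap no matter how many candidates you check.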

If you haven’t already, you should change your LinkedIn password and email login, certainly before you use this tool.

There are a few lessons from this:

  1. Never require users to use their email address as their user ID. That exposes the email address, and the user may become a victim of spam later on.
  2. A single password reused across multiple sites, combined with an email address as the user ID, is a disaster for anyone who has the same password everywhere.
  3. Do not put too much personal information on social networking sites. Taking them too seriously can lead to real problems when hacks like this happen.

And it is true… only the paranoid survive.
