Potential leak of 6.5+ million LinkedIn password hashes
Reports originally surfaced in Norway overnight that about 6.5 million unsalted SHA-1 password hashes had been posted to a Russian site with a request for assistance in cracking them. Several highly trusted security researchers have confirmed that the hashes posted include those of passwords they use exclusively on LinkedIn. There are no usernames associated with the hashes, and a number of us have confirmed that our passwords are NOT included, but this seems serious enough to merit a recommendation that LinkedIn users change their passwords. The folks from LinkedIn have posted to Twitter that they are investigating and that further information will be forthcoming.
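The check the researchers describe (hash your own password with unsalted SHA-1 and look it up in the posted list), written for this diary as an added example rather than code from the diary or from LinkedIn. The dump it reads is constructed inline; a real check would read the posted file instead.

```python
import hashlib
from typing import Dict, Iterable, Set

HEX_DIGITS = set("0123456789abcdef")


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password as lowercase hex, the form the posted list used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1_hex(password: str, salt: str) -> str:
    """Per-user salted SHA-1. Shown only to illustrate why a plain dump lookup
    would NOT work if the site had salted: the same password hashes differently per user."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def load_hashes(lines: Iterable[str]) -> Set[str]:
    """Parse one hex hash per line into a set, normalising case and skipping junk lines."""
    hashes: Set[str] = set()
    for line in lines:
        token = line.strip().lower()
        if len(token) == 40 and set(token) <= HEX_DIGITS:
            hashes.add(token)
    return hashes


def check_passwords(passwords: Iterable[str], dump: Set[str]) -> Dict[str, bool]:
    """Map each candidate password to True if its unsalted SHA-1 appears in the dump.
    Because the hashes are unsalted, every user who chose that password shares the hash."""
    return {p: sha1_hex(p) in dump for p in passwords}


# Constructed sample dump: hashes of three made-up passwords (one in uppercase hex
# to exercise normalisation) plus a blank line and a non-hash line.
SAMPLE_DUMP_TEXT = "\n".join([
    sha1_hex("linkedin2012"),
    sha1_hex("correcthorse").upper(),
    sha1_hex("Tr0ub4dor&3"),
    "",
    "please help crack these",
])
DUMP = load_hashes(SAMPLE_DUMP_TEXT.splitlines())

if __name__ == "__main__":
    for pw, hit in check_passwords(["linkedin2012", "correcthorse", "not-in-dump"], DUMP).items():
        print(f"{pw!r}: {'FOUND in dump' if hit else 'not found'}")
```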
Update: (2012-06-06 20:00 UTC--JC) Okay, some have asked if we have recommendations. Other than change your password now and don't use the same password on multiple accounts, all we can really recommend at the moment is to wait and see. LinkedIn is reporting they see no evidence of a breach at the moment, but the investigation is still pretty early (in my opinion). Once you've changed this password (and the passwords on any other accounts where you used this one), wait for a while. Once we figure out what happened here, you'll probably need to change it again. We'll save a rehash of password policies and the secure handling of passwords within databases and applications for a future diary. In the meantime, I'm adding a few links to some other password-related diaries we've done that seem appropriate to review today.
Update 2: (2012-06-06 20:10 UTC--JC) No sooner do I do the previous update than I discover an official response from LinkedIn.
References:
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
Also see @thorsheim on Twitter.
Some previous password diaries that might be of interest:
Critical Control 11: Account Monitoring and Control
Theoretical and Practical Password Entropy
An Impromptu Lesson on Passwords
Password Rules: Change them every 25 years (or when you know the target has been compromised)
I'm sure I've missed a couple of good ones, but these are a decent place to start --JC
---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
Comments
mbrownnyc (Jun 8th 2012)
Although the company should have found the intrusion themselves, it doesn't surprise me that it was found on InsidePRO, which is the website for the group that created PasswordsPRO, which is usually regarded as one of the best free hash crackers. If you follow different websites that do get exploited into, it usually isn't until something breaks or someone steps forward that it gets pointed out. Even Symantec didn't believe they had an intrusion in 2006 until hackers years later claimed to have part of their source code.