Reports originally surfaced in Norway overnight that about 6.5 million unsalted SHA-1 password hashes had been posted to a Russian site with a request for assistance in cracking them. Several highly trusted security researchers have confirmed that the hashes posted include those of passwords they use exclusively on LinkedIn. There are no usernames associated with the hashes, and a number of us have confirmed that our passwords are NOT included, but this seems serious enough to merit a recommendation that LinkedIn users change their passwords. The folks from LinkedIn have posted to Twitter that they are investigating and further information will be forthcoming. References: also see @thorsheim on Twitter.
Jim 419 Posts ISC Handler Jun 6th 2012
You can bet the attackers have the user names to match. Why would they allow anyone who cracks the hash to have all that data? It is theirs, and no doubt worth a lot to them, and to others. This is a big one! Perhaps now someone will create a law requiring some more security when a site has a large membership. The pot of gold should be regulated as to how security is applied just as much as full disclosure rules for hacks and customer private data loss should be implemented and enforced.
Al of Your Data Center 80 Posts
Jun 6th 2012
When I was creating a LinkedIn account approx 2 years ago, my password was limited to 15 characters. They would not accept a longer password.
Al of Your Data Center 2 Posts
Jun 7th 2012
I like the official response, especially when they say there will be no links in the email. Hopefully word gets out about that, because you know a bunch of spammers will try and take advantage with emails with bad links. Finally, I hope LinkedIn checked carefully for Trojans on their site and other ongoing vulnerabilities.
Al of Your Data Center 20 Posts
Jun 7th 2012
LeakedIn app available at http://leakedin.org/ will tell you if your LinkedIn password was compromised.
Dean 135 Posts
Jun 7th 2012
The list is real and has been posted in several locations. It contains about 6.5 million SHA1 hashes and whoever started cracking them put leading zeros in front of the ones already cracked. So if you want to check, get a copy and check the last 5 to 8 parts of the hash.
Dean 1 Posts
Jun 7th 2012
You would think, with all the problems today with secure information being leaked, that they would have been a bit more secure and aware, rather than finding out from a Russian site.
http://mjddesign.wordpress.com
Matthew 15 Posts
Jun 7th 2012
I'd be very wary of using any of the websites that claim to tell you if your password is compromised. If it wasn't before you checked it is after. :( The list is available and you can check for yourself.
Jim 419 Posts ISC Handler
Jun 7th 2012
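Checking a password against the list offline, as the two posts above suggest, takes only a few lines. The following is an added example (my code, not from the thread or from any of the linked sites). It assumes the dump is a text file with one hex SHA-1 per line and, as described above, that entries someone had already cracked have their first five hex digits overwritten with zeros, so it matches on the last 35 hex digits rather than the whole value. The file path, function names and the sample lines are constructed; the sample is not real leaked data.

```python
import getpass
import hashlib
import re
import sys

# The thread says whoever started cracking the dump overwrote the first five
# hex digits of every already-cracked hash with zeros, so only the remaining
# 35 hex digits (140 bits) of a leaked line can be relied on for matching.
ZEROED_PREFIX = "00000"
SUFFIX_LEN = 40 - len(ZEROED_PREFIX)
HEX40 = re.compile(r"^[0-9a-f]{40}$")


def sha1_hex(password):
    """Unsalted SHA-1 of the password, the scheme the dump is reported to use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_leak(lines):
    """Index leaked hashes by their 35-hex-digit suffix.

    Anything that is not exactly 40 hex digits is skipped. Intact and
    zero-prefixed entries land in the same bucket, so a password is found
    whether or not somebody had already cracked that particular hash.
    """
    index = {}
    for raw in lines:
        h = raw.strip().lower()
        if not HEX40.match(h):
            continue
        index.setdefault(h[-SUFFIX_LEN:], []).append(h)
    return index


def check_password(password, index):
    """Classify a password as 'not_in_leak', 'in_leak' or 'in_leak_cracked'.

    'in_leak_cracked' means the matching line carries the zeroed prefix, i.e.
    the crackers had already recovered it. (If the real hash itself begins
    with 00000 the two cases cannot be told apart; it is reported as 'in_leak'.)
    """
    h = sha1_hex(password)
    candidates = index.get(h[-SUFFIX_LEN:], [])
    if h in candidates:
        return "in_leak"
    if any(c.startswith(ZEROED_PREFIX) for c in candidates):
        return "in_leak_cracked"
    return "not_in_leak"


# Constructed stand-in for a few lines of the dump (not real leaked data):
# one entry the crackers had already solved (prefix zeroed), two intact
# entries, and a junk line of the kind a real file also contains.
SAMPLE_LEAK = [
    ZEROED_PREFIX + sha1_hex("password")[len(ZEROED_PREFIX):],
    sha1_hex("correct horse battery staple"),
    sha1_hex("Tr0ub4dor&3"),
    "this line is not a hash",
]


if __name__ == "__main__":
    # Usage: python check_leak.py /path/to/hash_list.txt   (path is an assumption).
    # The password is read with getpass so it never lands in shell history or
    # in a web form; nothing here leaves the machine.
    with open(sys.argv[1], encoding="ascii", errors="ignore") as fh:
        leak_index = load_leak(fh)
    print(check_password(getpass.getpass("Password to check: "), leak_index))
```

Matching on the full 35-digit suffix keeps the chance of a false match negligible, so the handful of trailing characters mentioned above is fine for eyeballing one entry but the whole suffix is what an automated check should use. The index for a 6.5 million line file fits comfortably in memory on an ordinary workstation, and because the hash is computed locally there is no need to hand the password to a third-party site.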
It seems the blackhats have been busy, if anyone is (or was) a member of last.fm (music social networking, bigger in Europe than North America I think) they might want to know that they've been done over as well: http://www.last.fm/passwordsecurity
Alex 19 Posts
Jun 7th 2012
Here's a thorough analysis I came across: http://www.bkeyes.com/blog/?p=167
mbrownnyc 19 Posts
Jun 8th 2012
@Matthew: Although the company should have found the intrusion themselves, it doesn't surprise me that it was found on InsidePRO, which is the website for the group that created PasswordsPRO, which is usually regarded as one of the best free hash crackers. If you follow different websites that do get exploited into, it usually isn't until something breaks or someone steps forward that it gets pointed out. Even Symantec didn't believe they had an intrusion in 2006 until hackers years later claimed to have part of their source code.
mbrownnyc 2 Posts
Jun 8th 2012
When I salt+hash a password, where should I store the salt? Can it be in the next column over from the hash digest? Or does the salt need to be stored in a separate table or DB? I'm having trouble getting a consistent answer on this. Even OWASP's documentation is contradictory: one doc says I can store the salt right next to the digest, while another doc says to store the salt somewhere else.
mbrownnyc 1 Posts
Jun 14th 2012
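The question above asks where the salt goes. As an added example (my code, not from the thread and not OWASP's), here is the layout the common password-hash formats (bcrypt, PBKDF2, scrypt, Argon2 encoded strings) all use: a fresh random salt per password, written into the same field as the digest together with the algorithm name and cost, so the record is self-contained and can be verified and later upgraded from that one column. The salt does not need to be hidden; it only has to be unique and unpredictable. A value that must be kept out of the database is a pepper, a separate secret key, which is a different mechanism. The iteration count, the `users` dict standing in for a table and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: pick a cost that costs a few hundred ms on your servers
SALT_BYTES = 16        # 128-bit random salt per password


def unsalted_sha1(password):
    """The scheme the leaked list is reported to use: two users with the same
    password get the same hash, so one lookup or one crack covers both."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return one self-describing string: algorithm$iterations$salt$digest.

    A fresh random salt is drawn per call and written into the same string as
    the digest. The salt is not a secret; it exists so that equal passwords
    produce different records and every record must be attacked separately.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(stored):
    """Split a stored record into (iterations, salt, digest), or None if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password, stored):
    """Recompute with the salt and cost read back from the record itself."""
    parsed = parse_record(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the record was made with a lower cost than the current setting,
    so it should be re-hashed on the next successful login."""
    parsed = parse_record(stored)
    return parsed is None or parsed[0] < iterations


# Constructed stand-in for a users table: one row per user, and the whole
# record (salt included) lives in the password_hash column. No separate
# table or secret store is involved.
def create_user(table, username, password):
    table[username] = {"password_hash": hash_password(password)}


def login(table, username, password):
    row = table.get(username)
    if row is None:
        return False
    if not verify_password(password, row["password_hash"]):
        return False
    if needs_rehash(row["password_hash"]):        # transparent cost upgrade
        row["password_hash"] = hash_password(password)
    return True
```

The contrast with the leaked list is the point: `unsalted_sha1("hunter2")` is the same value for every user who chose that password, so cracking it once or looking it up once covers all of them, whereas two calls to `hash_password("hunter2")` give two different records that each have to be attacked on their own, at the cost set by the iteration count stored in the record.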