
Linkedin passwords hacked


LinkedIn's Data Breach Settlement Moves Forward 02/03/2015. A federal judge has tentatively approved LinkedIn's $1.25 million settlement of a class-action lawsuit stemming from a 2012 data breach. “The settlement agreement falls within the range of possible approval as fair, reasonable, adequate, and in the best interests of the class,” U.S.

District Court Judge Edward Davila in the Northern District of California wrote in an order issued on Thursday. Davila's order only grants the deal “preliminary” approval, meaning that he could still reject the settlement after a final hearing. The settlement agreement calls for LinkedIn to pay up to $50 to some of the users who purchased premium memberships to the service. The social-networking company also promises that for the next five years, it will protect users' passwords by “salting” and “hashing” them. LinkedIn's paid users can submit a claim, but only if they declare that they read the privacy policy and were influenced by the company's statements about security.

TechWeekEurope UK - LinkedIn: Password Breach Cost Us As Much As $1m.

The LinkedIn hack and lessons learned. LinkedIn: No accounts hacked as result of stolen passwords. LinkedIn today updated its users on the stolen password fiasco that arose last week in which 6.4 million passwords were illegally obtained and posted on a Russian Web site. According to a blog post from LinkedIn’s Vicente Silveira the company has received no reports that member accounts have been breached as a result of the stolen passwords. Silveira also said that the company is working with the FBI to “aggressively pursue the perpetrators of this crime.”

“First, it’s important to know that compromised passwords were not published with corresponding email logins,” Silveira wrote. “At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords.

The only information published was the passwords themselves.” Analysis of Passwords Dumped from LinkedIn. I love taking a look at dumped passwords and analyzing them with Pipal by DigiNinja. Pipal is a great analytical program that takes a password dump and looks for patterns, including password lengths and complexities. I have always liked statistics and you can learn a lot from running passwords through Pipal. I took a quick look at Pastebin and found that Stefan Venken (@StefanVenken) had already taken almost a million and a half of the LinkedIn passwords and analyzed them with Pipal.

Here are some of the more interesting results. Password length (length ordered): from this portion of cracked passwords, on average 8 character passwords were the most commonly used. 444,338 users chose passwords that were 8 characters long. In fact, a whopping 69% of the passwords that were cracked were 8 characters, or less… 30% of the cracked passwords only used lowercase letters. Overall, only 1% of the users used passwords that were made up of mixed case letters, numbers and symbols…

LinkedIn dials 911 on password mega-leak hackers.
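The statistics quoted above (length distribution, share of passwords at or under a given length, share using only lowercase letters, character-class mix) are the kind of pattern analysis Pipal performs on a list of cracked passwords. The script below is an added example, not Pipal's code and not from the original page; it computes the same views over a small constructed sample so the percentages can be checked by hand. A defender can run it over an internal audit of cracked or policy-rejected passwords to measure how a password policy is actually being followed.

```python
from collections import Counter
from typing import Dict, FrozenSet, List

# Constructed sample of cracked passwords (made up for this example, not from the real dump).
SAMPLE_PASSWORDS: List[str] = [
    "password", "linkedin", "123456", "Summer2012", "qwerty",
    "P@ssw0rd!", "iloveyou", "letmein1", "abc123", "Welcome1",
]


def length_distribution(passwords: List[str]) -> Dict[int, int]:
    """Number of passwords per length, ordered by length (Pipal's 'length ordered' view)."""
    return dict(sorted(Counter(len(p) for p in passwords).items()))


def pct_length_at_most(passwords: List[str], n: int) -> float:
    """Percentage of passwords that are n characters or shorter."""
    return round(100.0 * sum(1 for p in passwords if len(p) <= n) / len(passwords), 1)


def char_classes(password: str) -> FrozenSet[str]:
    """Set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return frozenset(classes)


def pct_only_lowercase(passwords: List[str]) -> float:
    """Percentage of passwords built from lowercase letters alone."""
    only_lower = sum(1 for p in passwords if char_classes(p) == frozenset({"lower"}))
    return round(100.0 * only_lower / len(passwords), 1)


def class_breakdown(passwords: List[str]) -> Dict[str, float]:
    """Percentage of passwords for each combination of character classes,
    keyed by the sorted class names joined with '+'."""
    counts = Counter(char_classes(p) for p in passwords)
    total = len(passwords)
    return {"+".join(sorted(k)): round(100.0 * v / total, 1) for k, v in counts.items()}


def pct_all_four_classes(passwords: List[str]) -> float:
    """Percentage using mixed case, digits and symbols together."""
    full = frozenset({"lower", "upper", "digit", "symbol"})
    return round(100.0 * sum(1 for p in passwords if char_classes(p) == full) / len(passwords), 1)


if __name__ == "__main__":
    print("Password length (length ordered):", length_distribution(SAMPLE_PASSWORDS))
    print("8 characters or less:", pct_length_at_most(SAMPLE_PASSWORDS, 8), "%")
    print("Only lowercase:", pct_only_lowercase(SAMPLE_PASSWORDS), "%")
    print("Character-class mix:", class_breakdown(SAMPLE_PASSWORDS))
    print("Mixed case + digits + symbols:", pct_all_four_classes(SAMPLE_PASSWORDS), "%")
```

On the constructed sample, 80% of the passwords are 8 characters or shorter and 40% are lowercase-only; the real dump's figures (69% and 30%) come from the Pipal run quoted above, not from this script.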

How Charles Dickens helped crack your LinkedIn password. Kevin Young, a computer security expert who studies passwords, is nearly at a loss for words. Literally. Young and his colleagues are working to decode some 2.6 million scrambled LinkedIn passwords, part of a total of 6.1 million released earlier this week on a Russian password cracking forum. Young studies how people pick passwords and how resistant they are to cracking. The data that was released were password hashes, or cryptographic representations of passwords churned through an algorithm called SHA-1.

For example, if a person's password is "Rover" the SHA-1 hash would be "ac54ed2d6c6c938bb66c63c5d0282e9332eed72c." Converting those hashes into their original passwords is possible using decoding tools and powerful graphics processors. But the longer and more complicated the password -- using sprinklings of capital letters, numbers and symbols -- the longer and harder it is to crack.

That leaves 2.6 million uncracked hashes, which Young and some colleagues have been working to decode. Avoiding Password Breaches 101: Salt Your Hash. “Change your passwords now. Like, every password you use on every website you have ever visited.” You may have heard this advice from tech publications and mainstream rags after password leaks were discovered at LinkedIn, eHarmony and Last.fm. It is a good idea to change passwords at least a couple times a year anyway. But the problem does not lie solely with the users.

It also lies with the way companies approach password security. Since the leaks were revealed, tech pundits have been feigning outrage over LinkedIn’s subpar salting and hashing of passwords. In fact, LinkedIn did not salt passwords at all. For security gurus, this is kind of like “How to Protect Users 101.” A hash is simply a way of organizing large data sets. In simple terms, think of it like this:

User + Password --> cryptographic hash function --> unique, unrecognizable data point within a table of data points

Passwords that are hashed but not salted become susceptible to brute-force hacking techniques.

LinkedIn's security issue reveals obvious: Passwords, users always a weak link. The years change, but the stories remain the same.
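The difference between "hashed" and "hashed and salted" is easiest to see in code. The following is an added example, not from the article and not LinkedIn's implementation; the account names, passwords and wordlist are constructed. It keeps SHA-1 so that it matches the scheme the page discusses, and shows the two consequences of leaving out the salt: identical passwords produce identical hashes, and one hash-to-word table precomputed over a wordlist can be reused against every unsalted dump, whereas a random per-user salt makes every digest distinct and the table useless.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts (not real data): two users picked the same password.
ACCOUNTS: Dict[str, str] = {
    "alice": "password",
    "bob": "password",
    "carol": "correct horse battery staple",
}

# Constructed mini wordlist standing in for the dictionaries that get precomputed.
WORDLIST: List[str] = ["123456", "password", "linkedin", "qwerty", "letmein"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def hash_unsalted(password: str) -> str:
    """Plain SHA-1 of the password: the scheme behind the leaked LinkedIn file."""
    return sha1_hex(password.encode("utf-8"))


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """SHA-1 over a random per-user salt followed by the password.
    The salt is not secret; it is stored next to the digest so that
    verification can recompute the same value."""
    if salt is None:
        salt = os.urandom(16)
    return salt, sha1_hex(salt + password.encode("utf-8"))


def verify_salted(password: str, salt: bytes, digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def precomputed_table(words: List[str]) -> Dict[str, str]:
    """Hash -> word table built once; reusable against any unsalted dump."""
    return {hash_unsalted(w): w for w in words}


def table_lookup_unsalted(accounts: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Accounts whose unsalted hash is answered directly by the table."""
    found = {}
    for user, pw in accounts.items():
        digest = hash_unsalted(pw)
        if digest in table:
            found[user] = table[digest]
    return found


def table_lookup_salted(accounts: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """The same table against salted digests. The salt changes every digest,
    so a table keyed on plain SHA-1 never matches; the wordlist would have to
    be re-hashed separately for every user's salt."""
    found = {}
    for user, pw in accounts.items():
        _, digest = hash_salted(pw)
        if digest in table:
            found[user] = table[digest]
    return found


def unsalted_duplicates(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Identical passwords give identical unsalted hashes, so one recovered
    hash exposes every account in the group at once."""
    groups: Dict[str, List[str]] = {}
    for user, pw in accounts.items():
        groups.setdefault(hash_unsalted(pw), []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted, answered by table lookup:", table_lookup_unsalted(ACCOUNTS, table))
    print("salted, answered by table lookup:  ", table_lookup_salted(ACCOUNTS, table))
    print("accounts sharing one unsalted hash:", unsalted_duplicates(ACCOUNTS))
```

SHA-1 is used here only to mirror the page; a production system should store passwords with a deliberately slow, salted construction such as bcrypt, scrypt, Argon2 or PBKDF2 (`hashlib.pbkdf2_hmac` in the standard library), since a salt alone does not slow down per-user guessing.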

Passwords are a crappy defense and most of us use poor ones in exchange for ease of use. Some LinkedIn users had their passwords stolen. Phishing attacks ensued to prey on LinkedIn users. Now eHarmony has had issues. Passwords are regularly swiped from Web mail accounts. The problem: Passwords may be the most imperfect security measure around. Sure, there are encryption techniques, two-factor authentication and other enhanced security measures.

LinkedIn stated the obvious on a blog about its password issues: Our security team continues to investigate this morning’s reports of stolen passwords. LinkedIn sounds like it has a handle on the issue. The password basics are well known: That advice is obvious. In other words, passwords are imperfect.

How To Protect Your Hacked LinkedIn Account.

LinkedIn confirms it was hacked; a dating site is also affected. Check whether your LinkedIn password has been hacked. The news broke yesterday: 6.5 million LinkedIn passwords have been hacked! The culprit, who goes by dwdm, is said to be from Russia and to have also stolen 1.5 million passwords from the dating site eHarmony. The list has been published online, so it is important to change your password as soon as possible to avoid any future trouble… The LastPass site offers a handy tool if you want to know whether your account is among those that were hacked. Specialising in passwords (conveniently), it has put up a page where you can enter your LinkedIn password, which is then run through SHA-1 and compared against the list of leaked passwords.

If you have indeed been hacked, LinkedIn has taken matters in hand to make life easier for you.

'I wish I was dead': Leaked LinkedIn passwords show that not EVERYONE is in love with their job.

If it turns out that LinkedIn passwords have leaked... here's what you should do - Unscrewing Security, by Alec Muffett. Alec Muffett is a veteran security geek who believes strongly in common sense, full disclosure, defence in depth, privacy, integrity, simplicity and open source. He is an independent consultant, writer, and speaker specialising in security education. Published 12:31, 06 June 12. Rumours are circulating on the net that a database of hashes of LinkedIn passwords has been published on a Russian hacker site. I cannot confirm this but if the article referred to above is correct then there is a risk to LinkedIn users; password cracking software such as Hashcat can be brought to bear on the problem, and passwords that are derived from common words and phrases - or which are just too short - can and will be broken.

I'll write more soon, but in the meantime: Updating Your Password on LinkedIn and Other Account Security Best Practices. Our security team continues to investigate this morning’s reports of stolen passwords. At this time, we’re still unable to confirm that any security breach has occurred. You can stay informed of our progress by following us on Twitter @LinkedIn and @LinkedInNews. While our investigation continues, we thought it would be a good idea to remind our members that one of the best ways to protect your privacy and security online is to craft a strong password, to change it frequently (at least once a quarter or every few months) and to not use the same password on multiple sites.

Use this as an opportunity to review all of your account settings on LinkedIn and on other sites too. Here are some account security and privacy best practices that we recommend for our members: Changing Your Password: Creating a Strong Password: A few other account security and privacy best practices to keep in mind are: An Update on LinkedIn Member Passwords Compromised. We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.

We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts: Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases. We sincerely apologize for the inconvenience this has caused our members.

6.5 Million LinkedIn Password Hashes Leaked. Some observations on this file:

0. This is a file of SHA1 hashes of short strings (i.e. passwords).

1. There are 3,521,180 hashes that begin with 00000. I believe that these represent hashes that the hackers have already broken and they have marked them with 00000 to indicate that fact. Evidence for this is that the SHA1 hash of 'password' does not appear in the list, but the same hash with the first five characters set to 0 is.

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 is not present
000001e4c9b93f3f0682250b6cf8331b7ee68fd8 is present

Same story for 'secret':

e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 is not present
00000a1ba31ecd1ae84f75caaa474f3a663f05f4 is present

And for 'linkedin':

7728240c80b6bfd450849405e8500d6d207783b6 is not present
0000040c80b6bfd450849405e8500d6d207783b6 is present

2. 3. 4. 5. For the security novices amongst us: I had no idea how to do this so I figured out a quick python script to test it: Obligatory perl one-liner: (for people without shells) Or prompt for it: 2 years?

LinkedIn confirms 'some' passwords leaked. Computerworld - In response to widespread reports of a massive data breach at LinkedIn, the company Wednesday confirmed that passwords belonging to "some" of its members have been compromised.
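The post's python script and perl one-liner are not reproduced on this page, so the following is an added example (not the author's script) of the check it describes: hash a candidate password with SHA-1, zero its first five hex digits the way the file does, and look both forms up in the dump. The dump here is a constructed stand-in built from the three marked hashes quoted above plus one unmarked hash computed for a made-up password; a real run would load the actual file instead. This is the same check the LastPass page mentioned earlier on this page performs, and the point for a defender is that it can be done locally without the password leaving the machine.

```python
import hashlib
from typing import Dict, Set

MARK = "00000"  # prefix the post observed on 3,521,180 of the hashes in the file


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def marked(digest: str) -> str:
    """Rewrite a full SHA-1 the way the file does: first five hex digits zeroed."""
    return MARK + digest[len(MARK):]


# Constructed stand-in for the leaked file: the three marked hashes quoted in
# the post, plus one unmarked hash computed here for a made-up password.
SAMPLE_DUMP = "\n".join([
    "000001e4c9b93f3f0682250b6cf8331b7ee68fd8",  # 'password', marked
    "00000a1ba31ecd1ae84f75caaa474f3a663f05f4",  # 'secret', marked
    "0000040c80b6bfd450849405e8500d6d207783b6",  # 'linkedin', marked
    sha1_hex("sample-uncracked-passphrase"),     # constructed, unmarked
])


def load_dump(text: str) -> Set[str]:
    """One lowercase hex digest per line; blank lines ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def classify(password: str, dump: Set[str]) -> str:
    """Where a candidate password stands relative to the dump.
    A digest that naturally starts with 00000 is indistinguishable from a
    marked one under the file's convention; the full-digest check runs first
    so such a case reports 'present, unmarked'."""
    full = sha1_hex(password)
    if full in dump:
        return "present, unmarked"
    if marked(full) in dump:
        return "present, marked as cracked"
    return "absent"


def dump_stats(dump: Set[str]) -> Dict[str, int]:
    """Counts of marked and unmarked entries, the split the post reports."""
    marked_count = sum(1 for h in dump if h.startswith(MARK))
    return {"total": len(dump), "marked": marked_count, "unmarked": len(dump) - marked_count}


if __name__ == "__main__":
    import getpass
    dump = load_dump(SAMPLE_DUMP)
    print(dump_stats(dump))
    # Prompt without echo so the candidate never appears on screen or in shell history.
    candidate = getpass.getpass("Password to check (never echoed or stored): ")
    print(classify(candidate, dump))
```

To run it against the real file, replace `SAMPLE_DUMP` with the file's contents (for example `open("combo_not.txt").read()`, a hypothetical filename); the set lookup stays fast even at 6.5 million entries.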

In a carefully worded blog post, LinkedIn director Vicente Silveira said the company has confirmed that an unspecified number of hashed passwords posted publicly on a Russian hacker forum earlier this week "correspond to LinkedIn accounts." Silveira made no mention of how the passwords may have ended up on the forums but noted that LinkedIn is continuing to investigate.

"Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," Silveira said. Users of the social networking site for professionals will also receive an email from LinkedIn with instructions on how to reset their passwords.

The email will not contain any links that users will need to click on to reset their password, he noted. More than 6 million LinkedIn passwords likely stolen - Jun. 6. Researchers say a stash of what appear to be LinkedIn passwords were protected by a weak security scheme. NEW YORK (CNNMoney) -- Russian hackers released a giant list of passwords this week, and on Wednesday security researchers identified their likely source: business social networking site LinkedIn.

LinkedIn (LNKD) confirmed in a blog post late Wednesday afternoon that some of the stolen passwords correspond to LinkedIn accounts. The company did not offer any information about how the passwords were stolen or the extent of the damage, but it said it is "continuing to investigate" the matter. Dating site eHarmony also announced Wednesday that some of its users' passwords were stolen in the attack. The 6.5 million leaked passwords were posted Monday on a Russian online forum, camouflaged with a common cryptographic code called SHA-1 hash. It's a format that's considered weak if added precautions aren't taken. Countless passwords on the list contain the word "linkedin."

If LinkedIn Hasn't Fixed Its Massive Security Breach, A New Password May Not Be Enough. Change Your LinkedIn Password Right Now! Two Security Firms Say They Verified LinkedIn Breach - Digits. Change Your LinkedIn Password Immediately. Don't Worry About LinkedIn's Calendar Sync.