LinkedIn passwords hacked
LinkedIn’s password breach costs the firm a lot, but company claims damage was not significant
LinkedIn has confirmed the password theft that rocked the social networking company cost it between $500,000 and $1 million. In June, 6.5 million passwords were stolen and published online. Although protected with SHA-1 hashes, there was no salting, meaning the hackers were able to crack some of the login details.
LinkedIn today updated its users on the stolen password fiasco that arose last week in which 6.4 million passwords were illegally obtained and posted on a Russian Web site. According to a blog post from LinkedIn’s Vicente Silveira, the company has received no reports that member accounts have been breached as a result of the stolen passwords. Silveira also said that the company is working with the FBI to “aggressively pursue the perpetrators of this crime.” “First, it’s important to know that compromised passwords were not published with corresponding email logins,” Silveira wrote. “At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords.”
I love taking a look at dumped passwords and analyzing them with Pipal by DigiNinja. Pipal is a great analytical program that takes a password dump and looks for patterns, including password lengths and complexities. I have always liked statistics and you can learn a lot from running passwords through Pipal. I took a quick look at Pastebin and found that Stefan Venken (@StefanVenken) had already taken almost a million and a half of the LinkedIn passwords and analyzed them with Pipal.
LinkedIn has turned to the FBI for help after 6.5 million of its users' passwords were dumped online by hackers. The business network said "a small subset" of the hashed data had been deduced and revealed, but the rest is "hard to decode". Security biz Sophos estimated that as much as 60 per cent of the leaked list had been cracked. It is relatively trivial to work out the original passwords from the unsalted SHA-1 hashes, and LinkedIn has tacitly reiterated that it is upping its database security by sprinkling in some cryptographic salt. The social network for suits is still silent on what other information the hackers may have lifted. It gave a somewhat slippery statement to the effect that punters' email addresses have not been revealed - as far as it knows - which doesn't answer the question of whether or not that information was stolen.
Kevin Young, a computer security expert who studies passwords, is nearly at a loss for words. Literally. Young and his colleagues are working to decode some 2.6 million scrambled LinkedIn passwords, part of a total of 6.1 million released earlier this week on a Russian password cracking forum. Young studies how people pick passwords and how resistant they are to cracking. The data that was released were password hashes, or cryptographic representations of passwords churned through an algorithm called SHA-1. For example, if a person's password is "Rover" the SHA-1 hash would be "ac54ed2d6c6c938bb66c63c5d0282e9332eed72c."
“Change your passwords now. Like, every password you use on every website you have ever visited.”
The years change, but the stories remain the same. Passwords are a crappy defense and most of us use poor ones in exchange for ease of use. Some LinkedIn users had their passwords stolen. Phishing attacks ensued to prey on LinkedIn users. Now eHarmony has had issues.
The news broke yesterday: 6.5 million LinkedIn passwords have been hacked! The culprit, who goes by the name dwdm, is said to be from Russia and to have also stolen 1.5 million passwords from the dating site eHarmony. The list has been published online, so it is important to change your password as quickly as possible to avoid any future trouble…
Passwords for 'work' network include 'hopeless' and 'ihatemyjob'. Security site lets users check their passwords. Experts advise users change passwords immediately.
Unscrewing Security, by Alec Muffett. Alec Muffett is a veteran security geek who believes strongly in common sense, full disclosure, defence in depth, privacy, integrity, simplicity and open source.
Vicente Silveira, June 6, 2012: Our security team continues to investigate this morning’s reports of stolen passwords. At this time, we’re still unable to confirm that any security breach has occurred.
Vicente Silveira, June 6, 2012: We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.
Some observations on this file:
0. This is a file of SHA1 hashes of short strings (i.e. passwords).
1. There are 3,521,180 hashes that begin with 00000.
Computerworld - In response to widespread reports of a massive data breach at LinkedIn, the company Wednesday confirmed that passwords belonging to "some" of its members have been compromised. In a carefully worded blog post, LinkedIn director Vicente Silveira said the company has confirmed that an unspecified number of hashed passwords posted publicly on a Russian hacker forum earlier this week "correspond to LinkedIn accounts." Silveira made no mention of how the passwords may have ended up on the forums but noted that LinkedIn is continuing to investigate. "Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," Silveira said. Users of the social networking site for professionals will also receive an email from LinkedIn with instructions on how to reset their passwords.