LinkedIn password database was stolen and posted publically
Please be aware that it is being reported that the LinkedIn password database was stolen and posted publicly early this morning.

[B]If you use LinkedIn, your password needs to be considered compromised, [U]as well as any other site you use this password for[/U]. It’s critical for you that these passwords be changed as soon as possible.[/B]

The standard progression of this type of attack is:

1. Hackers post password hashes publicly. [I](Done)[/I]
2. Criminal groups work together to rapidly crack and recover passwords. How complex your password was will determine how much time you have to change it. [I](In progress now)[/I]
3. Cracked accounts are then used to automatically attempt logins to more critical sites (PayPal, Amazon, banks, email services) for further financial theft, identity theft, and/or privacy compromise.

___________________________________________
(Came from our IT. I haven't verified this. See [URL="http://www.pcworld.com/article/257045/65m_linkedin_passwords_posted_online_after_apparent_hack.html"]PC World[/URL] and other sources.)
[QUOTE=Batalov;301457]Please be aware that it is being reported that the LinkedIn password database was stolen and posted publicly early this morning. [...][/QUOTE]
A few further details follow. First, only 6.4 million password hashes have been released, out of a total of more than 150M. I have a copy of this file. Second, only the hashes have been released (so far) and not the accounts to which they correspond. Third, only around 250K plaintext passwords have been released in parallel with their SHA1 hashes. So far, I've only found a single file which contains about 160K of them; the others are reported to be out there but I've not yet found them. Fourth, there are very good grounds to suspect that only those accounts accessed through an iOS app have been compromised.

My take: First, if your password hashes to one of those in the list you should undoubtedly change your password. On Linux this can be checked with sha1sum (*). Second, if you've used an iOS app to access LinkedIn you should probably change your password. Third, if a list of usernames corresponding to the hashes appears and your name is in that list, you should undoubtedly change your password whether or not your password appears in the list of those recovered.

Paul

(*) I verified that the hash of my LinkedIn password is not in the list of hashes by first typing my password into a file and editing that file to ensure that there was no extraneous whitespace, including any terminal newline. Then I ran "sha1sum passwd_file" to find the hash. A quick grep for that hash in the compromised hashes file turned up nothing. I verified the procedure by using a known password/hash pair taken from the file of 160K compromised examples.
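The sha1sum-and-grep check Paul describes, done offline in Python, as an added example that is not Paul's own commands. It assumes the leaked file holds one 40-character hex SHA-1 per line, and the sample "leak" below is constructed here, not taken from the real dump.

```python
"""Offline check: is the unsalted SHA-1 of a password in a leaked hash list?"""
import hashlib


def sha1_hex(password: str) -> str:
    """SHA-1 hex digest of the password, matching `sha1sum` on a file with no trailing newline."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_hash_set(lines) -> set:
    """Collect 40-character hex digests from the leak file, skipping blank or malformed lines."""
    hashes = set()
    for line in lines:
        token = line.strip().lower()
        if len(token) == 40 and all(c in "0123456789abcdef" for c in token):
            hashes.add(token)
    return hashes


def password_in_leak(password: str, hash_set: set) -> bool:
    """True if the password's SHA-1 is in the leak. A trailing newline left by a text editor is
    stripped first; otherwise the digest of 'secret\\n' is looked up and the check silently misses."""
    return sha1_hex(password.rstrip("\r\n")) in hash_set


def newline_changes_digest(password: str) -> bool:
    """Why the whitespace cleanup matters: 'pw' and 'pw\\n' hash to different values."""
    return sha1_hex(password) != sha1_hex(password + "\n")


def procedure_sanity_check(known_plaintext: str, known_hex: str, hash_set: set) -> bool:
    """Paul's control step: a known plaintext/hash pair from the leak must come out positive."""
    return sha1_hex(known_plaintext) == known_hex.lower() and known_hex.lower() in hash_set


# Constructed sample "leak" (NOT the real dump): digests of two weak passwords plus junk lines.
SAMPLE_LEAK_LINES = [
    sha1_hex("password"),          # 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    sha1_hex("linkedin") + "\n",   # trailing newline, as a line read from a text file would have
    "not-a-hash",
    "",
]
SAMPLE_HASHES = load_hash_set(SAMPLE_LEAK_LINES)

if __name__ == "__main__":
    print("procedure ok:", procedure_sanity_check("password", sha1_hex("password"), SAMPLE_HASHES))
    print("'password' in leak:", password_in_leak("password\n", SAMPLE_HASHES))
    print("'correct horse' in leak:", password_in_leak("correct horse", SAMPLE_HASHES))
```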
Thanks for the heads-up. I've changed my password just to be on the safe side.
Where did you get the list of hashes and/or the compromised ones?
[QUOTE=ixfd64;301470]Thanks for the heads-up. I've changed my password just to be on the safe side.[/QUOTE]
Can't even remember mine. Apparently, even though I got messages, it can't even find my emails in its database.
So, how do they get passwords from the hashes; dictionary attack?
[QUOTE=TObject;301479]So, how do they get passwords from the hashes; dictionary attack?[/QUOTE]Fundamentally, yes.

There are a number of time-memory trade-offs which may be used for cracking multiple hashes. For instance, the minimum-memory trade-off runs the entire dictionary against each hash. The minimum-time version precomputes the hashes of each word in the dictionary and stores the result. Thereafter cracking a hashed password is a simple table look-up. Finding out what the term "rainbow table" means will teach you something about a particularly important intermediate case.

Paul
How can I get access to the file so I can check if my password is in there? I'm changing it anyway but I wish to be certain
I found a site to check: [URL]http://leakedin.org/[/URL]

Use at your own risk: [URL]http://www.siliconrepublic.com/new-media/item/27637-leakedin-org-claims-to-let/[/URL]
Be careful not to blame Rainbow Tables. They are just a tool, as GNFS is just a tool. Attacks based on the ideas of Rainbow Tables have been known for at least 30 years.

Defending against Rainbow Tables is trivially accomplished by use of a well-salted hash. There's really no excuse LinkedIn didn't salt the password hashes.

BTW, an enterprising group has placed a tool online to let you check if your password has been exposed. Check out [URL="http://leakedin.org"]leakedin.org[/URL]. DON'T SUPPLY YOUR OWN PASSWORD OR YOUR OWN PASSWORD HASH. The (unsalted) hashed password will be sent unencrypted via the Internet, and the website at the other end, if they are nefarious, has the option of keeping your password hash. However, to see the scope of the released passwords, you can try entering dictionary words. Or try the names of your favorite contributors from these forums. 6.5 million is a lot of passwords, and LinkedIn users evidently pick some pretty awful passwords.
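The two points above, Paul's "minimum-time" precomputed table and the remark that a well-salted hash defeats it, worked through in an added example that is not from any poster. The wordlist is a constructed toy, and plain SHA-1 is kept only so the salted and unsalted cases are comparable; a real password store would use bcrypt, scrypt or PBKDF2.

```python
"""Precomputed dictionary table vs. an unsalted hash list, and what a per-user salt changes."""
import hashlib
import hmac
import os

# Constructed toy wordlist; a real attacker's dictionary has millions of entries.
WORDLIST = ["password", "123456", "linkedin", "qwerty", "letmein"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words):
    """Minimum-time trade-off: hash every word once; each leaked hash then costs one dict lookup."""
    return {sha1_hex(w.encode()): w for w in words}


def recover_unsalted(leaked_hashes, table):
    """Unsalted SHA-1 (the LinkedIn case): one table serves every user in the dump."""
    return {h: table[h] for h in leaked_hashes if h in table}


def store_salted(password: str):
    """Defender side: a fresh random salt per user, stored beside the hash (salt need not be secret)."""
    salt = os.urandom(16)
    return salt, sha1_hex(salt + password.encode())


def verify_salted(salt: bytes, stored_hex: str, candidate: str) -> bool:
    """Login check; constant-time compare so the comparison itself leaks nothing."""
    return hmac.compare_digest(stored_hex, sha1_hex(salt + candidate.encode()))


def recover_salted(records, table):
    """The same precomputed table against salted records: nothing matches, even for dictionary words,
    because the table was built without the salts."""
    return {h: table[h] for _, h in records if h in table}


def work_without_shortcut(records, words) -> int:
    """With per-user salts the dictionary must be re-hashed for every record: the precomputation is gone
    and the cost is records x words hash operations, instead of len(words) once for the whole dump."""
    return len(records) * len(words)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leak = [sha1_hex(b"password"), sha1_hex(b"not-in-any-wordlist-7f2")]
    print("unsalted recovered:", recover_unsalted(leak, table))
    salted_store = [store_salted(w) for w in WORDLIST]
    print("salted recovered with same table:", recover_salted(salted_store, table))
    print("hashes needed without the table:", work_without_shortcut(salted_store, WORDLIST))
```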
[URL]http://security.stackexchange.com/questions/15765/is-it-safe-to-use-leakedin-org[/URL]

[URL]https://lastpass.com/linkedin/[/URL] "If you do want to check on the status of your linkedin password, I'd be more inclined to use the checker at lastpass. They've got a reputation in the security field to protect and also their page is using SSL, so less risk of your password being leaked."