mersenneforum.org

LinkedIn password database was stolen and posted publicly (https://www.mersenneforum.org/showthread.php?t=16881)

Dubslow 2012-06-07 13:51

I'm still really curious where xilman (et al.) found the file before a tool went up.

PS I did google it. It's a natural instinct.

PPS One of my favorite shirts was "Curiosity killed the cat, but for a while I was a suspect." Especially if the kid wearing it was particularly inclined to do stupid/dangerous stuff.

xilman 2012-06-07 14:43

[QUOTE=Dubslow;301530]I'm still really curious where xilman (et al.) found the file before a tool went up.[/QUOTE]
:google:

xilman 2012-06-07 14:48

Note that the phishers are already active: [url]http://www.bbc.co.uk/news/technology-18351986[/url]

voidme 2012-06-07 15:45

I tried Googling it too and was unable to find the source material, so it's not like we didn't try, lol

chris2be8 2012-06-07 16:45

[QUOTE=xilman;301468]A few further details follow.

First, only 6.4 million password hashes have been released, out of a total of more than 150M. I have a copy of this file.

Second, only the hashes have been released (so far) and not the accounts to which they correspond.

Third, only around 250K plaintext passwords have been released in parallel with their SHA1 hashes. So far, I've only found a single file which contains about 160K of them; the others are reported to be out there but I've not yet found them.

Fourth, there are very good grounds to suspect that only those accounts accessed through an iOS app have been compromised.

My take:

First, if your password hashes to one of those in the list you should undoubtedly change your password. On Linux this can be checked with sha1sum (*).

Second, if you've used an iOS app to access LinkedIn you should probably change your password.

Third, if a list of usernames corresponding to the hashes appears and your name is in that list, you should undoubtedly change your password whether or not your password appears in the list of those recovered.


Paul

(*) I verified that the hash of my LinkedIn password is not in the list of hashes by first typing my password into a file and editing that file to ensure that there was no extraneous whitespace, including any terminal newline. Then I ran "sha1sum passwd_file" to find the hash. A quick grep for that hash in the compromised hashes file turned up nothing. I verified the procedure by using a known password/hash pair taken from the file of 160K compromised examples.[/QUOTE]

Do not assume that the hackers have released all the hashes they stole. And *do* assume they have the usernames corresponding to the hashes.

Also assume criminals will try every plaintext password that's been released or they can crack against every ID they know of at banks, PayPal etc.

I assume you are all sensible enough to use different passwords for different sites.

Chris
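
The check described in the quoted footnote, as an added example that is not part of the thread: hash the password without a trailing newline, look for the hash as a whole line in the leaked list, and confirm the procedure with a known password/hash pair first. It assumes `sha1sum` from GNU coreutils; the function names and the sample hash list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the sample list
# are constructed for illustration.

# SHA-1 of exactly the bytes in $1. printf '%s' adds no trailing newline,
# which is the pitfall the footnote guards against.
sha1_of() {
    printf '%s' "$1" | sha1sum | cut -d' ' -f1
}

# Exit 0 if hash $1 appears as a whole line in file $2.
# -F fixed string, -x whole line, -i ignore hex case; CRs are stripped in
# case the list was saved with DOS line endings.
hash_in_list() {
    tr -d '\r' < "$2" | grep -qixF -- "$1"
}

# Print "listed" or "not listed" for password $1 against hash file $2.
check_password() {
    if hash_in_list "$(sha1_of "$1")" "$2"; then
        echo "listed"
    else
        echo "not listed"
    fi
}

# Verify the procedure with a known password/hash pair before trusting a
# negative result: the SHA-1 of "password" is a widely known value.
self_test() {
    [ "$(sha1_of password)" = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" ]
}

# Constructed sample list: SHA-1 of "password" (upper case, CRLF ending)
# and SHA-1 of "123456".
make_sample_list() {
    printf '%s\r\n%s\n' \
        "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8" \
        "7c4a8d09ca3762af61e59520943dc26494f8941b" > "$1"
}

list=$(mktemp)
make_sample_list "$list"
self_test && echo "self-test ok"
check_password 'password' "$list"
check_password 'correct horse battery staple' "$list"
rm -f "$list"
```

A negative result only means the hash is absent from the file that was checked; `echo password | sha1sum` would hash the newline as well and report a false "not listed".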

ewmayer 2012-06-07 20:13

Is anyone else annoyed at not hearing any of this from LinkedIn itself? My weekly LinkedIn Network Updates e-mail for June 5 is blissfully free of any mentions of hackery. Perhaps LNKD is playing the old-as-the-ostrich "If we pretend it never happened, we can't be held liable" game here.

Wankers.

KingKurly 2012-06-07 22:00

[QUOTE=ewmayer;301573]Is anyone else annoyed at not hearing any of this from LinkedIn itself? My weekly LinkedIn Network Updates e-mail for June 5 is blissfully free of any mentions of hackery. Perhaps LNKD is playing the old-as-the-ostrich "If we pretend it never happened, we can't be held liable" game here.

Wankers.[/QUOTE]
I closed my account and told them exactly why in the "exit interview" that they do.

retina 2012-06-08 03:44

[QUOTE=ewmayer;301573]Is anyone else annoyed at not hearing any of this from LinkedIn itself? My weekly LinkedIn Network Updates e-mail for June 5 is blissfully free of any mentions of hackery. Perhaps LNKD is playing the old-as-the-ostrich "If we pretend it never happened, we can't be held liable" game here.[/QUOTE]
Either that or they really do have their head in the sand and are not aware that a hack took place.

Either way, as you put it so succinctly, ...[QUOTE=ewmayer;301573]Wankers.[/QUOTE]

xilman 2012-06-08 06:21

[QUOTE=retina;301606]Either that or they really do have their head in the sand and are not aware that a hack took place.[/QUOTE]
They are certainly aware. They've made public statements about the incident. What they have not yet done is inform their customers individually.

Ernst rightly compares them with a wunch of bankers.

Batalov 2012-06-09 00:32

"Eine Minuten bitte. Ich habe einen kleinen Problemo avec diese Religione"
 
I don't know if I should be happy or pissed. I've been honored!

I [B]did[/B] receive a message from LinkedIn bunch of [strike]hooey[/strike] bankers - just now.

And it says in part:
[QUOTE]We recently became aware that some LinkedIn passwords were compromised and posted on a hacker website. We immediately launched an investigation and we have reason to believe that your password was included in the post.

To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event. While a small subset of the passwords was decoded and published, we do not believe yours was among them.

The security of your account is very important to us at LinkedIn. As a precaution, we disabled your password, and advise you to take the following steps to reset it. If you reset your password in the last two days, there is no need for further action.
[/QUOTE]

ewmayer 2012-06-09 19:21

[QUOTE=Batalov;301754]I don't know if I should be happy or pissed. I've been honored!

I [B]did[/B] receive a message from LinkedIn bunch of [strike]hooey[/strike] bankers - just now. [/QUOTE]

I received a copy of the same message ... at 10:30pm PDT last night, nearly 36 hours after I'd already changed my password.

I repeat: Wankers.

