LinkedIn password database was stolen and posted publically
Please be aware that it is being reported that the LinkedIn password database was stolen and posted publicly early this morning.
[B]If you use LinkedIn, your password needs to be considered compromised, [U]as well as any other site you use this password for[/U]. It's critical for you that these passwords be changed as soon as possible.[/B]

The standard progression of this type of attack is:
1. Hackers post password hashes publicly. [I](Done)[/I]
2. Criminal groups work together to rapidly crack and recover passwords. How complex your password was determines how much time you have to change it. [I](In progress now)[/I]
3. Cracked accounts are then used to automatically attempt logins to more critical sites (PayPal, Amazon, banks, email services) for further financial theft, identity theft, and/or privacy compromise.
___________________________________________
(Came from our IT. I haven't verified this. See [URL="http://www.pcworld.com/article/257045/65m_linkedin_passwords_posted_online_after_apparent_hack.html"]PC World[/URL] and other sources.) |
[QUOTE=Batalov;301457]Please be aware that it is being reported that the LinkedIn password database was stolen and posted publicly early this morning.
[B]If you use LinkedIn, your password needs to be considered compromised, [U]as well as any other site you use this password for[/U]. It's critical for you that these passwords be changed as soon as possible.[/B] The standard progression of this type of attack is: 1. Hackers post password hashes publicly. [I](Done)[/I] 2. Criminal groups work together to rapidly crack and recover passwords. How complex your password was determines how much time you have to change it. [I](In progress now)[/I] 3. Cracked accounts are then used to automatically attempt logins to more critical sites (PayPal, Amazon, banks, email services) for further financial theft, identity theft, and/or privacy compromise. ___________________________________________ (Came from our IT. I haven't verified this. See [URL="http://www.pcworld.com/article/257045/65m_linkedin_passwords_posted_online_after_apparent_hack.html"]PC World[/URL] and other sources.)[/QUOTE]A few further details follow. First, only 6.4 million password hashes have been released, out of a total of more than 150M. I have a copy of this file. Second, only the hashes have been released (so far) and not the accounts to which they correspond. Third, only around 250K plaintext passwords have been released in parallel with their SHA1 hashes. So far, I've only found a single file which contains about 160K of them; the others are reported to be out there but I've not yet found them. Fourth, there are very good grounds to suspect that only those accounts accessed through an iOS app have been compromised.
My take: First, if your password hashes to one of those in the list you should undoubtedly change your password. On Linux this can be checked with sha1sum (*). Second, if you've used an iOS app to access LinkedIn you should probably change your password. Third, if a list of usernames corresponding to the hashes appears and your name is in that list, you should undoubtedly change your password whether or not your password appears in the list of those recovered. Paul (*) I verified that the hash of my LinkedIn password is not in the list of hashes by first typing my password into a file and editing that file to ensure that there was no extraneous whitespace, including any terminal newline. Then I ran "sha1sum passwd_file" to find the hash. A quick grep for that hash in the compromised hashes file turned up nothing. I verified the procedure by using a known password/hash pair taken from the file of 160K compromised examples. |
Thanks for the heads-up. I've changed my password just to be on the safe side.
Where did you get the list of hashes and/or the compromised ones?
[QUOTE=ixfd64;301470]Thanks for the heads-up. I've changed my password just to be on the safe side.[/QUOTE]
Can't even remember mine. Apparently even though I got messages it can't even find my emails in its database. |
So, how do they get passwords from the hashes; dictionary attack?
[QUOTE=TObject;301479]So, how do they get passwords from the hashes; dictionary attack?[/QUOTE]Fundamentally, yes.
There are a number of time-memory trade-offs which may be used for cracking multiple hashes. For instance, the minimum memory trade-off runs the entire dictionary against each hash. The minimum-time version precomputes the hashes of each word in the dictionary and stores the result. Thereafter cracking a hashed password is a simple table look-up. Finding out what the term "rainbow table" means will teach you something about a particularly important intermediate case. Paul |
How can I get access to the file so I can check if my password is in there? I'm changing it anyway but I wish to be certain
I found a site to check
[URL]http://leakedin.org/[/URL] Use at your own risk [URL]http://www.siliconrepublic.com/new-media/item/27637-leakedin-org-claims-to-let/[/URL] |
Be careful not to blame Rainbow Tables. They are just a tool, as GNFS is just a tool. Attacks based on the ideas of Rainbow Tables have been known for at least 30 years.
Defending against Rainbow Tables is trivially accomplished by use of a well-salted hash. There's really no excuse LinkedIn didn't salt the password hashes. BTW, an enterprising group has placed a tool online to let you check if your password has been exposed. Check out [URL="http://leakedin.org"]leakedin.org[/URL]. DON'T SUPPLY YOUR OWN PASSWORD OR YOUR OWN PASSWORD HASH. The (unsalted) hashed password will be sent unencrypted via the Internet, and the Web Site at the other end, if they are nefarious, has the option of keeping your password hash. However, to see the scope of the released passwords, you can try entering dictionary words. Or try the names of your favorite contributors from these forums. 6.5 million is a lot of passwords, and LinkedIn users evidently pick some pretty awful passwords. |
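The two points made above by xilman (the time-memory trade-off: precompute the dictionary once, then each unsalted hash is a table look-up) and by Ernst (a per-user salt makes that precomputed table useless), together with xilman's local sha1sum check from earlier in the thread, as an added Python example. This is not code from anyone in the thread; the wordlist and the "leaked" hashes are constructed from it for illustration.

```python
import hashlib
import os

# Constructed wordlist standing in for a cracking dictionary (real ones run to
# millions of entries); the "leaked" hashes in demo() are constructed from it.
WORDLIST = ["password", "linkedin", "123456", "qwerty", "letmein", "Tr0ub4dor&3"]


def sha1_hex(text):
    """SHA-1 of the password bytes only, i.e. the unsalted form LinkedIn stored."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Minimum-time end of the trade-off: hash the dictionary once and keep
    hash -> word. Against unsalted hashes this cost is paid once and the same
    table serves all 6.4M leaked hashes (a rainbow table is the compact
    intermediate form of the same idea)."""
    return {sha1_hex(w): w for w in words}


def recover_unsalted(leaked_hashes, table):
    """Each unsalted hash is a single dictionary look-up."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_sha1_hex(salt, text):
    """Per-user random salt mixed into the hash. Even salted, SHA-1 is far too
    fast for password storage; a slow KDF (bcrypt, scrypt) is the real fix."""
    return hashlib.sha1(salt + text.encode("utf-8")).hexdigest()


def recover_salted(salted_records, table):
    """No entry of the precomputed table includes any user's salt, so the table
    recovers nothing: the attacker is pushed back to re-hashing the whole
    dictionary separately for every single user."""
    return {h: table[h] for _salt, h in salted_records if h in table}


def hash_is_in_leak(password_file_text, leaked_hashes):
    """xilman's local check: hash the password on your own machine and look it
    up in the leaked file. Editors and `echo` append a newline, which changes
    the digest completely, so strip it first. Nothing leaves the machine."""
    return sha1_hex(password_file_text.rstrip("\r\n")) in leaked_hashes


def demo():
    """Two constructed leaked hashes from WORDLIST plus one from a passphrase
    not in it, checked first unsalted and then with per-user salts."""
    table = build_lookup_table(WORDLIST)
    leaked = [sha1_hex(p) for p in ("linkedin", "qwerty", "correct horse battery")]
    salted = []
    for p in ("linkedin", "qwerty"):
        salt = os.urandom(16)  # fresh random salt per user
        salted.append((salt, salted_sha1_hex(salt, p)))
    return sorted(recover_unsalted(leaked, table).values()), recover_salted(salted, table)


if __name__ == "__main__":
    print(demo())  # (['linkedin', 'qwerty'], {})
```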
[URL]http://security.stackexchange.com/questions/15765/is-it-safe-to-use-leakedin-org[/URL]
[URL]https://lastpass.com/linkedin/[/URL] "If you do want to check on the status of your linkedin password, I'd be more inclined to use the checker at lastpass. They've got a reputation in the security field to protect and also their page is using SSL, so less risk of your password being leaked." |
I'm still really curious where xilman (et al.) found the file before a tool went up.
PS I did google it. It's a natural instinct. PPS One of my favorite shirts was "Curiosity killed the cat, but for a while I was a suspect." Especially if the kid wearing it was particularly inclined to do stupid/dangerous stuff. |
[QUOTE=Dubslow;301530]I'm still really curious where xilman (et al.) found the file before a tool went up.[/QUOTE]
:google: |
Note that the phishers are already active: [url]http://www.bbc.co.uk/news/technology-18351986[/url]
I tried Googling it too and was unable to find the source material, so it's not like we didn't try, lol
[QUOTE=xilman;301468]A few further details follow.
First, only 6.4 million password hashes have been released, out of a total of more than 150M. I have a copy of this file. Second, only the hashes have been released (so far) and not the accounts to which they correspond. Third, only around 250K plaintext passwords have been released in parallel with their SHA1 hashes. So far, I've only found a single file which contains about 160K of them; the others are reported to be out there but I've not yet found them. Fourth, there are very good grounds to suspect that only those accounts accessed through an iOS app have been compromised. My take: First, if your password hashes to one of those in the list you should undoubtedly change your password. On Linux this can be checked with sha1sum (*). Second, if you've used an iOS app to access LinkedIn you should probably change your password. Third, if a list of usernames corresponding to the hashes appears and your name is in that list, you should undoubtedly change your password whether or not your password appears in the list of those recovered. Paul (*) I verified that the hash of my LinkedIn password is not in the list of hashes by first typing my password into a file and editing that file to ensure that there was no extraneous whitespace, including any terminal newline. Then I ran "sha1sum passwd_file" to find the hash. A quick grep for that hash in the compromised hashes file turned up nothing. I verified the procedure by using a known password/hash pair taken from the file of 160K compromised examples.[/QUOTE] Do not assume that the hackers have released all the hashes they stole. And *do* assume they have the usernames corresponding to the hashes. Also assume criminals will try every plaintext password that's been released or they can crack against every ID they know of at banks, PayPal etc. I assume you are all sensible enough to use different passwords for different sites. Chris |
Is anyone else annoyed at not hearing any of this from LinkedIn itself? My weekly LinkedIn Network Updates e-mail for June 5 is blissfully free of any mentions of hackery. Perhaps LNKD is playing the old-as-the-ostrich "If we pretend it never happened, we can't be held liable" game here.
Wankers. |
[QUOTE=ewmayer;301573]Is anyone else annoyed at not hearing any of this from LinkedIn itself? My weekly LinkedIn Network Updates e-mail for June 5 is blissfully free of any mentions of hackery. Perhaps LNKD is playing the old-as-the-ostrich "If we pretend it never happened, we can't be held liable" game here.
Wankers.[/QUOTE] I closed my account and told them exactly why in the "exit interview" that they do. |
[QUOTE=ewmayer;301573]Is anyone else annoyed at not hearing any of this from LinkedIn itself? My weekly LinkedIn Network Updates e-mail for June 5 is blissfully free of any mentions of hackery. Perhaps LNKD is playing the old-as-the-ostrich "If we pretend it never happened, we can't be held liable" game here.[/QUOTE]Either that or they really do have their head in the sand and are not aware that a hack took place.
Either way, as you put it so succinctly, ...[QUOTE=ewmayer;301573]Wankers.[/QUOTE] |
[QUOTE=retina;301606]Either that or they really do have their head in the sand and are not aware that a hack took place.[/QUOTE]They are certainly aware. They've made public statements about the incident. What they have not yet done is inform their customers individually.
Ernst rightly compares them with a wunch of bankers. |
"Eine Minuten bitte. Ich habe einen kleinen Problemo avec diese Religione"
I don't know if I should be happy or pissed. I've been honored!
I [B]did[/B] receive a message from LinkedIn bunch of [strike]hooey[/strike] bankers - just now. And it says in part: [QUOTE]We recently became aware that some LinkedIn passwords were compromised and posted on a hacker website. We immediately launched an investigation and we have reason to believe that your password was included in the post.

To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member's account as a result of this event. While a small subset of the passwords was decoded and published, we do not believe yours was among them.

The security of your account is very important to us at LinkedIn. As a precaution, we disabled your password, and advise you to take the following steps to reset it. If you reset your password in the last two days, there is no need for further action.[/QUOTE] |
[QUOTE=Batalov;301754]I don't know if I should be happy or pissed. I've been honored!
I [B]did[/B] receive a message from LinkedIn bunch of [strike]hooey[/strike] bankers - just now. [/QUOTE] I received a copy of the same message ... at 10:30pm PDT last night, nearly 36 hours after I'd already changed my password. I repeat: Wankers. |
[QUOTE=ewmayer;301870]I received a copy of the same message ... at 10:30pm PDT last night, nearly 36 hours after I'd already changed my password.
I repeat: Wankers.[/QUOTE] I don't have a LinkedIn account, but I have an experience to relate from a few months ago about a Dutch internet provider, hetnet.nl (part of KPN), with which I do have an account. This internet provider had a similar huge, embarrassing loss of a file of access passwords. Exactly what the thieves got hold of was not, and still isn't, completely clear. But just like with LinkedIn, the media knew of it days before any communication by KPN to its hetnet.nl customers took place. On hearing the news I immediately changed my hetnet.nl password. About a week later I received a letter in the post from KPN, the first direct communication from the provider about the security leak. The letter stated that due to the breach of security they had changed my password for me. The letter went on to give me the new password which they had apparently changed it to: [I]it was the same new password that I had selected when changing it myself a week earlier![/I] I can only conclude that they don't even encrypt the passwords at all when storing them, let alone fail to salt the encrypted hashes like LinkedIn. That aside from the incompetence of failing to distinguish between customers who had changed their passwords themselves and those who had been allocated new passwords! |
[QUOTE=Brian-E;301873]The letter went on to give me the new password which they had apparently changed it to: [I]it was the same new password that I had selected when changing it myself a week earlier![/I][/QUOTE]
Coooooollllll! Cool cool cool cool cool! That is brilliant. I can't stop laughing. My wife said I have gone nuts. Did you still keep the account with them after this? |
[QUOTE=LaurV;301920]Coooooollllll! Cool cool cool cool cool!
That is brilliant. I can't stop laughing. My wife said I have gone nuts. Did you still keep the account with them after this?[/QUOTE] Yes. I should really dump them, I know. I actually use a different internet provider these days and my account with hetnet.nl has been dormant for years. I changed because of other unimpressive issues with hetnet.nl. But when I originally tried to cancel the account with them I was informed that my telephone land-line was contractually tied to the hetnet.nl account and I couldn't stop the hetnet.nl account without losing the landline. I don't think that is correct, but I've no stomach for a legal fight considering that the hetnet.nl account costs only Euro 2.50 per month. I know, I shouldn't be so meek about it. But that's the way I am.:unsure: |
And the story goes on! :smile:
Just got this from Last.fm: [QUOTE]We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we're asking all our users to change their passwords immediately. Please log in to Last.fm and change your password on your settings page. [/QUOTE] It seems the leak happened on June 7, but I just got the message, an hour ago (on June 11)! |
Events: Jun 14, 2012 - LinkedIn Corporation Annual Shareholder Meeting - 12:00PM EDT
Police arrest Russian tied to 2012 LinkedIn hack
[QUOTE=Batalov;301457]Please be aware that it is being reported that the LinkedIn password database was stolen and posted publicly early this morning.
If you use LinkedIn, your password needs to be considered compromised, as well as any other site you use this password for. It's critical for you that these passwords be changed as soon as possible. The standard progression of this type of attack is: 1. Hackers post password hashes publicly. (Done) 2. Criminal groups work together to rapidly crack and recover passwords. How complex your password was determines how much time you have to change it. (In progress now) 3. Cracked accounts are then used to automatically attempt logins to more critical sites (PayPal, Amazon, banks, email services) for further financial theft, identity theft, and/or privacy compromise. ___________________________________________ (Came from our IT. I haven't verified this. See [URL="http://www.pcworld.com/article/257045/65m_linkedin_passwords_posted_online_after_apparent_hack.html"]PC World[/URL] and other sources.)[/QUOTE] They were not sitting on their thumbs for these four years, after all. [URL="http://www.reuters.com/article/us-czech-usa-russia-cybercrime-idUSKCN12J0MV"]Czech police arrest Russian tied to 2012 LinkedIn hack[/URL] Good! |