AuthorTopic: Another Day, Another Hack: 117 Million LinkedIn Emails And Passwords  (Read 512 times)

Offline Palloy

  • Moderator
  • Sous Chef
  • *****
  • Posts: 3754
    • View Profile
The surprising thing is not that LinkedIn didn't use a better hashing algorithm than "SHA1 with no salt", it is that they are still in business at all after that. 

Note that hackers claim to have cracked 90% of the 117,000,000 hashes in 3 days - a rate of 400 per second.  If the hash had been salted with the current time at account creation, they would probably still be on their first thousand.
Another Day, Another Hack: 117 Million LinkedIn Emails And Passwords
Lorenzo Franceschi-Bicchierai
May 18, 2016

A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users.

The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach.

Turns out it was much worse than anybody thought.

Peace is selling the data on the dark web illegal marketplace The Real Deal for 5 bitcoin (around $2,200). The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and the one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords.

“It is only coming to the surface now. People may not have taken it very seriously back then as it was not spread,” one of the people behind LeakedSource told me. “To my knowledge the database was kept within a small group of Russians.”

LeakedSource provided Motherboard with a sample of almost one million credentials, which included email addresses, hashed passwords, and the corresponding hacked passwords. The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked.

One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours.”

Troy Hunt, a security researcher who maintains the breach notification site “Have I Been Pwned?,” reached out to some of the victims of the data breach. Two of them confirmed to Hunt that they indeed were users of LinkedIn and that the password he shared with them was the one they were using at the time of the breach. Motherboard was able to confirm a third victim.

One of the victims told Motherboard that the password in the sample was their current one, though he changed it as soon as Hunt reached out no notify him of the breach.

“Having a password out there feels like someone being able to let themselves in to your private space whenever they like, without you knowing,” the victim, who asked to remain anonymous, said in an email.

When reached for comment on Tuesday, LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate. Durzy, however, also admitted that the 6.5 million hashes that were posted online in 2012 were not necessarily all of the passwords stolen.

“We don’t know how much was taken,” Durzy told me in a phone call.

The lesson: For LinkedIn, the lesson is the same as four years ago: don’t store passwords in an insecure way. As for LinkedIn users, if you didn’t already change your password four years ago, change it again, especially if you use it on other services (and please stop reusing passwords).

“The prevalence of password reuse means we’ll see that unlock other accounts too,” Hunt told me.

Another lesson is that even old hacked data can sometimes be valuable, given that some of these passwords might still be valid.

UPDATE, May 18, 12:32 p.m. ET: LinkedIn confirmed on Wednesday that the new data is legitimate.

“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012,“ the company's chief information security officer Cory Scott wrote in a blog post. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.“

Scott also encouraged users to use two-factor authentication and use strong passwords.
The State is a body of armed men


Related Topics

  Subject / Started by Replies Last post
5 Replies
Last post August 11, 2015, 09:22:49 PM
by Palloy
0 Replies
Last post June 06, 2016, 03:48:36 PM
by Palloy
0 Replies
Last post September 02, 2016, 02:07:31 PM
by Palloy