LinkedIn Compromise of Passwords is Real

Multiple sources in the security field have reported today that LinkedIn was hacked and the list of password hashes posted on a forum.  I can also add myself to @ErrataRob findings confirming that my password was on that list.

At this time files posted on the forum have been taken down and LinkedIn has now confirmed that “some” of the user passwords are real.

Here is a small excerpt from the dump:

000000a9e52942d6121a0f715579d6f0db7f010b
000000a9f9cbef14ad6ff3dc215a4bbd5ecc9b14
000000a98e4982e25513643a071cb69b4c675938
000000a900fe3ba92a09e66f865763f0f25f81b9
000000a99de50e4f92d9d08deeb002aa0a21aa7a
000000a97cab1b45b83a18b044a6ca2811deb538
000000a9c381d625e055755dc4dc8841c7786233
000000a9f0aa2ca70847911bcc972f52d222430b

These passwords are encoded using a cryptographic hash function called SHA-1. A hash function is a one-way mathematical function that takes an arbitrary block of data and returns a fixed-size bit string.

In order to retrieve the password from this SHA-1 string, hackers use an attack known as a Rainbow Tables attack, which consists of calculating the hashes for the passwords; so once you get the hash to do a reverse lookup of the hash you have previously calculated and get the password. These tables of passwords and their hashes are widely available on the Internet including http://www.onlinehashcrack.com/

If your password is simple, its pretty likely that your hash is already stored on a rainbow table.

So I calculated my SHA-1 hash by using the following command on my laptop.

echo -n ‘mypassword’ | openssl sha1

This command  calculates the one-way SHA1 hash for my password.

I then stripped the first 6 characters from the hash and looked it up in the combo_not.txt file that contained the compromised list of passwords.

YCombinator has a post that explains what the meaning of the initial “0”s mean within the hashes and the reason why I deleted the first 6 characters.

So the LinkedIn hack is real and you need to change your password NOW. If you happen to use that password for other websites, change those too and do not use that password again.

How could have LinkedIn prevents this:

Not only were the access controls that LinkedIn had in place prove to be insufficient, but they apparently had no detective controls to alert them that the breach occurred judging by their public responses and the silly statements that no evidence of breach had been found.

Furthermore LinkedIn could have made the password information useless if a technique called ‘salting‘ had been used on the stored hashes. This is common of web applications as many store users passwords as a hash in the database.

It would help LinkedIn’s reputation to be as forthcoming as they can with what they know as they know it.

UPDATE: Link to mirror forum here.