Multiple sources in the security field have reported today that LinkedIn was hacked and that the list of password hashes was posted on a forum. I can also add myself to @ErrataRob's findings, confirming that my password was on that list.
At this time the files posted on the forum have been taken down, and LinkedIn has now confirmed that "some" of the user passwords are real.
Here is a small excerpt from the dump:
These passwords are stored as the output of a cryptographic hash function called SHA-1. A hash function is a one-way mathematical function that takes an arbitrary block of data and returns a fixed-size bit string; for SHA-1 that is 160 bits, written as 40 hexadecimal characters.
You cannot run SHA-1 backwards to get the password out of the digest, so attackers go the other way: they compute the hashes of large numbers of candidate passwords ahead of time and then look each leaked digest up in that precomputed table (a rainbow table is a space-compressed form of such a lookup table). Because the leaked LinkedIn hashes are unsalted, one precomputed table works against every account in the dump. Such tables, and online lookup services built on them, are widely available on the Internet, including http://www.onlinehashcrack.com/
If your password is simple, it's pretty likely that its hash is already stored in a rainbow table.
So I calculated my SHA-1 hash by using the following command on my laptop.
echo -n 'mypassword' | openssl sha1
This command calculates the one-way SHA-1 hash of my password and prints the 40-character hex digest. The -n matters: without it echo appends a newline, which is hashed too and produces a different digest.
I then stripped the first 6 characters from the hash and looked it up in the combo_not.txt file that contained the compromised list of passwords.
YCombinator has a post that explains what the initial "0"s in the hashes mean and why I deleted the first 6 characters.
So the LinkedIn hack is real and you need to change your password NOW. If you happen to use that password for other websites, change those too and do not use that password again.
How could LinkedIn have prevented this:
Not only did the access controls LinkedIn had in place prove insufficient, but they apparently had no detective controls to alert them that the breach had occurred, judging by their public responses and the silly statements that no evidence of a breach had been found.
Furthermore, LinkedIn could have made precomputed lookup tables useless by salting the stored hashes: a random per-user value is hashed together with the password, so the same password produces a different digest for every user, and an attacker has to redo the hashing work for each account instead of once for the whole dump. Storing passwords as hashes is standard in web applications, but an unsalted fast hash like SHA-1 gives little protection. Salting does not rescue weak passwords by itself (a per-user dictionary run still finds "123456"), which is why it should be combined with a deliberately slow password hash such as bcrypt or PBKDF2.
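Here is the whole procedure as a worked example. This is an added Python script, not code from the original post or from LinkedIn; the five-word wordlist, the three-line stand-in for the dump and the salt value are all constructed for the example rather than taken from the real files. It precomputes SHA-1 digests for the candidate passwords, matches leaked digests on their tail after dropping the first 6 characters as the post does, and then shows why salting breaks that reuse: the precomputed table misses the salted hash of the same weak password, and the attacker has to rehash the wordlist per user instead.

```python
import hashlib
from typing import Optional

# Constructed wordlist for this example; a real attacker uses millions of candidates.
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty"]

# Number of leading hex characters ignored when matching. Part of the dump had the
# start of the digest overwritten with zeros; the post matches on the remainder of
# the digest after dropping the first 6 characters, and so does this code.
MASK_PREFIX_LEN = 6


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, the same value `echo -n pw | openssl sha1` prints."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_sample_dump() -> list:
    """Constructed stand-in for the leaked file: two weak passwords (one with its
    leading characters zeroed, as some lines in the dump were) and one strong
    password that is not in the wordlist."""
    return [
        sha1_hex("password"),
        "00000" + sha1_hex("linkedin")[5:],
        sha1_hex("kX9#vRl2!qT4"),  # not in WORDLIST, so it must not crack
    ]


def build_lookup_table(wordlist) -> dict:
    """Precompute digest-tail -> password once. Against unsalted hashes this single
    table is reusable against every account in the dump (a rainbow table is a
    space-compressed form of the same idea)."""
    return {sha1_hex(pw)[MASK_PREFIX_LEN:]: pw for pw in wordlist}


def crack_dump(dump_lines, table) -> dict:
    """Reverse-look-up each leaked digest in the precomputed table.
    Returns {leaked_digest: password} for every hit."""
    hits = {}
    for line in dump_lines:
        digest = line.strip().lower()
        if len(digest) != 40:
            continue  # skip anything that is not a bare SHA-1 digest
        password = table.get(digest[MASK_PREFIX_LEN:])
        if password is not None:
            hits[digest] = password
    return hits


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """What salting changes: the salt is hashed together with the password, so the
    digest of 'password' differs per user and matches no precomputed table.
    Illustrative construction only; a real deployment should use a slow password
    hash such as bcrypt or PBKDF2 rather than plain salted SHA-1."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def lookup_salted(salted_digest: str, table) -> Optional[str]:
    """Try the precomputed (unsalted) table against a salted digest; expected to miss."""
    return table.get(salted_digest[MASK_PREFIX_LEN:])


def crack_salted(salted_digest: str, salt: bytes, wordlist) -> Optional[str]:
    """With a salt the attacker must rehash the whole wordlist for this one user;
    the precomputation is no longer shared across accounts."""
    for pw in wordlist:
        if salted_sha1_hex(pw, salt) == salted_digest:
            return pw
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    for digest, pw in crack_dump(make_sample_dump(), table).items():
        print(f"{digest}  ->  {pw}")
    salt = bytes.fromhex("0123456789abcdef")  # constructed; use os.urandom(16) for real
    d = salted_sha1_hex("password", salt)
    print("precomputed table vs salted hash:", lookup_salted(d, table))
    print("per-user rehash vs salted hash:  ", crack_salted(d, salt, WORDLIST))
```

The last line of output is the caveat in practice: the per-user rehash still recovers "password". Salting removes the shared precomputation, not the weakness of the password, so the per-guess cost has to come from a slow hash.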
It would help LinkedIn’s reputation to be as forthcoming as they can with what they know as they know it.
UPDATE: Link to mirror forum here.