LinkedIn Breached, Violated, Squashed - 60% of Password Hashes Stolen and Cracked

Attention LinkedIn users, your privacy has been breached. The hashes of millions of LinkedIn passwords have been posted online, and a large share of them have already been cracked, so don't comfort yourself with the false pretence that you are safe from this epidemic. LinkedIn has confirmed the news and has stated that passwords will now be stored in a salted format. In plain terms, that means each password is hashed (not encrypted: a hash is one-way and cannot be decrypted) together with a random string that is unique to that account, so a cracker can no longer use one precomputed table against every hash at once and has to attack each account's hash separately. An example of a salted password can be seen in the image below.

LinkedIn users must be throwing tantrums, screaming at the top of their lungs, "Why, God? Why?", while some of our more pessimistic peers rock themselves in their own arms repeating "Why me? Why me?" Well, Imperva has an answer for you that makes a lot of sense, even if it doesn't fix things (sorta).

According to Imperva:

  • The passwords weren’t properly protected. The hashes, in geek speak, were unsalted SHA-1 hashes. Not salting is a bad practice that we detailed in last month’s report on the Militarysingles breach. Salting, in layman’s terms, complicates the process of a hacker cracking a password. Not only do you encrypt the password, but append it with a random string of characters so even if those passwords are revealed, they look like gobbledygook.
  • LinkedIn was probably breached but the password database doesn’t indicate this specifically. Many of the passwords contained a high volume of the word, or a variation of the word, “linkedin”. This indicates that the pool of passwords comes from LinkedIn, though the hacker hasn’t specifically made such a connection. The password set shows:
      • 13 passwords contained “linkedin”
      • 509 passwords contained “linked”
      • 1134 passwords contained “link”

Imperva also suggests that the breached list could be much larger than the already whopping 6.5 million. They give two reasons:

1. The list doesn't include any of the easy passwords such as 123456 (the most used password in the history of passwords), which suggests the hacker had already cracked those and posted only the hashes that were still unbroken.

2. Every hash appears only once, so the dump is a list of unique hashes rather than one entry per account, and we are left guessing how many users actually chose each password.

After this massacre, the SophosLabs geniuses did a little research of their own, testing which passwords were commonly used among the 6.5 million hashes and should never be used by anyone. Their study suggested that only 2 of the 6.5 million passwords were unique and not used by anyone else: "mypc123" and "ihavenopass" are the lucky winners of the day. Unfortunately, these, too, were cracked and exploited.

SophosLabs reports:

"After removing duplicate hashes, SophosLabs has determined there are 5.8 million unique password hashes in the dump, of which 3.5 million have already been brute forced. That means over 60% of the stolen hashes are now publicly known."
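To make the numbers above concrete, here is a small Python script written for this post (it is not code from the original article, nor from LinkedIn, Imperva or Sophos) that reproduces the mechanics on a tiny, invented user list and wordlist. It shows why an unsalted SHA-1 dump is cheap to crack (one precomputed table of hash(word) matches every account at once), what Sophos did (dedupe the hashes, then report the cracked share), what Imperva did (count cracked plaintexts containing "linkedin", "linked" and "link"), and what changes once a per-account salt is added. The user names, passwords and wordlist are constructed for the example; the hash construction sha1(salt + password) is an assumption for illustration, not LinkedIn's actual scheme.

```python
import hashlib
import os
from collections import Counter

# Constructed sample "user database" (invented; not from the LinkedIn dump).
SAMPLE_USERS = [
    ("alice", "linkedin1"),
    ("bob", "password"),
    ("carol", "password"),      # same password as bob
    ("dave", "123456"),
    ("erin", "Tr0ub4dor&3"),    # not in the attacker's wordlist below
    ("frank", "link2012"),
    ("grace", "123456"),        # same password as dave
]

# Constructed attacker wordlist: a tiny stand-in for a real cracking dictionary.
WORDLIST = ["123456", "password", "linkedin", "linkedin1", "link2012", "qwerty"]


def sha1_hex(data: bytes) -> str:
    """SHA-1 is a one-way hash: there is no 'decrypt', only guess-and-compare."""
    return hashlib.sha1(data).hexdigest()


def unsalted_dump(users):
    """What leaked from LinkedIn: one bare SHA-1 per account, no salt, no username."""
    return [sha1_hex(pw.encode()) for _, pw in users]


def duplicate_counts(hashes):
    """Identical passwords give identical unsalted hashes, so counts are visible
    in a raw dump; they vanish once the dump is deduplicated."""
    return Counter(hashes)


def crack_unsalted(hashes, wordlist):
    """One precomputed table of hash(word) is checked against every hash at once.
    Dedupe first (as Sophos did) and report the cracked share of unique hashes."""
    table = {sha1_hex(w.encode()): w for w in wordlist}
    unique = set(hashes)
    cracked = {h: table[h] for h in unique if h in table}
    return {
        "total": len(hashes),
        "unique": len(unique),
        "cracked": len(cracked),
        "percent_cracked": 100.0 * len(cracked) / len(unique),
        "plaintexts": cracked,
    }


def brand_hints(plaintexts, tokens=("linkedin", "linked", "link")):
    """Imperva's attribution check: how many cracked passwords mention the site.
    The counts nest, since every 'linkedin' also contains 'linked' and 'link'."""
    return {t: sum(1 for p in plaintexts if t in p) for t in tokens}


def salted_dump(users):
    """Per-account random salt, stored next to the hash so login can recompute it.
    Assumed construction for illustration: sha1(salt || password)."""
    records = []
    for name, pw in users:
        salt = os.urandom(16)
        records.append((name, salt.hex(), sha1_hex(salt + pw.encode())))
    return records


def crack_salted(records, wordlist):
    """With salts there is no shared table: the attacker must rerun the whole
    wordlist per record. Weak passwords still fall, just one account at a time."""
    cracked = {}
    for name, salt_hex, h in records:
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            if sha1_hex(salt + w.encode()) == h:
                cracked[name] = w
                break
    return cracked


if __name__ == "__main__":
    dump = unsalted_dump(SAMPLE_USERS)
    result = crack_unsalted(dump, WORDLIST)
    print(f"unsalted: {result['unique']} unique of {result['total']}, "
          f"{result['cracked']} cracked ({result['percent_cracked']:.0f}%)")
    print("brand hints:", brand_hints(result["plaintexts"].values()))
    salted = salted_dump(SAMPLE_USERS)
    print("shared table vs salted hashes:",
          crack_unsalted([h for _, _, h in salted], WORDLIST)["cracked"], "cracked")
    print("per-record attack vs salted hashes:", len(crack_salted(salted, WORDLIST)), "cracked")
```

Two things worth noticing when you run it. The shared table cracks nothing once salts are in play, and bob and carol no longer share a hash, which is exactly what salting buys you. But the per-record attack still recovers every password that is in the wordlist, because salted SHA-1 is just as fast to compute as unsalted SHA-1; salting stops precomputed tables and cross-account reuse, not guessing. That is why password storage today uses a deliberately slow, salted hash such as bcrypt, scrypt or Argon2 rather than salted SHA-1.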

LinkedIn is still investigating how far the hackers got on their joyride. It is quite possible that email addresses and other personal information were stolen along with the hashes.

God bless LinkedIn for not salting the passwords. We bloggers do need to blog about something, right? If you need to feel secure and create a strong, unbeatable, indestructible password.
