Amiga.org
The "Not Quite Amiga but still computer related category" => Alternative Operating Systems => Topic started by: Piru on June 06, 2012, 01:10:42 PM
-
The unsalted SHA-1 password hashes of linkedin.com service have been posted to a hacker forum.
While there is no way to verify if this is for real, it so far does look legit.
As a precaution all linkedin.com users should change their passwords - NOW.
-
Thanks for the alert. Done.
-
Salted or not, I'm just happy to find out that they DO hash their passwords instead of storing them in plain-text. I had a complex password before, and now it's even more complex. Makes using the mobile site difficult but, oh well.
-
Thanks Piru. Changed mine.
BTW, maybe it should be a nice topic to ask everyone to share their own LinkedIn Profiles.
http://www.linkedin.com/pub/heitor-barcellos/0/2b0/b52
-
Do they have the matching username to every password?
-
I quickly trashed my LinkedIn account before anyone else could! Not being in the job market I never use my LinkedIn account.....
-
Do they have the matching username to every password?
The hackers who breached the system - most definitely yes. They likely also have the email address associated with the account.
They haven't released the usernames in public, at least not yet.
The 7.x million hash list that has been circulating appears to contain the remaining, yet-to-be cracked hashes.
-
How can I check if I'm on the hacked list, any direct link to the list?
I used to check lulzsec when they were hacking like crazy.
I don't even remember if I have an account with LinkedIn.
-
How can I check if I'm on the hacked list, any direct link to the list?
There's no way really, as the hash list passed around is incomplete. Since it is incomplete, any such check would be in vain (just because you're not on the incomplete list doesn't make you safe, since your password might already be cracked regardless).
A word of warning BTW: Do not enter your password into any "online checker". Such scams will inevitably pop up soon after incidents like this. Many will happily give out their passwords to such services... uh oh.
-
There's no way really, as the hash list passed around is incomplete. Since it is incomplete, any such check would be in vain (just because you're not on the incomplete list doesn't make you safe, since your password might already be cracked regardless).
A word of warning BTW: Do not enter your password into any "online checker". Such scams will inevitably pop up soon after incidents like this. Many will happily give out their passwords to such services... uh oh.
Man, they don't waste any time do they?
-
Another thing to note is that if you used the same password for other things, change those right away and destroy that password. A while back a comparison was made between several leaked password lists and it was found that something like 83% of credentials were shared across multiple services... including the email account to which the other accounts were linked.
-
Another thing to note is that if you used the same password for other things, change those right away and destroy that password. A while back a comparison was made between several leaked password lists and it was found that something like 83% of credentials were shared across multiple services... including the email account to which the other accounts were linked.
Yup. Sound security advice here. Don't reuse passwords in this fashion, folks.
I just noticed I had accidentally set the same username/password combo for LinkedIn and its associated email address. Oops. Just changed them both (to different things, like they should have been in the first place). So while it sucks that the list was leaked, it caused me to find my own security mishap before anyone else did. Yay! :D
-
The unsalted SHA-1 password hashes of linkedin.com service have been posted to a hacker forum.
While there is no way to verify if this is for real, it so far does look legit.
As a precaution all linkedin.com users should change their passwords - NOW.
I think I will keep it just as an excuse for when I want to do something bad (tm) with my LinkedIn account. It wasn't me, somebody must have cracked my password :)
greets,
Staf.
-
Considering quitting my LinkedIn account atm - storing unsalted hashes nowadays should be considered a major offense. Just brainless.
-
Thanks for the alert Piru. I wouldn't have known otherwise. Did the needful.
-
Salted or not, I'm just happy to find out that they DO hash their passwords instead of storing them in plain-text. I had a complex password before, and now it's even more complex. Makes using the mobile site difficult but, oh well.
I just saw today KeePass, a password manager is available as well on smartphones :)
-
KeePass is great, highly recommended.
-
Ah, that's why I've been getting spam emails from LinkedIn this past week!
Thanks for the heads up Piru.
-
Thanks for the heads up, didn't hear about this. According to http://mashable.com/2012/06/06/linkedin-passwords-hacked-confirmation/ if your account was one of those compromised, you won't be able to log in and you should get an email from LinkedIn. I didn't get an email, but I've still changed my password anyway :)
-
I just saw today KeePass, a password manager is available as well on smartphones :)
Thanks. Generally speaking I dismiss recommendations like this because I don't run Phone, Android, or iPhone, so some of my capabilities are stymied by my insistence on sticking with a feature phone.
Lo and behold!
KeePass for J2ME | Free software downloads at SourceForge.net
http://sourceforge.net/projects/keepassj2me/
-
Given the wankfest LinkedIn is, how would you know it was hacked?
-
A whole bunch of passwords changed. If it wasn't necessary, it was time anyway.
-
Welp, dammit, my password is definitely in the list.
-
It appears that last.fm passwords might have been leaked as well: http://www.last.fm/passwordsecurity
-
If you are curious of the status of your now hopefully changed PW/account, visit:
http://leakedin.org/
Examine the source if you are wary of such things, and obviously do not enter your new PW.
-
If you are curious of the status of your now hopefully changed PW/account, visit:
http://leakedin.org/
Examine the source if you are wary of such things, and obviously do not enter your new PW.
I recommend you do not. If your password hash wasn't leaked before, it will be after you use this "service".
The site also incorrectly claims your password is not yet cracked. "Your password was leaked, but it has not (yet) been cracked."
There is no way for the site to know this, and this is thus extremely misleading.
Here's the linkedin blog post about the incident: http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
-
Some info about the recent leaks can be found from https://twitter.com/#!/CrackMeIfYouCan
For instance it seems that the leaks are much older than thought. Interesting stuff.
-
If you need to find out whether your password has leaked, you can safely use PHP's sha1() function and then google the hash.
I've already found mine but that didn't really surprise me since it's probably among the first 1000 tested in a dictionary attack anyway - LinkedIn didn't seem to require a more 'serious' password, and right I was as it seems.
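The thread keeps coming back to two points: that LinkedIn stored bare, unsalted SHA-1 (the "major offense" post above), and that you can hash your own password locally to see whether it is on a leaked list without handing it to an "online checker". The following Python is an added example written for this page, not code from any of the posters; the usernames, passwords, the tiny "weak dictionary" and the constructed leak are all made up. It shows why an unsalted hash falls to a precomputed table in a single lookup, why a per-user salt defeats that table, and how an offline check of your own hash looks (with the caveat from the thread that a miss on an incomplete list proves nothing).

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample data: the kind of passwords a dictionary attack tries first.
# None of these values come from the real LinkedIn dump.
WEAK_DICTIONARY = ["password", "123456", "linkedin", "letmein", "qwerty"]


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 digest of raw bytes."""
    return hashlib.sha1(data).hexdigest()


def store_unsalted(password: str) -> str:
    """The scheme the thread complains about: bare SHA-1 of the password, no salt."""
    return sha1_hex(password.encode("utf-8"))


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt prepended to the password; stored as 'salthex$digest'."""
    if salt is None:
        salt = os.urandom(16)
    return salt.hex() + "$" + sha1_hex(salt + password.encode("utf-8"))


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    candidate = sha1_hex(bytes.fromhex(salt_hex) + password.encode("utf-8"))
    return hmac.compare_digest(candidate, digest)


def precomputed_table(words: Iterable[str]) -> Dict[str, str]:
    """Unsalted digest -> word. Built once, then reused against every leaked hash."""
    return {store_unsalted(w): w for w in words}


def match_against_table(hashes: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """One dictionary lookup per leaked hash; no hashing work at lookup time."""
    return {h: table[h] for h in hashes if h in table}


def local_leak_check(password: str, leaked_hashes: Iterable[str]) -> bool:
    """Offline check of your own password: hash locally, compare locally, send nothing.

    A False result only means the hash is absent from *this* list; the thread
    notes the circulating list is incomplete, so absence is not safety.
    """
    return store_unsalted(password) in set(leaked_hashes)


def demo() -> dict:
    """Constructed 'leak' of three users, two of whom chose the same weak password."""
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3-xyz"}
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}

    table = precomputed_table(WEAK_DICTIONARY)
    cracked = match_against_table(unsalted.values(), table)
    # Salted records: strip the salt and look the digest up in the same table.
    salted_hits = match_against_table((s.split("$", 1)[1] for s in salted.values()), table)

    return {
        # Unsalted: identical passwords are visible as identical hashes.
        "same_password_same_unsalted_hash": unsalted["alice"] == unsalted["bob"],
        # Salted: the same password yields different stored values per user.
        "same_password_same_salted_hash": salted["alice"] == salted["bob"],
        "unsalted_cracked_users": sorted(u for u, h in unsalted.items() if h in cracked),
        "salted_table_hits": len(salted_hits),
        "salted_login_still_works": verify_salted("password", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt only removes the precomputed-table shortcut; because SHA-1 is fast, each salted record can still be guessed individually at high speed, which is why a deliberately slow password hash rather than a plain salted SHA-1 is the accepted fix. Using `hmac.compare_digest` in `verify_salted` avoids leaking timing information during the comparison.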