Amiga.org

The "Not Quite Amiga but still computer related category" => Alternative Operating Systems => Topic started by: Piru on June 06, 2012, 01:10:42 PM

Title: linkedin.com password hashes leaked - change your password
Post by: Piru on June 06, 2012, 01:10:42 PM
The unsalted SHA-1 password hashes of linkedin.com service have been posted to a hacker forum.

While there is no way to verify if this is for real, it so far does look legit.

As a precaution all linkedin.com users should change their passwords - NOW.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Matt_H on June 06, 2012, 01:42:40 PM
Thanks for the alert. Done.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: LoadWB on June 06, 2012, 02:22:45 PM
Salted or not, I'm just happy to find out that they DO hash their passwords instead of storing them in plain-text.  I had a complex password before, and now it's even more complex.  Makes using the mobile site difficult but, oh well.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: hbarcellos on June 06, 2012, 02:33:59 PM
Thanks Piru. Changed mine.
BTW, maybe it should be a nice topic to ask everyone to share their own LinkedIn Profiles.

http://www.linkedin.com/pub/heitor-barcellos/0/2b0/b52
Title: Re: linkedin.com password hashes leaked - change your password
Post by: sim085 on June 06, 2012, 03:11:00 PM
Do they have the matching username to every password?
Title: Re: linkedin.com password hashes leaked - change your password
Post by: persia on June 06, 2012, 03:23:27 PM
I quickly trashed my LinkedIn account before anyone else could!  Not being in the job market I never use my LinkedIn account.....
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Piru on June 06, 2012, 04:37:11 PM
Quote from: sim085;695464
Do they have the matching username to every password?

The hackers who breached the system - most definitely yes. They likely also have the email address associated with the account.

They haven't released the usernames in public, at least not yet.

The 7.x million hash list that has been circulating appears to contain the remaining, yet-to-be cracked hashes.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: amiman99 on June 06, 2012, 05:13:54 PM
How can I check if I'm on the hacked list, any direct link to the list?
I used to check lulzsec when they were hacking like crazy.
I don't even remember if I have an account with LinkedIn.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Piru on June 06, 2012, 05:20:43 PM
Quote from: amiman99;695479
How can I check if I'm on the hacked list, any direct link to the list?

There's no way really, as the hash list passed around is incomplete. Since it is incomplete, any such check would be in vain (just because you're not on the incomplete list doesn't make you safe, since your password might already be cracked regardless).

A word of warning BTW: Do not enter your password to any "online checker". Such scams will inevitably pop up soon after incidents like this. Many will happily give out their passwords to such services.. .. uh oh.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: runequester on June 06, 2012, 06:04:07 PM
Quote from: Piru;695480
There's no way really, as the hash list passed around is incomplete. Since it is incomplete, any such check would be in vain (just because you're not on the incomplete list doesn't make you safe, since your password might already be cracked regardless).

A word of warning BTW: Do not enter your password to any "online checker". Such scams will inevitably pop up soon after incidents like this. Many will happily give out their passwords to such services.. .. uh oh.


Man, they don't waste any time do they?
Title: Re: linkedin.com password hashes leaked - change your password
Post by: LoadWB on June 06, 2012, 06:53:24 PM
Another thing to note is that if you used the same password for other things, change those right away and destroy that password.  A while back a comparison was made between several leaked password lists and it was found that something like 83% of credentials were shared across multiple services... including the email account to which the other accounts were linked.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Ilwrath on June 06, 2012, 07:53:14 PM
Quote from: LoadWB;695486
Another thing to note is that if you used the same password for other things, change those right away and destroy that password.  A while back a comparison was made between several leaked password lists and it was found that something like 83% of credentials were shared across multiple services... including the email account to which the other accounts were linked.


Yup.  Sound security advice here.  Don't reuse passwords in this fashion, folks.  

I just noticed I had accidentally set the same username/password combo for linkedin and its associated email address.  OOoops.  Just changed them both (to different things, like they should have been in the first place).  So while it sucks that the list was leaked, it caused me to find my own security mishap before anyone else did.  Yay!  :D
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Fats on June 06, 2012, 09:40:29 PM
Quote from: Piru;695453
The unsalted SHA-1 password hashes of linkedin.com service have been posted to a hacker forum.

While there is no way to verify if this is for real, it so far does look legit.

As a precaution all linkedin.com users should change their passwords - NOW.


I think I will keep it just as an excuse when I want to do something bad (tm) with my LinkedIn account. It wasn't me, somebody must have cracked my password :)

greets,
Staf.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Zac67 on June 06, 2012, 11:00:33 PM
Considering quitting my LinkedIn account atm - storing unsalted hashes nowadays should be considered a major offense. Just brainless.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Fester on June 06, 2012, 11:38:33 PM
Thanks for the alert Piru. I wouldn't have known otherwise. Did the needful.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Speelgoedmannetje on June 06, 2012, 11:49:04 PM
Quote from: LoadWB;695458
Salted or not, I'm just happy to find out that they DO hash their passwords instead of storing them in plain-text.  I had a complex password before, and now it's even more complex.  Makes using the mobile site difficult but, oh well.

I just saw today KeePass, a password manager is available as well on smartphones :)
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Duce on June 06, 2012, 11:55:24 PM
KeePass is great, highly recommended.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: F1Lupo on June 07, 2012, 12:22:36 AM
ah that's why I've been getting spam emails from linkedin this past week!

thanks for the heads up Piru
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Pete_Noir on June 07, 2012, 12:39:06 AM
Thanks for the heads up, didn't hear about this. According to http://mashable.com/2012/06/06/linkedin-passwords-hacked-confirmation/  if your account was one of those compromised, you won't be able to log in and you should get an email from LinkedIn. I didn't get an email, but I've still changed my password anyway :)
Title: Re: linkedin.com password hashes leaked - change your password
Post by: LoadWB on June 07, 2012, 02:08:10 AM
Quote from: Speelgoedmannetje;695533
I just saw today KeePass, a password manager is available as well on smartphones :)


Thanks.  Generally speaking I dismiss recommendations like this because I don't run Phone, Android, or iPhone, so some of my capabilities are stymied by my insistence on sticking with a feature phone.

Lo and behold!

KeePass for J2ME | Free software downloads at SourceForge.net
http://sourceforge.net/projects/keepassj2me/
Title: Re: linkedin.com password hashes leaked - change your password
Post by: persia on June 07, 2012, 02:50:43 AM
Given the wankfest LinkedIn is, how would you know it was hacked?
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Ami_GFX on June 07, 2012, 04:52:17 AM
A whole bunch of passwords changed. If it wasn't necessary, it was time anyway.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: LoadWB on June 07, 2012, 07:34:16 AM
Welp, dammit, my password is definitely in the list.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Piru on June 07, 2012, 07:30:15 PM
It appears that last.fm passwords might have been leaked as well: http://www.last.fm/passwordsecurity
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Duce on June 07, 2012, 08:12:21 PM
If you are curious of the status of your now hopefully changed PW/account, visit:

http://leakedin.org/

Examine the source if you are wary of such things, and obviously do not enter your new PW.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Piru on June 07, 2012, 08:28:33 PM
Quote from: Duce;695641
If you are curious of the status of your now hopefully changed PW/account, visit:

http://leakedin.org/

Examine the source if you are wary of such things, and obviously do not enter your new PW.

I recommend you do not. If your password hash wasn't leaked before, it will be after you use this "service".

The site also incorrectly claims your password is not yet cracked. "Your password was leaked, but it has not (yet) been cracked."

There is no way for the site to know this, and this is thus extremely misleading.

Here's the linkedin blog post about the incident: http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Piru on June 07, 2012, 08:58:46 PM
Some info about the recent leaks can be found from https://twitter.com/#!/CrackMeIfYouCan

For instance it seems that the leaks are much older than thought. Interesting stuff.
Title: Re: linkedin.com password hashes leaked - change your password
Post by: Zac67 on June 07, 2012, 09:25:52 PM
If you need to find out whether your password has leaked, you can safely use PHP's sha1() function and then google the hash.

I've already found mine but that didn't really surprise me since it's probably among the first 1000 tested in a dictionary attack anyway - LinkedIn didn't seem to require a more 'serious' password, and right I was as it seems.
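
Added example, not part of any post in this thread and not LinkedIn's code: a Python sketch of why unsalted SHA-1 storage lets anyone match a password against a hash list, with the lookup done against a local copy so the password is never typed into a website, next to a per-user salted record for contrast. The function names, the sample passwords and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def unsalted_sha1(password):
    """Hex SHA-1 of the password alone: the storage scheme the thread describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def in_local_list(password, leaked_hashes):
    """Look the digest up in a locally held set; nothing leaves this process."""
    return unsalted_sha1(password) in leaked_hashes


def salted_record(password, iterations=200_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed sample data standing in for a downloaded hash list.
CONSTRUCTED_LIST = {unsalted_sha1(p) for p in ("linkedin2012", "amiga500")}

if __name__ == "__main__":
    # Unsalted: every user with this password has the same stored value,
    # so one list entry (or one search-engine hit) covers all of them.
    print(unsalted_sha1("amiga500") == unsalted_sha1("amiga500"))  # True
    print(in_local_list("amiga500", CONSTRUCTED_LIST))             # True
    print(in_local_list("a long unrelated phrase", CONSTRUCTED_LIST))  # False

    # Salted: two users with the same password get unrelated records,
    # so a digest cannot be looked up in a shared list.
    alice, bob = salted_record("amiga500"), salted_record("amiga500")
    print(alice[2] != bob[2])                 # True
    print(verify_salted("amiga500", alice))   # True
```

A miss against a partial list says nothing about whether the password is safe, which is the point made earlier in the thread about the circulated list being incomplete.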