Six Million LinkedIn Passwords get Hacked


----------------

Password security is at the height of importance for individuals, but even MORE important for the people who you have those passwords with.

So you can understand why it’s a a bit scary that the social networking site for business connections, LinkedIn, was hacked and just this side of 6,458,020 passwords were accessed.

An unnamed individual, and former user of the professional connections website, revealed the passwords online as proof – granted, he published the list without the accompanying usernames. It appears he isn’t malicious, just resourceful enough to figure out their system.

Mashable spells out how this was accomplished.

The passwords are encrypted with the SHA-1 cryptographic hash function, used in SSL and TLS and generally considered to be relatively secure, but not foolproof. Unfortunately, it also seems that passwords are stored as unsalted hashes, which it makes it much easier to decipher them using pre-computed rainbow tables.

Unsalted hashes? Everyone likes a little seasoning on their hash right? Rainbow tables? Really? Are these real terms? Of course they are.

Of course this doesn’t bode well for LinkedIn after there was already some bad press about their iOS app and how it potentially violates user privacy in the way it handles calendar entries.

I am going to go change my LinkedIn Password and delete my calendar now. And yes, I will be wearing my tinfoil hat while I do it.





4 Responses to Six Million LinkedIn Passwords get Hacked

  1. Password strength has always been a lie. GMail, HotMail, Zappos, Card Systems and more have been hacked and leaked passwords. The typical hack isn't by attacking the password but by either bypassing it or attacking the storage of the password.

    Of course IT "professionals" (not the oldest profession, but one with great similarity – somebody gets screwed) put intrusive feel-good password complexity policies in place, partly because they can hide their incompetency behind this masquerade and -claim- they are doing all they can.

    If your IT folk insist on very complex passwords changed every 60 days or less, you should replace them. Not the policies, but the IT folk.

  2. I rarely visited LinkedIn, but went to change my password after this story broke. To my horror, they included in my contacts two employees of a company I, as a lawyer, am suing. I deposed the two people the month prior to my signing in. The only way they could have put my name and theirs together was by accessing my privileged email. I immediately closed my account.

  3. please do not confuse the facts. the list of hashes was uploaded on a forum, with a request of cracking as many as possible. no data about hacking linkedin there. people who cracked some of the passwords observed that many of those include phrases like 'linked' or 'linkedin', so they assumed they must come from linkedin.
    the original, anonymous uploader didn't mention the source of those hashes!