LinkedIn breached: 6.5 million passwords compromised


Attention LinkedIn users: your passwords have been exposed. Millions of internet users can now download the leaked password hashes, many of which have already been cracked, so do not assume you are safe from this breach. LinkedIn has confirmed the news and has stated that passwords that are reset will now be stored in a salted format. In practice that means the password is hashed (not encrypted) together with a random string of characters, the salt, that is different for every account. An attacker who obtains the hashes can then no longer look them up in a precomputed table or crack every account that shares a password in one go; each hash has to be attacked separately, which makes the password-cracking process a pain in the neck for the hacker.

According to Imperva:

The passwords weren't properly protected.  The hashes, in geek speak, were unsalted sha1 hashes.  Not salting is a bad practice that we detailed in last month’s report on the Military singles breach.   Salting, in layman’s terms, complicates the process of a hacker cracking a password.  Not only do you encrypt the password, but append it with a random string of characters so even if those passwords are revealed, they look like gobbledygook.

LinkedIn was probably breached but the password database doesn’t indicate this specifically.  Many of the passwords contained a high volume of the word, or a variation of the word, “linkedin”.  This indicates that the pool of passwords comes from LinkedIn, though the hacker hasn’t specifically made such a connection.  The password set shows:

  • 13 passwords contained “linkedin”
  • 509 passwords contained “linked”
  • 1134 passwords contained “link”
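To make the salting point concrete (the explanation at the top of the post and Imperva's remark that the leaked hashes were unsalted SHA-1), here is an added example. It is not code from the original post, from LinkedIn or from Imperva, and the accounts, passwords and wordlist in it are constructed for illustration. It stores the same four passwords first as plain SHA-1, the way the leaked LinkedIn hashes were, then with a per-user random salt, and runs a simple wordlist attack against both stores, counting how many hash computations each attack needs. The `hardened_hash` function at the end goes one step beyond the post and shows a salted and deliberately slow password hash (PBKDF2-HMAC-SHA256 from the standard library), which is what a practitioner would actually deploy.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the LinkedIn dump): four accounts, two of
# which chose the same password, and a short wordlist standing in for the
# dictionary a cracker would feed to a tool like John the Ripper or hashcat.
SAMPLE_USERS = {
    "alice": "linkedin2012",
    "bob": "princess",
    "carol": "linkedin2012",   # same password as alice
    "dave": "Xq7#v9!pLm2zR",   # not in the wordlist; survives both attacks
}
WORDLIST = ["123456", "password", "princess", "linkedin",
            "linkedin2012", "ihavenopass"]


def unsalted_sha1(password: str) -> str:
    """What the leaked LinkedIn hashes were: plain SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt prepended to the password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """user -> hex hash. Equal passwords give equal hashes."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def store_salted(users: dict, salt_len: int = 16) -> dict:
    """user -> (salt, hex hash). The salt is not secret; it sits next to the hash."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)
        out[user] = (salt, salted_sha1(pw, salt))
    return out


def crack_unsalted(hashes: dict, wordlist: list) -> tuple:
    """Hash every candidate once, then every leaked hash is a free lookup."""
    table = {unsalted_sha1(w): w for w in wordlist}
    work = len(wordlist)                       # hash computations performed
    cracked = {u: table[h] for u, h in hashes.items() if h in table}
    return cracked, work


def crack_salted(records: dict, wordlist: list) -> tuple:
    """With salts the wordlist must be re-hashed for every single user."""
    cracked, work = {}, 0
    for user, (salt, h) in records.items():
        for w in wordlist:
            work += 1
            if salted_sha1(w, salt) == h:
                cracked[user] = w
                break
    return cracked, work


def hardened_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted *and* slow: PBKDF2-HMAC-SHA256. 600k iterations is the current
    OWASP figure; bcrypt, scrypt or Argon2 are equally good choices."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_hardened(password: str, salt: bytes, stored: bytes,
                    iterations: int = 600_000) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(hardened_hash(password, salt, iterations), stored)


if __name__ == "__main__":
    plain = store_unsalted(SAMPLE_USERS)
    print("unsalted: alice and carol share a hash:", plain["alice"] == plain["carol"])
    cracked, work = crack_unsalted(plain, WORDLIST)
    print(f"unsalted: cracked {cracked} with {work} hash computations")

    salted = store_salted(SAMPLE_USERS)
    print("salted:   alice and carol share a hash:",
          salted["alice"][1] == salted["carol"][1])
    cracked, work = crack_salted(salted, WORDLIST)
    print(f"salted:   cracked {cracked} with {work} hash computations")
```

Two things the run makes visible. In the unsalted store alice and carol have identical hashes, which is why a deduplicated dump like the one Imperva describes below hides how many accounts share a password, and why one wordlist pass cracks both of them at once. With salts, the same wordlist has to be run against every record, so the work grows with the number of accounts rather than the size of the dictionary. Salting alone does not make a fast hash like SHA-1 safe, though; a GPU still tries billions of salted SHA-1 candidates per second, which is why the hardened function uses a slow, iterated construction.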

Imperva suggests that the breach could be much larger than the already whopping figure of 6.5 million. They give two reasons for this:

1. The list contains none of the trivially weak passwords such as 123456 (consistently one of the most used passwords in any leaked set), which suggests that the posted hashes are only a subset of what was taken.

2. Every hash appears only once, so the list has been deduplicated and there is no way to tell how many accounts used any given password.

After the breach, SophosLabs did some research of its own, testing which passwords were commonly used among the 6.5 million and should never be used by anyone. Their study suggested that only two of the 6.5 million passwords, "mypc123" and "ihavenopass", were unique in the set and not used by anyone else. Unfortunately, those two were cracked as well.

