6.5 million LinkedIn password hashes have been leaked, raising the fear that many more passwords have been breached. Many of the passwords are related to LinkedIn.
It’s still early days on the leaking of the 6.5 million LinkedIn password hashes. I’ve looked at the text file, and half of them are indeed SHA-1 hashes; the other half have the prefix “00000”, so they don’t seem to be valid hashes. It has been verified that many of them are for LinkedIn, either by people independently confirming that the SHA-1 hash of their password is in the list, or because many of the recovered passwords are related to LinkedIn, for example “Passwordlinkedin”, “supermanlinkedin”, “LINKEDIN.COM” and “Wwwlinkedin07”.
The person who originally posted the password hashes was asking for help to crack them. The hashes in the list are all unique, and there are no hashes for easy passwords such as dictionary words or simple variants such as “Password1”. This implies that the list of password hashes that was posted contained only the ones that hadn’t been cracked so far. Previous password dumps have shown that most people use fairly weak passwords. We can therefore assume that 6.5 million is the tip of the iceberg; it may be more than 50 million, or even the whole LinkedIn user database.
These hashes must have been copied from a database. That same database would also contain each LinkedIn user’s email address and other details. Why wouldn’t the attacker copy those too?
LinkedIn did “confirm that some of the passwords that were compromised correspond to LinkedIn accounts. […] These members will also receive an email from LinkedIn with instructions on how to reset their passwords.”
The blog entry is here:
It looks like they’ve cross-checked the leaked password hashes with their own user database and verified that these are for actual LinkedIn accounts. Given that someone breached LinkedIn and copied account details from a database, LinkedIn must be investigating how this happened. LinkedIn should be advising all users to reset their passwords, given that it is likely that far more than 6.5 million accounts were compromised.
LinkedIn also stated that “members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.”
Either LinkedIn introduced salting before the breach, in which case the attackers will likely have email addresses, salts and hashes that can still be cracked, or they introduced it afterwards, which means that the attackers still have valid passwords. In either case, a user will only have a salted hash if they have changed their password recently, because an existing unsalted hash cannot be re-hashed with a salt without knowing the plaintext. Unless LinkedIn cracked the easy ones themselves to do the salting!
Hopefully over the next few days LinkedIn will provide further information on the breach and also require all LinkedIn account holders who have not changed their password since the breach to do so.
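The two cases above, as an added illustration written for this post (not LinkedIn’s code, and not a description of how LinkedIn actually stores passwords): a constructed store of three accounts, a constructed table of already-cracked unsalted SHA-1 hashes of the kind the attackers now hold, and a password change that writes a salted record for one user. The salted record format `salt_hex:sha1(salt || password)` is an assumption made for the example. SHA-1 is used only because that is what the leaked list contains; a real password store should use a slow salted KDF such as bcrypt, scrypt or Argon2.

```python
import hashlib
import secrets

# Added illustration (not LinkedIn's code): what salting does and does not
# buy once unsalted SHA-1 hashes have already leaked.


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_record(password: str) -> str:
    """The pre-salting scheme: bare SHA-1 of the password."""
    return sha1_hex(password.encode("utf-8"))


def salted_record(password: str, salt: bytes) -> str:
    """Assumed record format 'salt_hex:sha1(salt || password)'."""
    return salt.hex() + ":" + sha1_hex(salt + password.encode("utf-8"))


def verify(record: str, password: str) -> bool:
    """Check a password against either record format."""
    if ":" in record:
        salt_hex, digest = record.split(":", 1)
        return sha1_hex(bytes.fromhex(salt_hex) + password.encode("utf-8")) == digest
    return unsalted_record(password) == record


def change_password(store: dict, user: str, new_password: str) -> None:
    """Only a password change lets the server write a salted record: it cannot
    turn an old unsalted hash into a salted one without the plaintext."""
    store[user] = salted_record(new_password, secrets.token_bytes(16))


def exposed_users(store: dict, cracked: dict) -> dict:
    """Users whose stored record appears directly in a table of
    already-cracked unsalted hashes (hash -> plaintext)."""
    return {user: cracked[rec] for user, rec in store.items() if rec in cracked}


def demo() -> tuple:
    # Constructed sample store: three accounts, two sharing a weak password.
    store = {
        "alice": unsalted_record("123456"),
        "bob": unsalted_record("123456"),
        "carol": unsalted_record("example-strong-passphrase"),
    }
    # Constructed 'cracked' table of the kind the post says the attackers hold.
    cracked = {unsalted_record("123456"): "123456"}

    before = exposed_users(store, cracked)      # alice and bob are exposed
    change_password(store, "alice", "new-passphrase-for-alice")
    after = exposed_users(store, cracked)       # only bob remains exposed
    return before, after, store


if __name__ == "__main__":
    before, after, store = demo()
    print("exposed before any change:", sorted(before))
    print("exposed after alice changes her password:", sorted(after))
    print("alice's salted record verifies:",
          verify(store["alice"], "new-passphrase-for-alice"))
```

Run it and the cracked table recovers both accounts that share “123456” before any change; after Alice changes her password her record no longer matches the table, while Bob’s unsalted record stays exposed until he changes his too, which is exactly why a forced reset for everyone who has not changed since the breach is the sensible course.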
UPDATE (11:29): After a bit more research, the half of the list with the prefix “00000” seems to be the hashes that have been cracked so far. For example, the SHA-1 hash for “123456” is “7c4a8d09ca3762af61e59520943dc26494f8941b”, and replacing the start with 5 zeros gives “00000d097c5c715d253c9e9fea40abcff7bd0e03”, which is in the password hash list. Other examples which have been cracked are “Password1”, “qwerty”, “sunshine” and “linkedin”.
This means that this may be the whole list of unique hashes. Given that many users will use the same weak passwords, the total number of compromised accounts may still be much higher than 6.5 million. LinkedIn seems to have checked only the unmasked (valid) hashes so far. LinkedIn should also check its password database against the zero-prefix hashes, masking the first five characters of each stored hash in the same way before comparing.
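The masking scheme described in the update, and the check it implies, as an added example (written for this post, not the poster’s or LinkedIn’s code): a loader that splits a hash list into its full and zero-prefixed halves, a user-side check of a candidate password against both halves, and a server-side scan of a stored hash table of the kind the update says LinkedIn should run. The hash list is constructed inline from known passwords so the example runs offline; the store layout (username to SHA-1 hex) is an assumption.

```python
import hashlib

# Added illustration (not the post's or LinkedIn's code): compare passwords and
# stored hashes against a leaked list in which cracked entries have their first
# five hex digits replaced by "00000".


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def zero_prefix(hash_hex: str) -> str:
    """Mask the first five hex digits, as the cracked entries in the list are."""
    return "00000" + hash_hex[5:]


def load_dump(text: str) -> tuple:
    """Split dump lines into full (uncracked) and masked (cracked) hashes.
    Lines that are not 40 hex digits are skipped."""
    full, masked = set(), set()
    for line in text.splitlines():
        h = line.strip().lower()
        if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
            continue
        (masked if h.startswith("00000") else full).add(h)
    return full, masked


def classify_hash(h: str, full: set, masked: set) -> str:
    """'uncracked' if the full hash is present, 'cracked' if only its masked
    form is, otherwise 'absent'. A genuine hash that happens to begin with
    00000 (about 1 in 1,000,000) lands in the masked set and is reported as
    cracked; the list format itself cannot tell the two apart."""
    h = h.lower()
    if h in full:
        return "uncracked"
    if zero_prefix(h) in masked:
        return "cracked"
    return "absent"


def check_password(password: str, full: set, masked: set) -> str:
    """User-side check: is the SHA-1 of this password in either half?"""
    return classify_hash(sha1_hex(password), full, masked)


def scan_store(store: dict, full: set, masked: set) -> dict:
    """Server-side check the update asks for: compare each stored hash against
    both halves, masking the stored hash the same way. Returns only hits."""
    hits = {}
    for user, stored in store.items():
        verdict = classify_hash(stored, full, masked)
        if verdict != "absent":
            hits[user] = verdict
    return hits


# Constructed sample dump: two cracked (masked) entries, one uncracked entry
# and one junk line that the loader must skip.
SAMPLE_DUMP = "\n".join([
    zero_prefix(sha1_hex("123456")),
    zero_prefix(sha1_hex("linkedin")),
    sha1_hex("example-not-yet-cracked"),
    "this line is not a hash",
])

if __name__ == "__main__":
    full, masked = load_dump(SAMPLE_DUMP)
    for pw in ["123456", "linkedin", "example-not-yet-cracked", "unrelated"]:
        print(pw, "->", check_password(pw, full, masked))
    # Constructed store of three accounts for the server-side scan.
    store = {"u1": sha1_hex("linkedin"),
             "u2": sha1_hex("example-not-yet-cracked"),
             "u3": sha1_hex("zzz-absent")}
    print(scan_store(store, full, masked))
```

Comparing only the unmasked half, as the update suggests LinkedIn has done, would miss “u1” here; masking each stored hash before the second comparison is what picks up accounts whose passwords have already been cracked.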