Report: 6.5 million LinkedIn passwords stolen

“Wednesday brings reports of further security woes for LinkedIn, as Norwegian site Dagens IT carries a warning that 6.5 million encrypted passwords from the professional networking site have been posted to a Russian hacker forum,” Electronista reports.

“The passwords are said to be in an easily-crackable encryption format, and the files posted to the hacker site may contain user data as well,” Electronista reports. “In a post this afternoon on the LinkedIn Blog, the company confirmed that some LinkedIn account passwords had been compromised.”

Electronista reports, “LinkedIn has deactivated the passwords for affected accounts and sent out an email for the owners of those accounts to reset their passwords… Further, LinkedIn noted that the site has recently implemented improved security protocols. Passwords for LinkedIn accounts are now encrypted in a manner that includes both hashing and salting.”

Read more in the full article here.

22 Comments

  1. “The passwords are said to be in an easily-crackable encryption format”

    That’s completely false unless you used a dictionary word or something very close to one. SHA-1 is a hash which can’t be reversed. It is subject to a rainbow attack, which requires a predefined dictionary. If your password isn’t in their dictionary it will never be cracked (at least in the next few years). If it is, then shame on you.

    1. Say what now?

      Linkedin used the unsalted SHA-1 (broken) hash function. Except for MD5 that’s about the least secure thing Linkedin could’ve possibly done. I’ve got a Polish guy at work who I’ve seen break one of those (legally, for our client) in mere seconds. Heck, my own merely average computer can check about 680 million possible passwords per second. Most people use obvious passwords or simple enough passwords that cracking *is* easy.

      I ran a quick hash on my own password and checked that result with leakedin.org and my original password has already been posted and cracked. If you have a linkedin account change your password, now. Every single one of those passwords that’s been cracked (easily) just gets added to existing rainbow tables and if you use that password anywhere else you’ve made it easier for hackers everywhere to crack the next target.

    1. … street-slang (rustic north, 40 years past) but have been thinking about basing a new set on Gaeilge. With additional hashing, of course … don’t want things to be TOO easy.
      😉

  2. “easily-crackable encryption” wow. These idiots at LinkedIn!
    Any social site, since they have so many users, should be ashamed and boycotted for disrespecting their users, their livelihood, if they use weak encryption.

    How could LI use such cheap encryption?!

    No wonder Apple has such loyal fans; they respect clients more. So whoever shouts at Apple for “closed” systems should suck a droid and shut up, because shouldn’t one rather be in peace of mind & productive than fidget with viruses or crashes?! Life’s too short for anything less!

    Technology has no point if it encumbers & suffocates or wastes any time!

  3. Are we CERTAIN this is for real?

    I have two accounts on Linked In, and I didn’t get any emails from them. But I DID get a number of emails today that are CLEARLY spam asking if I want to reset my Linked In password.

    Since hacking is all about social engineering, I’m wondering if this story itself is part of the hack? If it is, it’s pretty ingenious, I must say.

    Fortunately, my Linked In password is unique to that site, and won’t get anyone anywhere. My wife, however, uses her LinkedIn password on a number of different sites (none of which involve banking, fortunately).

  4. MD5 and SHA-1 are both known to be broken. Why anyone would use them is beyond me … especially unsalted. SHA-256/224 or SHA-512/384 salted would have been a better choice, or better yet, algorithms like PBKDF2 and bcrypt are even better (both of which add time to calculating a digest, meaning rainbow table attacks at only 2 attempts per second are utterly worthless).

    1. Should have added to @JM that some reliable crypto sites are already reporting that it’s known that more than 3.5 million of the nearly 6.5 million passwords dumped have already been cracked. That’s how easy SHA-1 unsalted is to crack. I expect by morning they’ll all be done.

  5. So NOW they are salting their passwords. That makes me feel REAL confident. Idiots.

    Now I have to change my password there, and on any other website where I used the same password and log in with an email listed on Linked In. I don’t reuse passwords for banking and online stores, but there are still many websites where I prefer to reuse an easy-to-remember password just because it’s easy.

    If you don’t know, salting is just adding random characters to passwords before encrypting them. That way, stealing the encrypted password and breaking the encryption aren’t enough to figure out the password. It’s user authentication 101, and it only takes at most 15 minutes to program. There’s no excuse for a major website with millions of users to not do it.
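Comments 1, 4 and 5 above argue over the same point from different angles: an unsalted SHA-1 hash lets one precomputed dictionary table crack every account at once, while a per-user salt plus a deliberately slow, iterated hash (PBKDF2 is the one named in comment 4) forces an attacker to redo the work for every account and every guess. The Python below is an added example written for this page, not code from LinkedIn, Electronista or any of the commenters; the user records, the wordlist and the iteration count are constructed for illustration, and the salted scheme is PBKDF2-HMAC-SHA256 from the standard library rather than whatever LinkedIn actually deployed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not from the leaked dump): username -> plaintext password.
USERS = {"alice": "linkedin", "bob": "Summer2012", "carol": "xK7#v!q92Lp@"}

# Constructed wordlist standing in for a cracker's dictionary.
WORDLIST = ["password", "123456", "linkedin", "Summer2012", "letmein"]

# Assumed work factor for the salted scheme; real deployments tune this to the hardware.
ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """The scheme the commenters describe: a single SHA-1 over the password, no salt.
    This hex digest is also what you would look up against a leaked-hash list."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored: dict, wordlist) -> tuple:
    """Dictionary attack on unsalted hashes.

    One table of hash(word) is built once and then answers every stored hash,
    so the cost is len(wordlist) hash computations regardless of how many
    accounts were dumped. Returns (cracked, hash_computations).
    """
    table = {sha1_unsalted(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def pbkdf2_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash: a fresh random salt per user and PBKDF2-HMAC-SHA256.
    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: dict, wordlist) -> tuple:
    """The same dictionary attack against salted records.

    There is no shared table: each account's salt is different, so every
    (account, word) pair is a separate PBKDF2 run of ITERATIONS HMAC calls.
    Returns (cracked, pbkdf2_runs); multiply runs by ITERATIONS for the real cost.
    """
    cracked = {}
    runs = 0
    for user, record in stored.items():
        for word in wordlist:
            runs += 1
            if verify_salted(word, record):
                cracked[user] = word
                break
    return cracked, runs


if __name__ == "__main__":
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    cracked, cost = crack_unsalted(unsalted, WORDLIST)
    print("unsalted SHA-1:", cracked, "in", cost, "hash computations")

    salted = {u: pbkdf2_salted(p) for u, p in USERS.items()}
    cracked, runs = crack_salted(salted, WORDLIST)
    print("salted PBKDF2:", cracked, "in", runs, "runs of", ITERATIONS, "iterations each")
```

Both attacks recover the two dictionary passwords and neither recovers Carol's, which is the "shame on you" point from comment 1; the difference is in the cost column. The unsalted table is five SHA-1 calls for any number of accounts, which is why 3.5 million of the dump could fall so quickly. The salted run is one PBKDF2 evaluation per account per guess, each of them ITERATIONS HMAC calls, and a lookup table built for one account is useless against the next one.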
