
LinkedIn Breached, Violated, Squashed - 60% Passwords Stolen and Cracked




Attention LinkedIn users: your privacy has been breached. Millions of internet users can now see your password hash posted online, and for the hashes that have already been cracked, the password itself. Do not assume you are safe from this epidemic. LinkedIn has confirmed the news and has stated that passwords that are reset will now be stored in a salted format. Technically, this means the password is not stored in the clear but as a hash (not "encrypted", since there is no key and nothing to decrypt), with a random string of characters, the salt, mixed in before hashing. The salt is stored next to the hash, so the site can still verify logins, but identical passwords no longer produce identical hashes and an attacker can no longer crack the whole dump with one precomputed lookup table; every entry has to be attacked separately, which makes the password-cracking process a pain in the neck for the hacker. An example of a salted hash can be seen in the image below.



LinkedIn users must be throwing tantrums, screaming at the top of their lungs, "Why God? Why?", and some pessimist peers of ours repeating the same two words over and over while cradling themselves in their arms, "Why me? Why me?" Well, Imperva has an answer for you which makes a lot of sense, even if it doesn't fix things (sort of).

According to Imperva:

  • The passwords weren’t properly protected. The hashes, in geek speak, were unsalted SHA-1 hashes. Not salting is a bad practice that we detailed in last month’s report on the Militarysingles breach. Salting, in layman’s terms, complicates the process of a hacker cracking a password. Not only do you encrypt the password, but append it with a random string of characters so even if those passwords are revealed, they look like gobbledygook.
  • LinkedIn was probably breached but the password database doesn’t indicate this specifically.  Many of the passwords contained a high volume of the word, or a variation of the word, “linkedin”.  This indicates that the pool of passwords comes from LinkedIn, though the hacker hasn’t specifically made such a connection.  The password set shows:
    • 13 passwords contained “linkedin”
    • 509 passwords contained “linked”
    • 1134 passwords contained “link”

Imperva suggests that the breach could be much larger than the already whopping figure of 6.5 million. They give two reasons for their theory:


1. The list doesn't contain any of the easy passwords such as 123456 (the most used password in the history of passwords). A real dump of 6.5 million users would certainly include them, so the published list is probably only the part the hacker could not crack on their own.

2. Every hash appears only once. Hashing the same password without a salt always gives the same hash, so duplicates collapse into one entry, and we are left guessing how many users shared a given password.

After this massacre, the SophosLabs geniuses did a little research of their own, testing which passwords were commonly used among the 6.5 million entries and should never be used by anyone. According to their study, only two passwords from the 6.5 million, "mypc123" and "ihavenopass", were unique and not used by anyone else; they are the lucky winners of the day. Unfortunately, these, too, were cracked. You can also find our list of the top 50 passwords that can get you hacked instantly here.



SophosLabs reports:


"After removing duplicate hashes, SophosLabs has determined there are 5.8 million unique password hashes in the dump, of which 3.5 million have already been brute forced. That means over 60% of the stolen hashes are now publicly known."
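The following is an added example, not code from the original post, from Imperva or from SophosLabs. It ties together the points made above: why unsalted SHA-1 lets one dictionary pass crack every user at once while a per-user salt forces the attacker to redo the work for each entry, how a dump of unsalted hashes is de-duplicated before counting, how the "percentage cracked" figure in the SophosLabs quote is arrived at, and how Imperva-style substring counts ("linkedin", "linked", "link") are taken over the recovered plaintexts. The sample passwords and the tiny wordlist are constructed for the demonstration and are not real leaked data; all function names are the example's own.

```python
import hashlib
import os

# Constructed sample standing in for the user base. Duplicates are deliberate
# so the de-duplication step has something to do. Not real leaked passwords.
SAMPLE_PASSWORDS = [
    "linkedin123", "ilovelinkedin", "password1", "123456", "123456",
    "link2012", "mypc123", "ihavenopass", "Tr0ub4dor&3", "password1",
]

# Tiny constructed cracking dictionary; a real attack uses wordlists plus rules.
WORDLIST = ["123456", "password1", "linkedin123", "link2012", "ilovelinkedin", "qwerty"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_dump(passwords):
    """What LinkedIn stored: one unsalted SHA-1 per password. Identical
    passwords collapse to identical hashes, which is why the dump can be
    de-duplicated and why one lookup table cracks every user at once."""
    return [sha1_hex(p.encode()) for p in passwords]


def salted_dump(passwords, salt_len=16):
    """Per-user random salt stored beside the hash. Same password, different
    hash, so an attacker must redo the dictionary for every single entry."""
    out = []
    for p in passwords:
        salt = os.urandom(salt_len)
        out.append((salt.hex(), sha1_hex(salt + p.encode())))
    return out


def crack_unsalted(hashes, wordlist):
    """Dictionary attack on unsalted hashes: hash each candidate ONCE and look
    it up against every target. Cost is about len(wordlist) hash operations,
    independent of how many hashes are in the dump."""
    table = {sha1_hex(w.encode()): w for w in wordlist}
    return {h: table[h] for h in set(hashes) if h in table}


def crack_salted(entries, wordlist):
    """Same attack against salted hashes: every candidate must be re-hashed
    with each entry's own salt, so cost grows as len(wordlist) * len(entries).
    Returns (cracked, number_of_hash_operations)."""
    cracked = {}
    hash_ops = 0
    for salt_hex, h in entries:
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            hash_ops += 1
            if sha1_hex(salt + w.encode()) == h:
                cracked[h] = w
                break
    return cracked, hash_ops


def dump_stats(hashes, cracked):
    """The SophosLabs arithmetic: de-duplicate, count cracked unique hashes,
    express that as a percentage of the unique hashes."""
    unique = set(hashes)
    n_cracked = sum(1 for h in unique if h in cracked)
    return {"total": len(hashes), "unique": len(unique), "cracked": n_cracked,
            "pct_cracked": round(100.0 * n_cracked / len(unique), 1)}


def substring_tally(plaintexts, needles=("linkedin", "linked", "link")):
    """Imperva-style count of recovered passwords containing each needle.
    The counts nest: every 'linkedin' hit is also a 'linked' and a 'link' hit."""
    return {n: sum(1 for p in plaintexts if n in p.lower()) for n in needles}


if __name__ == "__main__":
    hashes = unsalted_dump(SAMPLE_PASSWORDS)
    cracked = crack_unsalted(hashes, WORDLIST)
    print("unsalted:", dump_stats(hashes, cracked))
    print("substring counts:", substring_tally(cracked.values()))
    salted = salted_dump(SAMPLE_PASSWORDS)
    cracked_s, ops = crack_salted(salted, WORDLIST)
    print(f"salted: {len(cracked_s)} of {len(salted)} cracked using {ops} hash "
          f"operations, versus {len(WORDLIST)} for the whole unsalted dump")
```

With the constructed input, the unsalted dump de-duplicates from 10 entries to 8 unique hashes, of which the six-word dictionary cracks 5 (62.5%, the same shape as the "over 60%" figure above) using only 6 hash computations. The salted dump yields 10 distinct hashes even though the same passwords are in it, and the identical dictionary needs 36 hash computations to crack the 7 entries whose passwords are in the wordlist; the gap widens linearly with the number of users.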

LinkedIn is still investigating how far the hackers got on their joyride. It is quite possible that email addresses and other personal information were also stolen in the process.

God bless LinkedIn for not salting the passwords. We bloggers do need something to blog about, right? If you want to feel secure and create a strong, unbeatable, indestructible password, please click here.

About The Author


This article is written by Sindhiya Javed Junejo. She is one of the core members of RHA team. 

4 comments:

  1. Rafay, is there any way to check whether your account was hacked or not?

  2. @Hamza Azam

    If you have enough time on your hands, you can randomly check it from the published list online. However, it's strongly recommended to change your password, as your hashes will now have salts on them.

    However, there is a website that claims to have the 6.5 million passwords stored. You can confirm whether your password was leaked by entering the password into the following website:
    http://leakedin.org/

  3. So if I change my password, will my account be more secure than it is now?

  4. How can I decrypt the password that is published in encrypted form?


© 2016 All Rights Reserved by RHA Info Sec.
