An archive reportedly containing the hashed passwords of more than six million LinkedIn accounts is circulating online. LinkedIn says it is still investigating the claims, but if you use LinkedIn, you may want to take a moment and change your password.
For those who wish to follow along, there are lengthy discussion threads on Reddit.com and ynewscombinator on the claimed password breach, which appears to have affected a small subset of LinkedIn’s user base of 140 million+ users. A number of my sources are now reporting having found their passwords in the archive.
A spokesperson at LinkedIn referred me to the company’s Twitter feed — @Linkedin — which states, “Our team continues to investigate, but we’re still unable to confirm that any security breach has occurred. Stay tuned.”
Update, 3:42 p.m. ET: LinkedIn just published a blog post acknowledging that “some of the passwords that were compromised correspond to LinkedIn accounts.” The company said affected members will find that their account passwords no longer work, and that these users will receive an email from LinkedIn with instructions on how to reset their passwords. LinkedIn cautions that there will not be any links in the emails, and that users should never change their passwords on any website by following a link in an email. LinkedIn also said affected users can expect to receive a second email “providing a bit more context on this situation and why they are being asked to change their passwords.”
Original post:
If you used your LinkedIn password at any other sites, you’ll want to change those passwords as well. For that matter, it’s a good idea to avoid sharing passwords between sites, at least those that hold potentially sensitive information about you.
For tips on choosing a good password, see this primer.
Also, my site is once again the target of a distributed denial of service (DDoS) attack. I am working on a more permanent solution to mitigating these attacks, but I mention this because several features of this site may not work as intended for the time being, such as voting on comments, RSS and the mobile version of this blog. Sorry for the inconvenience, folks.
Regarding dealing with DDOS, personally I’d like to read your full post in email so the web site is not must-on for readers. Of course you could put all the links to the email as the web page.
This is the reason I subscribe to KrebsonSecurity on my Kindle. It downloads all of the information onto my Kindle for me to read even while offline.
LinkedIn…
Revenue: $522 million (2011),
Employees: 2,447 (2012),
Slogan: Relationships Matter
… referred YOU to their Twitter feed? (*rofl*)
😉
Thank you for the heads-up, BK. Good luck with gremlin-proofing your website.
When I view the message from Donna, I see links, including this one:
—-> Change Your LinkedIn Password Now <—–
(http://LinkedIn-Makeover.us2.list-manage1.com/track/click?u=…………………&id=……..ee……..29&e=…..).
Of course, I didn't use the links in the message.
Hi,
Maybe a heretics idea, but I am not so sure about this change.
If I am LinkedIn user and have a good password (I mean one that is very long, with small and big letters, digits, special codes, etc, in it) and know, that whoever the attacker is they are using brute force (or rainbow tables if they some for lets say 12+ characters long passwords), then I can see no benefit from changing the password now.
Why?
Because I can see no sign/confirmation that LinkedIn already know how it was hacked and if the backdoor/ vulnerability/ hole/ malitious_insider have already been contained.
In my oppinion, having good unchanged password (even if its hash possibly leaked out) is better than risking, that there is some change_your_pwd_now_logger installed somewhere in their system, which can give the attacker easy way how to eliminate the need to fiddle with brute force or rainbow tables for passwords of all people who attempt to change it.
In short: Why shall I secure my password in that system, when I can not trust the system itself?
Well, this is all based on assumption, that the original password was very good. And if not? Then also make little sense to ask people to change it … because people who used bad passwords before will also use bad password afterwards.
I am afraid, that this blind “change your password now” will only lead to many successful phishing attacks but not to any improvement of the situation.
But of course, after LinkedIn confirms, that the problem is solved and they started to salt all hashes, and implemented password quality meter (like in Lotus Notes or PGP for instance) and automatically un-accept too stupid passwords then it makes sense to go for a new password.
What would make sense is to change passwords in all systems, where the user uses the same password (that is stupid but it is reality) immediately.
Cheers
Your comments are spot on Doomek! In my kindle ebook I support the idea of of strong unique passwords that do not require changing. Furthermore, the book supplies all necessary encrypted data – Create Secure Passwords Easily!
We know passwords have been stolen. It seems very likely that email addresses were stolen too as it’s hard to come up with a reasonable situation where one would be available without the other.
We don’t know the attack vector.
Therefore, changing your password (everywhere you use it in conjunction with your linkedin email address, not just on linkedin) is better than not changing it.
If they’ve managed a one-off grab of passwords, then you’ve saved a potential compromise or further compromise. If the exploit is still current, then you haven’t made anything worse.
Thanks as usual for the info. Anyone requiring guidance on passwords can take a look at my kindle ebook, Create Secure Passwords Easily, it will supply encrypted data for all accounts.
The problem is the exploding number of places requiring passwords with different change policies, with insane (when combined with the policy) strength requirements.
Our $Corp policy is: at least 12 characters long, letters, numbers, special characters uppercase and lowercase. Which makes for a nice strong password . Except we have to change it once a month. Unless there’s a breach, in which case we may have to change it immediately. Oh, and don’t record it anywhere…
Fortunately they only check to see if a few characters change from month to month.So I do “base passphrase+mm+yy+special char over the second month”. That base passphrase is used everywhere. Base password, too. That way I don’t have to walk around with a laminated card listing system:user:password…
A (growing) list of bad password policies form a variety of companies in a variety of industries.
http://kottke.org/12/06/the-worlds-worst-password-requirements-list
When a site’s password requirements say your new password can’t be too similar to a previous password, aren’t they admitting they’re being stored unencrypted?
No, they’re saying that if the password is compromised it’ll be added to the dictionary and obvious variations will be autogenerated.
“The company said affected members will find that their account passwords no longer work, and that these users will receive an email from LinkedIn with instructions on how to reset their passwords. ”
Well, I can tell my password hash is in the circulating list, but I didn’t get any word in any form from LinkedIn, and I just logged in with my leaked password.
I thought that was a pretty good response from LinkedIn, if a bit slow, but like you, I found my password hash in the list. I’m very confident that my password is unique but I was also able to log in and I’m still waiting for my email.
Has anyone received the email and/or had their account disabled?
I too found my password in the hash, and heard nothing from linkedin. Possibly because I’d already changed my password?
Easy way to find out is at LastPass’ new LinkedIn page…
https://lastpass.com/linkedin/
…or their eHarmony page (uses MD5 hash instead of SHA-1)
https://lastpass.com/eharmony/
FWIW, I found the hash of my PW in the dump, but have yet to receive an e-mail from LinkedIn.
Hey Brian, could you give us the specifics of the types of DDOS attacks you’re getting? DDOS isn’t really one of my specialties. In the event I look into countermeasures, it will help to know the specifics thing to counter.
Thanks Brian!
As for the DDoS at your site, I wonder if its zombies? I was reading a link about how another site noticed once it was posted to GoogleNews, a bunch of hits were flooding in.
Read this link for specifics and how they resolved it
http://tidbits.com/article/13022
Finding much on “dwdm” yet? Let’s hunt.
Last.fm is asking users to change passwords, and hackers were trying to take advantage of a second similar music site as well. I wonder if this is similar to the Gawker hack where they try usernames and passwords on similar sites (after they are cracked).
“LinkedIn cautions that there will not be any links in the emails, and that users should *never change their passwords on any website by following a link in an email*.”
So when I submit a “Forgot Password” request at LinkedIn, I shouldn’t click on the link in the email that LinkedIn sends me? Good to know.
“…have affected a small subset of LinkedIn’s user base of 140 million+ users”
AFAIK leaked base contains 6.5m UNIQUE hashes. How many unique passwords have 140m users? Not 140m. I’m afraid that file has much more then “small subset” of all passwords
Not necessarily. I encourage all of you to look up the linkedin report on lightbluetouchpaper. One thing they mentioned is the uniqueness means they might have run it through ‘uniq’ to reduce the damage done by leaking it. There were some other interesting statements over there.
How filtering off duplicates of unique passwords will reduce damage?
And who want to reduce damage? Hackers, who posted it and asked for help to crack such a big list? 🙂
I gave u source in case i misread or u wanted evidence. Lightbluetouchpaper is top research group. Check their site better use of ur time. I can type only so much in tiny box on fone.
“Most likely, the leaker intentionally ran it through ‘uniq’ in addition to removing account info to limit the damage” – this is utter bullshit.
‘uniq’ tool is just removing duplicates. It’s always used before cracking to speedup process. How it will limit damage? Why hacker want to limit damage? WTF?
It’s absolutely clean: they got the base, they strip names from name-password pairs, they asked for help to crack 6.5m hashes on forum. No risk at all – decrypted passwords are useless without names. Community helps with cracking, hackers have decrypted passwords and names. Bingo.
Also, about 45% of the hashes (by my count) start with 00000. The hash for “password” doesn’t show up in the database, but the hash for “password” with the first 5 characters changed to 0 does. It’s likely that those zeroed hashes are the ones which have already been cracked.
Some DDOS tricks for you Brian. Im at work on a fone so this is the best i can give u for now.
http://www.nbs-system.com/blog/ddos_counter_measures.html
as for your ddos problem… move to to cloudflare.
Good stuff from Brian and all the commenters.
For many years, my passphrases on various sites, 18 – 20 characters long, complex as the sites will allow.
Many sites however, are just stupid – they cap passwords at 10 – 12 chars and only use letters & numbers, no spec chars….
Personally, I’d rather have a longer passphrase than a short password that can be cracked with rainbox tables…
— I just hope that all the sites I use are encrypting their password files…. ;-[
The is also the issue of people who must enter passwords in a crowded area. If there is no way to enter a password on a two-handed keyboard without people looking over your shoulder, the best solution is a very long password that you have practiced enough to type it very fast, so an observer or even a cell-phone video won’t capture it. In order for the average person to type that fast, even if they know how to touch-type, making them change passwords frequently is counterproductive.
A more interesting issue is fingerprint scans. The fingerprint can’t be changed, of course. And it has to be converted to a digital signature, so it would be susceptible to cracking.
MOST EXCELLENT point!
Busy, crowded areas – OPSEC…
I have one laptop with a fingerprint scanner but the other is not – my next new PC will have a scanner on it so I will not have to type in passphrases in public areas.
Now I just have to ensure, as you pointed out, that that digital algorithm is encrypted…
Did they fix the known issues?
There seems to be at least 3 – iphone app, android app, and however this 6M ID leak happened.
Nobody is saying about the fix.
How do we know we won’t be back next week since this could be a persistent issue?
Here’s a good analysis I found: http://www.bkeyes.com/blog/?p=167
She mentions the list of passwords blocked by Twitter as if they are a list of most-used passwords. From the look of them, they include a list of passwords used by spammers using a popular robot-registration program to create fake accounts. I wonder how long that block list slowed them down?
Good to get this word out – I notified the people on the two LinkedIn groups I manage a few days ago.
But your password primer is out of date –
>Do not use words that can be found in the dictionary.
This includes any dictionary, any type, any language, any century including “dictionaries” of places/characters/sayings in TV shows, movies or books, common misspellings, any town in the U.S. with a zip code, famous sayings, etc etc (i.e. OpenSesame or Letmein,Blink182 or NCC-1701).
> If you must use dictionary words, try adding a numeral to them, as well as punctuation at the beginning or end of the word (or both!).
Actually, this is not enough. Numerals/chatacters attached before/after are in hacker dictionaries too – along with “simple substitution” that people do (3 for e, ! for l, etc). I used to use “paladin73′ until I sat in my Information Warfare grad class and found out that it would last about 3 seconds with even a low level kiddie hacker program.
> Use passwords that are at least eight characters long.
The minimum 8 character rule was blown away long ago. anything shorter than 15 characters (unless they use the more obscure characters on the keyboard) is already in a readily available rainbow table.
> If you have trouble remembering your passwords, try replacing certain letters in the word with look-alike numbers.
Again well known “simple substitution” trick and many people develop short passwords and assume they are more secure because they do this (longer is better, longer is better). I find the easiest way to remember a password is to actually use a “pass phrase” as in the phrase from a song. It’s a LOT easier to remember a song/song tune than a password – i.e. Maryhad@littlelamb, – 19 characters and easy to remember! I could make it more challenging by “toggling” the case (mARYH..) or adding the more obscure keyboard characters (Mary:had:..) ( @, !,$, * and # (in order) have been reported as the most common characters used, BTW).
Now pretty good advice about writing down passwords. But I suggest that in addition to having a readily available password hint list that only you can figure out, it’s a good idea to have a sheet in a safety deposit box or with a lawyer stating what these hints mean. This is in case of a major accident or illness (think brain injury/stroke), a responsible second party wil be able to access the necessary sites to pay bills online, etc.
Magnificent idea regarding the safety deposit box idea.
Also, for use in estimating how long it would take to crack your own passwords, here is an online brute force calculator:
http://www.mandylionlabs.com/documents/BFTCalc.xls
(I do not work for them nor have any affiliation, not with where I work but I do use this for my own password creation at home away from work.)
Apologies if someone else already mentioned it.
I just checked that website and put in a few knowns. As usual, this might give a false sense of security because it appears that “Supercalifragilisticexpialidocious” would never get cracked!
Hilarious….!!! I Love it. Good one.
However, sadly, very true.
I would hope though, someone using it, would plug in attttt least one digit or spec char (in the middle somewhere) to put a fly in the ointment.
— I just know that I’m not gonna plug in a 34 char passphrase – that is rather long for my taste, well maybe in the far distant future ….
Good info, I just changed lastpass to generate 16 character passwords with special characters, both were less secure with default settings.
Question – if these hackers are getting hashed passwords, wouldn’t that mean that they have breached into the database, and have a lot more info than we know about? Associated usernames, card holder data, etc? Has anyone seen any rise in carders selling this data?
So who else thinks the posting of the hashed passwords from LinkedIn and eHarmony are a way of password crackers to expand their ‘dictionaries’ of “common” passwords, enabling cracks on other sites, for example free email providers such as AOL, YAHOO, and Hotmail?
With that thought, can anyone rank which popular sites are most susceptible to dictionary password cracks? I’d be interested in things such as how many tries it takes? For example, AOL email may limit you to 5 or 10, but perhaps AIM (which uses the same screen name/password) is unlimited? A corollary list would be sites with excellent security practices.
Well, when this news broke, I used the “LeakedIn” site to see if my password was one that was available in the hashes. It wasn’t.
Well, I changed my password yesterday anyway since how do I know who “LeakedIn” actually is. 🙂
Despite being a “computer security professional”, I DO re-use several different passwords. I probably need to stop doing that, start using KeePass (and KeePassX on Linux), and reset ALL my passwords.
Let’s face it – using a different password on every system is insanely difficult even if you’re using a utility since using a utility simply isn’t feasible in every circumstance.
There are “systems” people use for “generating” a memorable password for every individual need which supposedly can be made to work.
In the end, though, I suspect what you need to do is use an insanely strong password (or passphrase) for your MOST critical assets (your banking and your main PC – and perhaps the portables like your tablet and your phone) and use a single less strong password for everything else which is not critical.
People worry over someone taking over the Facebook page. I mean, who cares? IT’S FACEBOOK, not your bank account! Sure a hacker can use the info there to compromise you. But he can get that anyway from a million online information brokers. So what if he defaces your Facebook page? You’ll live…
My meme remains the reality in all cases:
You can haz better security, you can haz worse security, but you cannot haz “security”. There is no security. Deal.
Richard, people SHOULD worry about their Facebook accounts, or any other account (other social media, email, etc) which has CONTACTS associated with it.
I’m sure one of the targets of the LinkedIn/eHarmony was to expose passwords which social engineering tells us are likely re-used on other sites, such as email or Facebook. I expect we’ll see an increasing number of SPAM and other messages which appear to come from a trusted source — one of your contacts — making the recipients more likely to click on a contaminated link.
If your trusted contacts aren’t secure, then you and others are subject to increasingly sophisticated social engineering attacks (fake email from UPS package delivery, Southwest Airlines reservations, et all) bringing more SPAM and Malware.
While LinkedIn is taking care of having their users change LinkedIn passwords, the NEXT task is for users to change passwords on other sites which shared the LinkedIn password – to something strong OTHER than their new LinkedIn password!
Oh, I agree that one of the problems with such a compromise is that is enables OTHER compromises.
But this is, as my meme says, fundamentally an unsolvable problem.
There will ALWAYS be a way to compromise a system in such a way as to compromise ANOTHER system. And indeed there will almost always be at least TWO ways to compromise the first system.
In the end, the only security for your trusted contact is…not to be a TRUSTED contact. There is no such thing as “trust” because there is no such thing as “security.”
Oh, and keep in mind what you’ve effectively said: that an EMAIL can be “trusted”.
A “trusted contact” is someone I’m standing in front of who I’ve known for a long time and has never screwed me over. And hopefully he doesn’t have a stash of kiddie porn or is a deep undercover Mossad spy…to comment on what extent anyone can be “trusted”…
An email is just that – an email. An email can never be “trusted”…
As the guy in the Syngress hacker books said, “No one is paranoid enough.”
It’s not as important about computer & security professionals not trusting emails & contacts. We’re talking about the MILLIONS of average users out there who don’t know any better, aren’t we?
That’s exactly who I’m talking about.
Everyone needs to stop trusting and believing in the notion of “security”.
But as long as IT security people don’t realize the depth of the problem, the end users won’t either. Most IT security people will casually admit that “there’s no such thing as 100% security” – but the issue is much worse than that. And I don’t think most IT security people really understand that.
This leads directly to the mostly ineffective approaches that are prescribed. Of course, a lot of the reason these approaches are ineffective is due to senior management’s lack of understanding, but that goes right back to the overall lack of understanding of just what constitutes “security” in the first place.
Everyone needs to ingrain my meme in their subconscious and start reasoning out the corollaries. and applying them to their approach to security.
Oh, and I do sometimes use pass phrases from songs from bands I like – who are not the most popular bands either. 🙂 They’re easy to remember and very likely NOT in ANY hacker password database – yet anyway.
Until someone else uses them, of course. I wonder how long it will take with a billion people creating multiple passwords before EVERY possible pass phrase is in a database.
it’s like the million monkeys typing problem… Actually it IS the billion monkeys typing problem! 🙂
Crypto expert and creator of md5crypt Poul-Henning Kamp on LinkedIn’s mistakes…
LinkedIn Password Leak: Salt Their Hide
http://queue.acm.org/detail.cfm?id=2254400
Now THIS is what I’m talking about (re online password setting)! Funny…if you’re an IT security guy anyway…
The Frustrations of Resetting Your Password Online [Video]
http://www.howtogeek.com/115864/the-frustrations-of-resetting-your-password-online-video/
My password wasn’t one of the leaked ones. It’s also nice to know that among 6.5 million unique passwords, no one had picked the same one as me, either.
With all the big shots in commerce and government putting their titles to their powerful jobs there, this could be a nation state attack. Those some people use the same password to their other accounts, too. What a booty for a cyber criminal. Change your passwords!