
Thread: 6.46 million LinkedIn Password Hashes leaked Online!


  1. #1

    6.46 million LinkedIn Password Hashes leaked Online!

    An unknown hacker posted the list online and asked for help in cracking them.
    LinkedIn is still investigating the reports, and has been unable to confirm any security breach yet!

    Looks like an 'unknown hacker' on a Russian forum claimed to have hacked LinkedIn to the tune of almost 6.5 million account details.

    The user uploaded 6,458,020 SHA-1 hashed passwords, but without usernames. Also, the user is asking for help to uncrack [these] hashes...

    The massive dumps over the past three days came in postings to user forums dedicated to password cracking at insidepro.com. The bigger of the two lists contains almost 6.46 million passwords that have been converted into hashes using the SHA-1 cryptographic function. They use no cryptographic "salt," making the job of cracking them considerably faster. Rick Redman, a security consultant who specializes in password cracking, said the list almost certainly belongs to LinkedIn because he found a password in it that was unique to the professional social networking site. Robert Graham, CEO of Errata Security said much the same thing, as did researchers from Sophos. Several Twitter users reported similar findings.

    "My [LinkedIn] password was in it and mine was 20 plus characters and was random," Redman told Ars. With LinkedIn counting more than 160 million registered users, the list is probably a small subset, most likely because the person who obtained it cracked the weakest ones and posted only those he needed help with.

    "It's pretty obvious that whoever the bad guy was cracked the easy ones and then posted these, saying, 'These are the ones I can't crack,'" Redman said. He estimates that he has cracked about 90 percent of the hashes over the past 24 hours. "I think the person has more. It's just that these are the ones they couldn't seem to get."

    According to LinkedIn, they are still looking into the matter. So, basically, they don't know how they managed to do so.

    LinkedIn, which has over 150 million users, has not released a formal statement, but tweeted: "Our team is currently looking into reports."

    Later, it added: "Our team continues to investigate, but at this time we are still unable to confirm that any security breach has taken place."

    Well, the general advice is "to change your LinkedIn password. And if you use the same password on other accounts, change it there too."

    Additionally, looks like another list contains about 1.5 million unsalted MD5 hashes from "eHarmony":

    The smaller of the two lists contains about 1.5 million unsalted MD5 hashes. Based on the plaintext passwords that have been cracked so far, they appear to belong to users of a popular dating website, possibly eHarmony. A statistically significant percentage of users regularly pick passcodes that identify the site hosting their account. At least 420 of the passwords in the smaller list contain the strings "eharmony" or "harmony."

    The lists of hashes that Ars has seen don't include the corresponding login names, making it impossible for people to use them to gain unauthorized access to a particular user's account. But it's safe to assume that information is available to the hackers who obtained the list, and it wouldn't be a surprise if it was also available in underground forums. Ars readers should change their passwords for those two sites immediately. If they used the same password on a separate site, it should be changed there, too.

    eHarmony officials didn't immediately respond to a request for comment.

    The users are still trying to crack all of them!

    The InsidePro postings provide a glimpse into the sport of collective password cracking, a forum where people gather to pool their expertise and sometimes vast amounts of computing resources.

    "Please help to uncrack [these] hashes," someone with the username dwdm wrote in a June 3 post that contained the 1.5 million hashes. "All passwords are UPPERCASE."

    Less than two and a half hours later, someone with the username zyx4cba posted a list that included almost 1.2 million of them, or more than 76 percent of the overall list. Two minutes later, the user LorDHash independently cracked more than 1.22 million of them and reported that about 1.2 million of the passwords were unique. As of Tuesday, following the contributions of several other users, just 98,013 uncracked hashes remained.

    While forum members were busy cracking that list, dwdm on Tuesday morning posted the much larger list that Redman and others believe belongs to LinkedIn users. "Guys, need you[r] help again," dwdm wrote. Collective cracking on that list was continuing at the time of this writing Wednesday morning.

    So hurry up and change your pass if you have accounts on these sites!

    NEWS SOURCE #1: 8 million leaked passwords connected to Linkedin (via) ArsTechnica
    NEWS SOURCE #2: Linkedin password leak online (via) TheVerge

    Our thanks to 'Gauss' for this news item!
    -=( GaryOPA your friendly http://www.MAXCONSOLE.com v2.0 Admin )=-

  2. #2
    An update:

    LinkedIn just confirmed the security breach; they said 'some passwords' were affected. This is their official statement:

    An Update on LinkedIn Member Passwords Compromised


    We want to provide you with an update on this morning's reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:


    1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.

    2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.

    3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.


    It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.


    We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously, if you haven't read it already it is worth checking out my earlier blog post today about updating your password and other account security best practices.
    Source.
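The two posts above turn on one technical point: the leaked list was unsalted SHA-1 (so one table of hashed dictionary words cracks every account at once, and site-name passwords like "eharmony..." fall out immediately), while LinkedIn's statement says the fix was "hashing and salting". The following Python is an added example written for this page; it is not code from the forum posters, from Ars Technica, or from LinkedIn, and the wordlist, the "leaked" hash list and the iteration count are all constructed for the demo, not real data. It runs the same dictionary attack against an unsalted SHA-1 list and against per-user salted PBKDF2 records and counts the work each one costs.

```python
"""Added example: why unsalted SHA-1 hashes crack in bulk and what per-user
salting plus a slow KDF changes. Constructed data only, not the leaked list."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionaries collective crackers use.
WORDLIST = ["password", "linkedin", "123456", "eharmony1", "letmein", "qwerty"]

# Constructed "dump": five passwords, four weak and one long random one.
PLAINTEXTS = ["linkedin", "123456", "eharmony1", "password", "Jk3#9vQw!zLp7@Rt0mXb"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme the leaked list used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


LEAKED_UNSALTED = [sha1_hex(p) for p in PLAINTEXTS]


def crack_unsalted(hashes, wordlist):
    """Dictionary attack on unsalted hashes.

    Every account used the same function with no salt, so one hash
    computation per candidate word tests that word against *every* leaked
    hash at once. Returns (cracked {hash: plaintext}, number of hash calls).
    """
    table = {sha1_hex(w): w for w in wordlist}
    cracked = {h: table[h] for h in hashes if h in table}
    return cracked, len(wordlist)


def count_site_name_passwords(plaintexts, markers=("eharmony", "harmony")):
    """The tell Ars describes: passwords that embed the site's own name."""
    return sum(1 for p in plaintexts if any(m in p.lower() for m in markers))


def make_salted_record(password: str, iterations: int = 20_000) -> dict:
    """Per-user random salt plus PBKDF2-HMAC-SHA256. The iteration count is
    kept low for the demo; production deployments use far more."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_salted(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted(records, wordlist):
    """Same dictionary attack against salted records.

    Each record carries its own salt, so a lookup table built once is useless;
    every candidate must be re-derived per record, and each derivation costs
    `iterations` HMAC calls. Returns (cracked {index: plaintext}, KDF calls).
    """
    cracked, kdf_calls = {}, 0
    for i, record in enumerate(records):
        for word in wordlist:
            kdf_calls += 1
            if verify_salted(record, word):
                cracked[i] = word
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    found, calls = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted: {len(found)}/{len(LEAKED_UNSALTED)} cracked with {calls} SHA-1 calls")
    print("site-name passwords among the cracked:", count_site_name_passwords(found.values()))
    records = [make_salted_record(p) for p in PLAINTEXTS]
    found, calls = crack_salted(records, WORDLIST)
    print(f"salted: {len(found)}/{len(records)} cracked with {calls} PBKDF2 calls")
```

Salting alone does not stop a dictionary attack on a weak password (the salted run still recovers "linkedin" and "123456"); what it removes is the amortisation, since the attacker's cost becomes records times candidates times iterations instead of a single pass over the wordlist, and two users with the same password no longer share a hash. The strong password survives both runs because it is not in the wordlist at all, which is the point Redman makes about the 20-plus-character random password that still appeared in the dump: it leaked, but it was not cracked.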
