LinkedIn password breach: How to tell if you're affected
Summary: Bad news: LinkedIn suffered a data breach that exposed 6.46 million password hashes. The good news is that you can quickly (and, with a little care, safely) check whether your password is in the leaked file.
LinkedIn users are still reeling after news broke that hackers had obtained a vast cache of password hashes from the "professional social network".
More than 6.46 million hashes were posted, which works out to a little over 4 percent of the site's 150 million users. LinkedIn eventually confirmed the breach and said affected users would have their accounts locked and would be sent an email asking them to change their password.
Users are advised to change their LinkedIn password immediately.
In cases like this it's often hard to know whether your credentials were in a leak without downloading the dump and trawling through it yourself. Thankfully, "there's a (web) app for that."
Developers Chris Shiflett, Sean Coates, and Bedrich Rios built, in only a few hours, a way to check whether your LinkedIn password was in the leak. They took the dump of hashes, since removed from its original location but still widely available on the web, and created LeakedIn.org.
Simply type in your LinkedIn password and it will tell you whether you're among the unlucky 4 percent.
I know what you're thinking: "Type my potentially already leaked password into a random site? You have to be kidding." The site hashes your password with JavaScript in the browser before anything is sent, so the plaintext password never leaves your computer; what goes to the server is the SHA-1 digest, which is then compared against the dump. Bear in mind that the leaked hashes are unsalted SHA-1, so the digest of a weak password can be turned back into the password with a wordlist by anyone who receives it. Treat any digest you submit as if it were the password itself.
Of course, this is merely a way of seeing whether your password was in the leak. Other checkers are popping up around the web. One from LastPass also works well, and many may feel more comfortable using a tool from a company whose products they already use.
In practice these checkers tell you two things:
First, whether you need to change your LinkedIn password, which you are advised to do regardless. It is safest to assume the attackers also hold the corresponding email addresses, though the company has yet to confirm this.
Second, whether any other service on which you reused that password needs a change too. Reusing a password means one breach exposes every account that shares it, and most people do it anyway, so stop reading this and go change your password.
Image credit: LeakedIn.org/ZDNet.
Related:
- 6.46 million LinkedIn passwords leaked online
- CNET: LinkedIn confirms passwords were 'compromised'
- What to do if your LinkedIn password is hacked
- LinkedIn updates apps in response to privacy concerns

Talkback
Sending even a hashed password over the net is a risk
Re: Sending even a hashed password over the net is a risk
@ everyone else - some other sites are reporting that the 6.5 million passwords that were posted seem to be the ones that were more difficult to break. One article reported that common passwords are missing and that there are no duplicates (I haven't verified that by checking the file myself). If that is the case then it's not safe to assume that your password is safe just because it's not in the dump. It could have just been easy to crack. So, like ZDNet said, change your password! You have nothing to lose by doing it, but potentially a lot to lose if you don't.
Only OS X users would be foolish enough to fall for this
Encouraging people, especially OS X users, to enter their passwords on a strange website is the height of foolishness. You have NO idea if that website is doing only what it says it is doing. All this talk of your password being "stolen" in transit is a red herring. The real danger is that the average dumb OS X user has no way of telling that leakedin.org is "safe" and leakedpassword.com is "unsafe".
But as I wrote on David M's blog, OS X users have this fanatical belief that they are safe from everything on the Internet. Apple told them so.
OK fine but does this really prove anything?
It only proves that if in fact those passwords were leaked, they now have a good dictionary to crack against... but since there's no proof that they also have my corresponding e-mail address, it's meaningless until then?
I assume LinkedIn has a certain measure of security in place that would prevent a massive dictionary being run against my account until they've gone through all of those 6.5 million users' passwords (or the 300,000 that they've actually decrypted the one-way hash on, presumably by a dictionary -> hash match)... so even if they did do a dictionary attack it would be difficult and time consuming. This doesn't seem to prove too much other than yes, you should have a non-easy-to-guess password to begin with.
Or is there something I'm missing here?
2 problems with this
First there is the immediate danger, which is that the website operator now knows your LinkedIn password and your IP. If your password was not compromised, it soon could be.
Second there is the general danger of encouraging people to enter their passwords on websites that are going to "check" that password for "goodness". Even if we ignore the immediate danger above because we are savvy enough to know that there is no danger, more naive users will be less cautious when it comes to entering their passwords on other sites that aren't associated with the account that password is for. They can't make the informed decision that leakedin.org is safe but leakedpassword.com isn't. You are encouraging a dangerous habit in a group of people (OS X users) that already have some of the most dangerous habits on the Internet.
Not good.
..and?
Who cares if they have my IP. I don't run the web site on my IP, which also is egress shared by thousands of others as it is. They aren't going to be able to figure out my user name from my IP very easily, nor would most care to take the time to when there are so many other items that are easy to obtain from others.
About that preventing dictionary attacks part.......
That's what you assumed, and that's what I assumed, and we both assumed wrong. Turns out that LinkedIn couldn't be arsed to salt their passwords, and are now vulnerable to precomputed hashes. You can find rainbow tables for all SHA-1 hashes under 7 characters long quite easily over at http://www.freerainbowtables.com/en/tables2/.
Sophos claims that over half the passwords have already been compromised with these types of attacks, and quite frankly, I'm not surprised. Rainbow table attacks are brutally fast since everything's been precomputed.
http://nakedsecurity.sophos.com/2012/06/06/linkedin-confirms-hack-over-60-of-stolen-passwords-already-cracked/
But of course, without corresponding login information, these passwords are fairly useless. I haven't seen anything confirming or denying the presence of login info yet :\
so they lock your account out after x failed attempts, or present CAPTCHA?
Once you have the hashes, it doesn't matter.
Now, the hash files aren't quite like a guest list, because they're hashed, but once it's out in the open, it's only a matter of time before the passwords are cracked. Now, with proper precautions, that time can be something like 5-6 years, which is plenty of time to get the warnings out, but it looks like LinkedIn didn't do that, and over half the stolen passes have been cracked already.
Now, if they know which usernames were linked to which hash, they already have the login information they need. If they didn't things get a lot murkier--I'd hope that LinkedIn would make you wait 30 minutes after 10 failed logins or whatever, but I also would have hoped that they salted their hashes....
@chipbuster... that's the thing--no user names are associated to the passwords.
So they don't have that your user name is john.doe@gmail.com and password is Hollywood1 .. they just have a list that includes California3 Mysterious9 Hollywood1 Bolingbrook etc etc..6.5 million different passwords, half of which the hashes have already been matched (and the others are continuing... there's an interesting article 'how charles dickens helped crack your LinkedIn password' out there--adding to the dictionary hash by going through his literature).
There are rumors that they also have a list of e-mail addresses but I don't think LinkedIn confirmed that, and it was not cached in a manner that the two lists were associated even so from the vague details given, so it too is just merely a list (a list that even if they didn't have, would be somewhat easy to get by the nature of LI).
So to have any value, even with the 3 million passwords they would have to cycle through each of those on each account to actually figure out that it's your exact password.
Re: OK fine but does this really prove anything?
What would anyone do with Linkedin.org passwords anyway? Get Bored?
Having Alureon.DX with your browsers set up with proxies in Russia is noteworthy. However, it doesn't get much press here at ZDNet, like trying to find a TDL-4 article by self proclaimed "security expert" Ed Bott.
related accounts
Could be just a way to get more traffic
Where did the data reside?
Are you sure it works?
Worked for Me
tinaturner failed
householditem passed
*
About half of my suggestions made it (the ones I thought would, in fact)
And about half didn't (and shouldn't have).
What? Give your password to someone else?
First thing I did when I heard about Linkedin's breach was to log into my account there and immediately change my password! That took only a couple of steps and I was on a site I had bookmarked.
I just do not get this article and its recommendations. It appears to go against every good practice.
And before everyone does the @username, do not waste the time. I will not be back in this thread. Reading comments in cnet's forums that have that are laughable.
inside job . . .