LinkedIn password breach: How to tell if you're affected

Summary: Bad news: LinkedIn suffered a data breach of 6.46 million passwords. The good news is you can quickly (and securely) check to see if your password leaked online.

LinkedIn customers are still reeling after the news broke that hackers had accessed a vast cache of passwords to the "professional social network".

More than 6.46 million people are thought to be affected, or around 5 percent of the site's 150 million users. LinkedIn eventually confirmed a breach and said affected users would have their accounts locked and would be sent an email asking them to change their password.

Users are advised to change their LinkedIn password immediately.

In cases like this, it's often tricky to know whether your account details have been leaked without downloading the dump file and trawling through it. Thankfully, "there's an (web) app for that."

Developers Chris Shiflett, Sean Coates, and Bedrich Rios built, in only a few hours, a way to check whether your LinkedIn password had been leaked. After the discovery, they took the dump of passwords --- since removed from its original location, though still widely available on the Web --- and created LeakedIn.org.

Simply type in your LinkedIn password and it will tell you whether you're in the unlucky 5 percent.

I know what you're thinking: "Type in my potentially already leaked password into a random site? You have to be kidding." The site uses JavaScript to hash your password, and because it uses only client-side code, your password never actually leaves your computer.

Of course, this is merely a way of seeing whether your password was in the breach. Other services are popping up around the web. Another, from LastPass, also works effectively, and many may feel more comfortable using a tool from a company whose products they already use.

In practice, these password checkers tell you two things:

First, whether you need to change your LinkedIn account password --- which you are advised to do anyway. It's safe to assume the hackers have your corresponding email address as well, though this has yet to be confirmed by the company.

Second, if you happen to use that password on another service, that you should change that service's password too. It's never a wise idea to use the same password twice, in case one account is breached --- despite most people doing so --- so stop reading this and go and change your password.

Image credit: LeakedIn.org/ZDNet.

Talkback

19 comments
  • Sending even a hashed password over the net is a risk

    Although I applaud the developers' (Chris, Sean, and Bedrich's) efforts in developing LeakedIn.org, even sending your hashed password across the net in cleartext involves a certain level of risk. If someone intercepts that message, they now have your hashed password, even if it wasn't on the original list. They need to encrypt the password before sending it to their server using a public key and then decrypt it using a private key on the server to provide reasonable security.
    intel_chris
    • Re: Sending even a hashed password over the net is a risk

      @ intel_chris - The risk of someone intercepting your data in transit is pretty low. The most risky place to lose data is when you're on a public wi-fi connection and you're not on a VPN, but even those places aren't full of malicious lurkers trying to steal your data. Still, you do have a point. But I'll add that it's only a risk if you use that password on other sites and if you haven't already changed your LinkedIn password. If you don't use that password on other sites and if you've already changed your password on LinkedIn then it doesn't matter if someone grabs the hash.

      @ everyone else - some other sites are reporting that the 6.5 million passwords that were posted seem to be the ones that were more difficult to break. One article reported that common passwords are missing and that there are no duplicates (I haven't verified that by checking the file myself). If that is the case then it's not safe to assume that your password is safe just because it's not in the dump. It could have just been easy to crack. So, like ZDNet said, change your password! You have nothing to lose by doing it, but potentially a lot to lose if you don't.
      rascellian
  • Only OS X users would be foolish enough to fall for this

    I noticed you used an OS X screen shot and it is hardly surprising, because OS X users are the most naive when it comes to computer security. [i]Oh look, a "weird" (DeRSSS) website asking me for my password. Why, let me just enter it; there is no way this could ever be a scam.[/i]

    Encouraging people, especially OS X users, to enter their passwords on a strange website is the height of foolishness. You have [b]no[/b] idea if that website is doing only what it says it is doing. All this talk of your password being "stolen" in transit is a red herring. The real danger is that the average dumb OS X user has no way of telling that leakedin.org is "safe" and leakedpassword.com is "unsafe".

    But as I wrote on David M's blog, OS X users have this fanatical belief that they are safe from everything on the Internet. Apple told them so.
    toddbottom3
  • OK fine but does this really prove anything?

    Say my password is passw0rd... all I did was type that in and the site looked through a list of 6.5 million users and somewhere in there one of those users had the same password? That wouldn't be shocking... Does this prove anything?

    It only proves that if in fact those passwords were leaked, they now have a good dictionary to crack against... but since there's no proof that they also have my corresponding e-mail address, it's meaningless until then?

    I assume LinkedIn has a certain measure of security in place that would prevent a massive dictionary being run against my account until they've gone through all of those 6.5 million users' passwords (or the 300,000 that they've actually decrypted the one-way hash on, presumably by a dictionary -> hash match)... so even if they did do a dictionary attack it would be difficult and time consuming. This doesn't seem to prove too much other than yes, you should have a non-easy-to-guess password to begin with.

    Or is there something I'm missing here?
    danekan
    • 2 problems with this

      [i]Or is there something I'm missing here?[/i]

      First there is the immediate danger which is that the website operator now knows your linked in password and your IP. If your password was not compromised, it soon could be.

      Second there is the general danger of encouraging people to enter their passwords on websites that are going to "check" that password for "goodness". Even if we ignore the immediate danger above because we are savvy enough to know that there is no danger, more naive users will be less cautious when it comes to entering their passwords on other sites that aren't associated with the account that password is for. They can't make the informed decision that leakedin.org is safe but leakedpassword.com isn't. You are encouraging a dangerous habit in a group of people (OS X users) that already have some of the most dangerous habits on the Internet.

      Not good.
      toddbottom3
      • ..and?

        Whether you think the web site author is good-hearted or not IMO is not relevant (but I'd be more willing to give ZDNet the benefit of the doubt for publishing it); the question is what value is that to the hackers with regards to knowing the password for LinkedIn itself. Without any associated user names, and then having to somehow match up the random list of 300,000 decrypted passwords against 165 million users, I don't see a lot of utility here. There's a great chance that those 300,000 passwords were already in a dictionary somewhere anyway--they were the weakest link for a reason.

        Who cares if they have my IP. I don't run the web site on my IP, which also is egress shared by thousands of others as it is. They aren't going to be able to figure out my user name from my IP very easily, nor would most care to take the time to when there are so many other items that are easy to obtain from others.
        danekan
    • About that preventing dictionary attacks part.......

      "I assume LinkedIn has a certain measure of security in place that would prevent a massive dictionary being run against my account until they've gone through all of those 6.5 million users' passwords...."

      That's what you assumed, and that's what I assumed, and we both assumed wrong. Turns out that LinkedIn couldn't be arsed to salt their passwords, and are now vulnerable to precomputed hashes. You can find rainbow tables for all SHA-1 hashes under 7 characters long quite easily over at http://www.freerainbowtables.com/en/tables2/.

      Sophos claims that over half the passwords have already been compromised with these types of attacks, and quite frankly, I'm not surprised. Rainbow table attacks are brutally fast since everything's been precomputed.

      http://nakedsecurity.sophos.com/2012/06/06/linkedin-confirms-hack-over-60-of-stolen-passwords-already-cracked/

      But of course, without corresponding login information, these passwords are fairly useless. I haven't seen anything confirming or denying the presence of login info yet :\
      chipbuster
      • so they lock your account out after x failed attempts, or present CAPTCHA?

        You're saying we assumed wrong that they prevent dictionary attacks on your LinkedIn account, but if that assumption is wrong, what do they do to prevent it? Do they have a limit on failed logon attempts? I haven't tried; just curious what would happen if you tried to log in to my LinkedIn account with 300,000 different passwords... you're saying it would just sit there and let a hacker script that? (Or is there an API that's easier to check the credentials against?)
        danekan
      • Once you have the hashes, it doesn't matter.

        Just to clarify a little: the rainbow tables attack I'm talking about doesn't involve trying logins on the site. It involves comparing precomputed values against the ones in the hash file. It's a little like walking up to a club and trying random names to get in. If you get it wrong four or five times, the guy won't let you in, but if you steal the list, there's really nothing that can be done.

        Now, the hash files aren't quite like a guest list, because they're hashed, but once it's out in the open, it's only a matter of time before the passwords are cracked. Now, with proper precautions, that time can be something like 5-6 years, which is plenty of time to get the warnings out, but it looks like LinkedIn didn't do that, and over half the stolen passes have been cracked already.

        Now, if they know which usernames were linked to which hash, they already have the login information they need. If they didn't things get a lot murkier--I'd hope that LinkedIn would make you wait 30 minutes after 10 failed logins or whatever, but I also would have hoped that they salted their hashes....
        chipbuster
      • @chipbuster... that's the thing--no user names are associated to the passwo

        It's my understanding that it's leaked passwords... the various news stories on this aren't very clear on that point. It's not that they have YOUR exact password; it's that they have a hash list of 6.5 million different passwords.

        So they don't have that your user name is john.doe@gmail.com and password is Hollywood1... they just have a list that includes California3 Mysterious9 Hollywood1 Bolingbrook etc., etc.: 6.5 million different passwords, half of which the hashes have already been matched (and the others are continuing... there's an interesting article 'how charles dickens helped crack your LinkedIn password' out there--adding to the dictionary hash by going through his literature).

        There are rumors that they also have a list of e-mail addresses but I don't think LinkedIn confirmed that, and it was not cached in a manner that the two lists were associated even so from the vague details given, so it too is just merely a list (a list that even if they didn't have, would be somewhat easy to get by the nature of LI).

        So to have any value, even with the 3 million passwords they would have to cycle through each of those on each account to actually figure out that it's your exact password.
        danekan
    • Re: OK fine but does this really prove anything?

      Or should you? Consider that if they're using a look up table and you have an obscure password that only "you" have then when they crack your pw, they know who you are. But if you use a simple password that millions of other users use, then just because they cracked "your" password it doesn't mean they will be able to find "you". If they just look for the first match it could be any one of the millions or thousands who have the same simple password.
      outtanames999
  • What would anyone do with Linkedin.org passwords anyway? Get Bored?

    I don't see the value of it unless they are just making a game out of it.

    Having Alureon.DX with your browsers set up with proxies in Russia is noteworthy. However, it doesn't get much press here at ZDNet, like trying to find a TDL-4 article by self proclaimed "security expert" Ed Bott.
    Joe.Smetona
    • related accounts

      If they managed to somehow figure out your user name that was associated w/ the same password, they could then get into, say, your gmail account if you're one of the 70% of people who use the same password for just about everything... with 6.5 million there are plenty of low hanging fruit in that group.
      danekan
  • Could be just a way to get more traffic

    This could be a legitimate breach...or not. After all, what could be better for LinkedIn's traffic than to scare all of its users into going back to the site to change their password?
    outtanames999
  • Where did the data reside?

    The other consideration is where did the data reside in LinkedIn's systems? Or was it found in discarded hardware - hard drives from its data centers that weren't properly disposed of, or hacked instances of Hadoop or other Big Data tables that might be on systems that aren't all that secure because they're relatively young as far as applications go.
    outtanames999
  • Are you sure it works?

    I typed in a bunch of different things: phrases, names, etc. Everything I put in said that it was hacked. So maybe it's just an "if input <> NULL then print "You've been hacked!"" type thing. The only thing I typed that came back saying no was when I left it blank.
    mmeade@...
    • Worked for Me

      I tried about two dozen different possibilities.
      tinaturner failed
      householditem passed
      *
      About half of my suggestions made it (the ones I thought would, in fact)
      And about half didn't (and shouldn't have).
      mijcar
  • What? Give your password to someone else?

    I seem to have read on a couple of other technical sites not to enter your password at sites such as LeakedIn.org. It appears that intentions are good, but what about the next breach? Can we trust someone who puts up a site? How do you verify it is legit? Why go to the extra work? Is this not an extra step?

    First thing I did when I heard about Linkedin's breach was to log into my account there and immediately change my password! That took only a couple of steps and I was on a site I had bookmarked.

    I just do not get this article and its recommendations. It appears to go against every good practice.

    And before everyone does the @username, do not waste the time. I will not be back in this thread. Reading comments in cnet's forums that have that are laughable.
    hortnut
  • inside job . . .

    I surmise it was an inside job . . . perhaps a disgruntled employee (or blackmail) . . . I also stipulate it could happen again within the same corp.
    pnamajck