A password list with roughly 6.5 million hashes that are apparently associated with user accounts of the professional social network LinkedIn showed up earlier today on cracking forums in Russia. Today’s leak demonstrates once again that any data breach may have unpredictable effects on both users and the services they have signed up for.
Fortunately for the compromised accounts, the 118-megabyte archive leaked today only holds 6,458,020 records of SHA-1 hashed passwords, with no reference to the corresponding usernames or their e-mail addresses. However, we presume that whoever leaked the password hashes also has the names and e-mail addresses, and successful brute-forcing of these hashes may lead to further breaches.
Today’s incident is definitely not the result of keylogging or phishing, as both of these activities would result in the collection of the plain-text, unhashed password. Since the list references hashes, it would be fair to assume that it somehow was copied from the service’s database.
Although SHA-1 is a sound hashing algorithm and readily available, pre-computed “rainbow” tables for it are not as widespread as those for MD5, the fact that these hashes are not “salted” (no random bits were added to the password before hashing) makes the attacker’s job easier.
What’s at stake?
LinkedIn is one of the few social networks that “mix business with pleasure”. It serves both as a means of getting in touch with friends, former colleagues or family, and as a source of new career opportunities. LinkedIn accounts abound with work-related information, list past education and expose business data of the persons in the same network.
Successful authentication into the victim’s account would expose enough information about them to sustain a serious spear phishing campaign. It would also allow attackers to launch fake business proposals from compromised accounts of known HR or recruiting specialists some users might have in their circle of friends. The exploitation possibilities are so rich that the extent of the damage can hardly be assessed.
Rapid inspection revealed that the list contains a significant number of hashes of known weak passwords that can be cracked in seconds by comparing them against a pre-computed database of passwords. These are the exact circumstances where choosing a “unique enough” password would keep the account safe even if the “unsalted” hash has been exposed.
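The two points above (unsalted hashes can be matched against a table computed once, and a weak password falls to that table in seconds) can be shown with a small audit routine. This is an added example, not code from the original article or from LinkedIn; the wordlist and the “leaked” hashes are constructed here for illustration.

```python
import hashlib
import os

# Constructed sample: a few common passwords a defender might keep in an audit wordlist.
WORDLIST = ["password", "123456", "linkedin", "qwerty", "letmein"]


def sha1_hex(data: bytes) -> str:
    """Unsalted SHA-1 hex digest, the storage format described for the leak."""
    return hashlib.sha1(data).hexdigest()


def build_precomputed_table(words):
    """Map unsalted SHA-1 digest -> password. Built once, reusable against any unsalted dump."""
    return {sha1_hex(w.encode("utf-8")): w for w in words}


def audit_unsalted(leaked_hashes, table):
    """Return {hash: password} for every leaked hash that the precomputed table recognises."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Per-user salt prepended to the password before hashing (constructed scheme for contrast)."""
    return sha1_hex(salt + password.encode("utf-8"))


# Constructed "leak": unsalted SHA-1 of two weak passwords and one long passphrase.
LEAKED = [
    sha1_hex(b"password"),
    sha1_hex(b"123456"),
    sha1_hex(b"correct horse battery staple 2012!"),
]


def demo():
    """Returns (weak passwords found in the unsalted dump, hits against salted storage)."""
    table = build_precomputed_table(WORDLIST)
    weak = audit_unsalted(LEAKED, table)

    # Same two weak passwords, but stored with a random 16-byte salt: the
    # table built above no longer matches, so it would have to be rebuilt per salt.
    salt = os.urandom(16)
    salted = [salted_sha1_hex(p, salt) for p in ("password", "123456")]
    salted_hits = audit_unsalted(salted, table)
    return len(weak), len(salted_hits)


if __name__ == "__main__":
    print(demo())  # 2 weak passwords recovered from the unsalted dump, 0 from the salted one
```

The third hash is not in the table and stays unmatched, which is the “unique enough” case the paragraph describes: a precomputed table only helps against passwords that were already in the attacker’s list. Salting does not make a weak password strong, but it forces the table to be rebuilt for every salt value, which is what removes the seconds-per-hash economy.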
At the time of writing, LinkedIn has already flagged the exposed accounts as compromised and instructed their owners to change their passwords immediately. We strongly advise users not only to choose a password that is difficult to guess or crack, but also to associate one password with one account only, so that, in the event of a breach, other accounts created with the same e-mail address or username won’t fall victim to unauthorized access.
For more technical users, we recommend that they create hashes of their passwords with the most common hashing algorithms (MD5, SHA1, SHA2) and set a Google alert on these hashes. Although this approach is ineffective against passwords leaked in non-indexable file formats (such as archives), it prompts the user if and when their hashed password gets leaked in forums or so-called “pasties” and may give victims enough time to change it to something else.
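The recommendation above, as an added example that is not part of the original article: compute the MD5, SHA-1 and SHA-256 digests of a password locally (never in a web-based hash calculator, which would hand the password to a third party), then check a piece of text such as a paste or forum dump for those digests. The alert registration itself is done in the search engine and is not shown; the sample paste is constructed here.

```python
import hashlib

# MD5, SHA-1 and SHA-256 (the SHA-2 member most commonly used for password storage).
ALGORITHMS = ("md5", "sha1", "sha256")


def password_fingerprints(password: str) -> dict:
    """Hex digests a user can register alerts on. The password itself never leaves this process."""
    data = password.encode("utf-8")
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def find_exposed(text: str, fingerprints: dict) -> list:
    """Return the algorithm names whose digest appears in `text` (case-insensitive)."""
    lowered = text.lower()
    return [name for name, digest in fingerprints.items() if digest in lowered]


# Constructed sample paste: one line happens to be the unsalted SHA-1 of "password".
SAMPLE_PASTE = """dump from unknown source
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
0123456789abcdef0123456789abcdef01234567
"""


def demo():
    """Which of the fingerprints of the (deliberately weak) password "password" appear in the paste."""
    fingerprints = password_fingerprints("password")
    return find_exposed(SAMPLE_PASTE, fingerprints)


if __name__ == "__main__":
    print(demo())  # ['sha1']
```

Matching is done on the lowercase hex string because dumps are posted in either case. A hit tells the user that one specific hash of their password is public; as the article notes, it says nothing about leaks in archives or other formats a search engine does not index.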