
LinkedIn is believed to have suffered a password hash breach (updated: LinkedIn has confirmed the breach), thanks to a forum post that quickly caught the attention of security researchers on Twitter and other social outlets. The posted archive contained a 270+ MB text file of SHA-1 hashes, and forum discussions suggested that it was related to the popular business-centric social site.

At the moment, little is known and speculation is running wild. LinkedIn has not finished investigating whether it has been breached; however, many security pros are confirming to the media that the SHA-1 hashes of their passwords are present in the file. The file is laid out one hash per line, with no plaintext (usernames or similar) suggesting it is anything other than password hashes. However, it is possible that whoever originally obtained the hashes had, or still has, access to additional details.

I obtained a copy of the hash list, produced a SHA-1 hash of my old LinkedIn password, and did indeed find it in the list. I have also spot-checked several other hashes posted by security pros on Twitter and found them as well. Given the nature of my own password (16 random characters drawn from A-Z, a-z, and 0-9), it is statistically impossible that the SHA-1 hash of a password unique to LinkedIn would appear in a file that did NOT come (at least in part) from a source with access to hashes of LinkedIn passwords.

That said, it does not confirm that LinkedIn itself was breached, that the hash file contains only password hashes from LinkedIn, or that attackers lack access to information beyond passwords. My inquiry neither revealed anyone else’s password nor exposed my own. Because hashing is one-way, and because trustworthy security professionals asserted that the hashes of their (presumably strong, unique) passwords were present, we can say with reasonable certainty that we were looking at hashes of LinkedIn passwords. But with time (hours, days, or months, and even years for stronger passwords) those hashes could have their passwords revealed. With hashes disclosed, and signs pointing to LinkedIn, the correct response is to change your password at that site and do a risk assessment.
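The check described above (hash your own password locally, look for it in the hash-per-line dump) is easy to reproduce without ever sending the password anywhere. The following is an added example, not code from the original post or from Cisco; the `LEAKED_DUMP` text is a constructed stand-in for the real 270+ MB file, and the function names are the author's own choices. It also computes the size of the search space behind the "16 random characters from A-Z, a-z, 0-9" remark, which is why such a hash only turns up in a dump if the dump came from a source that actually held it.

```python
import hashlib
import math

# Constructed stand-in for a hash-per-line SHA-1 dump. The real file had
# millions of lines; this one has three, plus a line of junk to show that
# the loader ignores anything that is not a 40-hex-digit SHA-1.
LEAKED_DUMP = "\n".join([
    hashlib.sha1(b"password123").hexdigest(),
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",   # sha1("password")
    hashlib.sha1(b"linkedin2012").hexdigest(),
    "not-a-hash-line",
])


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password, lowercase hex (the dump's format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_hash_set(dump_text: str) -> set:
    """Read a hash-per-line dump into a set, keeping only well-formed SHA-1 hex.

    For a file of hundreds of MB, iterate the open file object line by line
    instead of reading it all into memory; the per-line logic is identical.
    """
    hashes = set()
    hexdigits = set("0123456789abcdef")
    for line in dump_text.splitlines():
        line = line.strip().lower()
        if len(line) == 40 and set(line) <= hexdigits:
            hashes.add(line)
    return hashes


def is_password_exposed(password: str, hashes: set) -> bool:
    """True if the unsalted SHA-1 of `password` appears in the dump.

    The password never leaves this process; only its hash is compared, and
    only against a local copy of the dump.
    """
    return sha1_hex(password) in hashes


def keyspace_size(charset_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters over a charset."""
    return charset_size ** length


def keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password over the charset."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    dump = load_hash_set(LEAKED_DUMP)
    print(f"loaded {len(dump)} hashes")
    for candidate in ("password", "Xq7vLp2RmN9tZbW4"):
        status = "EXPOSED" if is_password_exposed(candidate, dump) else "not found"
        print(f"{candidate!r}: {status}")
    # 62 characters (A-Z, a-z, 0-9), 16 positions: the space the author describes.
    print(f"62^16 = {keyspace_size(62, 16)} (~{keyspace_bits(62, 16):.1f} bits)")
```

Note that "not found" only means the hash is absent from this particular dump; it says nothing about whether the password is weak, and a dump's owner may hold more than what was posted, so the advice to change the password and reassess risk still stands.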

In the meantime, here are some general tips for continued safety:

Some things users should NOT do
