6.5 million password hashes suggest a possible breach at LinkedIn
LinkedIn is believed to have suffered a password hash breach (updated: LinkedIn has confirmed the breach), thanks to a forum post that quickly caught the attention of security researchers on Twitter and other social outlets. The posted archive contained a 270+ MB text file of SHA-1 hashes, and forum discussions suggested that it was related to the popular business-centric social site.
At the moment, little is known and speculation is running wild. LinkedIn has not finished investigating whether they have been breached, however many security pros are confirming for the media that the SHA-1 hashes of their passwords are found in the file. The file is constructed in a hash-per-line fashion, with no evident plaintext that suggests it is anything other than passwords (such as usernames, etc.). However, it’s possible that anyone gaining the original access to hashes had or has access to additional details.
I obtained a copy of the hash list, produced a SHA-1 hash of my old LinkedIn password, and did indeed find it in the list. I have also spot-checked several other hashes posted by security pros on Twitter, and have found them as well. Given the nature of my own password (16 random characters comprised of A-Z, a-z, and 0-9) the likelihood that my SHA-1 hash of my password (that was unique to LinkedIn) would be present in a file that did NOT come (at least in part) from a source that had access to hashes of LinkedIn passwords is statistically impossible.
That said, it does not confirm that LinkedIn itself was breached, that the hash file contains only password hashes from LinkedIn, or that attackers do not have access to information beyond passwords. My inquiry didn’t result in learning the password of anyone else, or revealing my own. The one-way nature of hashing and the belief that trustworthy security professionals asserted that their (presumably strong, unique) passwords’ hashes were present points with reasonable certainty that we were looking at hashes of LinkedIn passwords. But with time (hours, days, or months — even years for stronger passwords) those hashes could have their passwords revealed. With hashes disclosed, and signs pointing to LinkedIn, the correct response is to change your password at that site and do a risk assessment.
In the meantime, here are some general tips for continued safety:
- LinkedIn users should change their passwords to a strong value. The best options are random, long strings (>12 characters) managed by a secure password manager.
- Unique passwords per site continue to be the best practice. If you share passwords between LinkedIn and any other site, change those passwords on other sites as well (again, to something strong / unique).
- LinkedIn has not confirmed or denied a breach (updated: LinkedIn has confirmed the breach). Some are suggesting that changing your password now will be ineffective because if a breach occurred and has not been contained, passwords could again be exposed. Since we’ll never know, the best option is to change your password to something strong and unique; in the event you become worried of a subsequent breach, change it again.
- Users should exercise increased caution for a time regarding LinkedIn. Commonly breaches will result in highly-targeted malware based upon information gleaned during an exposure. If LinkedIn has suffered a breach, it may be possible for attackers to leverage the details stored on LinkedIn to entice you to fall victim to a scam or malware installation. Since password hashes have been exposed, such scams may even originate via compromised LinkedIn accounts.
- In the event that you’ve linked your social media sites (say, by allowing Twitter to receive posts from LinkedIn) consider your impact related to which sites are linked as well.
Some things users should NOT do
- Users should NOT input their passwords into sites on the Internet offering to compute hashes or check for exposure. Determining if your password hash was exposed is interesting, but giving your password away to strangers is never a good idea.
- Users should NOT rely on common patterns in an effort to improve password security. For example, recent research has suggested that sets like possible day / month combinations (4 digits starting with “19″ or “20″, or combinations which can be interpreted as day/month values like 0501) are particularly weak