reset password
Author Message
cysun
Posts: 2935
Posted 14:09 Jun 06, 2012 |

Since many of our students use LinkedIn, and we just talked about one-way hashing and password encryption in class, this story may be of some interest:

http://arstechnica.com/security/2012/06/8-million-leaked-passwords-connected-to-linkedin/

Personally I wouldn't rush to LinkedIn to change my password because a) I don't have any sensitive information on LinkedIn, and b) LinkedIn hasn't confirmed that they had found and fixed the security breach, which means that the hackers may still have access to their data. If you use the same password on other sites, I do recommend that you change those passwords immediately.

malamma
Posts: 25
Posted 14:53 Jun 06, 2012 |

The passwords were actually hashed but not salted which means that over 300 thousand of them have already been reversed successfully. The file of the passwords is still floating around the net but I checked the hash list and my previous password wasn't in it, so it's only a partial list.

cysun
Posts: 2935
Posted 14:58 Jun 06, 2012 |
malamma wrote:

The passwords were actually hashed but not salted which means that over 300 thousand of them have already been reversed successfully. The file of the passwords is still floating around the net but I checked the hash list and my previous password wasn't in it, so it's only a partial list.

The list is probably partial, but the assumption is that the hackers have all the passwords (in security we always assume the worst) but only posted the ones they needed help with.

Last edited by cysun at 14:58 Jun 06, 2012.
DavidGilbert
Posts: 40
Posted 23:06 Jun 06, 2012 |

Any idea how it was obtained? To me that's the more interesting issue, as it's been shown that something like 14 hashed passwords can be cracked in 45 minutes for $7 on EC2. I wonder what he's using to crack the passwords, though; he must have a botnet at his disposal, which is kind of intriguing too.

Also, other than possible reuse of passwords, I wonder what they hoped to gain by stealing from LinkedIn. Are there paid features? I don't use the site (in fact I don't social network at all). I could understand that eHarmony users are probably more likely to reuse a password, giving them the ability to log into their Facebook account, gather social engineering data to break into their email and reset all bank passwords or something.

Or maybe it was just a "let's embarrass the professional community network" attack. Who knows, the internet is so weird, gotta get back to farming my Diablo gear.
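
The two technical points raised above, that unsalted hashes can be reversed in bulk (malamma's post) and that cracking cost is what decides whether a leak is usable (DavidGilbert's post), can be shown with a short experiment. The following is an added example, not code from the thread or from LinkedIn; the thread does not say which hash function was involved, so the unsalted side assumes SHA-1, and the wordlist and the "leaked" hashes are constructed here rather than taken from the real dump. It counts hash operations so that the cost difference between attacking unsalted hashes and attacking salted, iterated hashes is visible.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed wordlist for the demonstration (not real leaked data).
WORDLIST = ["password", "linkedin", "123456", "letmein", "Tr0ub4dor&3"]

# Iteration count for the salted scheme; a hypothetical value chosen for the demo.
PBKDF2_ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """Unsalted hash as assumed for the leaked list: same password, same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked: List[str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes.

    Each candidate word is hashed once and the result is looked up against
    every leaked hash at the same time, so the work is len(wordlist), not
    len(wordlist) * len(leaked). Returns (hash -> recovered word, hash ops).
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    ops = len(wordlist)
    found = {h: table[h] for h in leaked if h in table}
    return found, ops


def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store a per-user random salt next to the derived key; never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = pbkdf2(password, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = pbkdf2(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(records: List[str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same dictionary attack against salted records.

    Because every record has its own salt, no precomputed table is shared
    between records: each record costs up to len(wordlist) KDF runs, and each
    run is PBKDF2_ITERATIONS times more expensive than a single SHA-1.
    Returns (record -> recovered word, KDF ops).
    """
    found: Dict[str, str] = {}
    ops = 0
    for record in records:
        _alg, iters, salt_hex, dk_hex = record.split("$")
        salt, iters = bytes.fromhex(salt_hex), int(iters)
        for word in wordlist:
            ops += 1
            if hmac.compare_digest(pbkdf2(word, salt, iters), bytes.fromhex(dk_hex)):
                found[record] = word
                break
    return found, ops


if __name__ == "__main__":
    # Constructed "victims": two weak passwords from the wordlist, one not in it.
    victims = ["password", "Tr0ub4dor&3", "correcthorse"]

    leaked = [unsalted_sha1(p) for p in victims]
    found, ops = crack_unsalted(leaked, WORDLIST)
    print(f"unsalted: recovered {len(found)}/{len(leaked)} with {ops} SHA-1 calls")

    records = [make_salted_record(p) for p in victims]
    found, ops = crack_salted(records, WORDLIST)
    print(f"salted:   recovered {len(found)}/{len(records)} with {ops} PBKDF2 calls "
          f"({ops * PBKDF2_ITERATIONS:,} underlying HMAC iterations)")
```

Running it shows the same two weak passwords recovered in both cases, which is the point about password reuse: salting does not rescue a password that is in every wordlist. What changes is the bill. The unsalted attack pays five hashes for the whole list, however long the list is, while the salted attack pays per record and per iteration, which is what turns a cheap EC2 job into an expensive one.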