LinkedIn confirmed the leak on June 6 2012. At first it said, “we’re still unable to confirm that any security breach has occurred,” but nevertheless provided advice on how to change your password, how to create a strong password, and how to behave securely. Later it confirmed that “some of the passwords that were compromised correspond to LinkedIn accounts.” Interestingly, it added, “affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.”
LinkedIn must hope that this isn’t too little, too late. Simon Halbertstam, IT partner at law firm Kingsley Napley, has pointed out that despite its terms and conditions relying on California Law, the company may be liable to the UK Data Protection Act for UK users. “If any UK individuals feel they have suffered as a result of this hacking,” he says, “they should consider taking legal advice or making a direct complaint to the UK Information Commissioner who can take action against non-compliant organizations, including hefty fines of up to £500,000.”
Meanwhile, security researcher and password expert Robin Wood (digininja on the internet) has been monitoring the leak. “The passwords are unsalted SHA1 hashes,” he told Infosecurity, confirming that the hack must have happened some time ago (possibly up to six months ago) before LinkedIn started salting. “That means that they are much easier to crack than they should be.” Notice that LinkedIn has now introduced salting, a process of adding random bits to the password hash that, if done correctly, can effectively eliminate brute force dictionary attacks. “If salts are used, then brute forcing becomes much harder,” added Wood.
As it is, the hackers have crowd-sourced the cracking process by publishing the passwords on the internet. And that is continuing apace (one site used by the crackers attracted so many participants that it fell over in a self-inflicted DDoS).
“One cracking group,” said Wood, “is claiming to have cracked 1,260,444 out of the 3,521,180 so far cracked in just 30 seconds.” But, he adds, slightly more reassuringly for the those who use strong passwords, “I doubt the whole lot will ever be cracked. The process always starts off fast as the short and weak (dictionary word) passwords fall quickly, but then slows down as the remaining pool of hashes start to contain just the long random strings that are created by password managers.” However, Wood also points to a tweet ten hours before this report was written: “So far 3,427,202 pwds have cracked from LinkedIn List Almost 50% - The longest? a 29 letter sentence from Bible.” “I'd guess a lot more have been cracked by now,” he adds.
Wood suspects that the full list of cracked passwords will become a widely-used wordlist for future attacks against other sites – just like the RockYou leak. Users have two primary password weaknesses. Firstly we chose weak, easily remembered and easily cracked passwords – especially if they are stored as unsalted hashes.
Secondly, we use the same password for multiple different accounts. “Unfortunately, explains David Emm, senior security researcher at Kaspersky Lab, “many people use the same password for multiple online accounts. This practice brings with it the risk that a compromise of one account puts all accounts at risk.”
Steve Watts, a security expert at SecurEnvoy, takes it further. “For b2b,” he says, “it’s worth the investment to use two factor authentication which relies on more than just passwords, using something you have with something you know; but for b2c and c2c it’s a worrying time – most people use the same credentials from one site to another – so how long before your Amazon account and BT online etc are compromised by replaying the same passwords?”
The lesson we must learn from this latest breach is therefore threefold: if you have a LinkedIn account, change your password. But then change the password to a unique password for every other account that uses the same one. If you don’t, sooner or later someone will pay you a visit; either a hacker using the LinkedIn wordlist against your email address, or the original hackers who will now have both your address and your password.
Finally, the time has surely come where we must abandon ease in favor of a password manager that will generate and store unique, strong, random passwords for each account we use.