Yesterday, SecurityWeek published an early report on a story from Dangens IT that a hashed password list containing some 6.5 million records may have been leaked from LinkedIn. Throughout the morning, several people examining the list of password hashes reported discovering their own credentials in the stolen list. By the afternoon, LinkedIn confirmed the security incident, and dating site eHarmony added to the news cycle by reporting that they too were breached.
Commenting on the incident earlier in the morning, Troy Gill, a security analyst for AppRiver, said, “While technically no accounts have been hacked yet, I am sure they could be very quickly...”
“The good news is that the passwords are encrypted using SHA-1, which means the hacker will still have to exert some effort to crack them, but strong and complex passwords will take a much greater amount of time and resources than a simple password. Therefore those with a complex and lengthy password will be much safer than those without.”
As it turned out, the unsalted SHA-1 hashes were trivial to crack using basic tools. LinkedIn has started taking heat for storing the hashes without any additional protection: a salt is a random value stored alongside each hash and mixed into the password before it is hashed, so that two users with the same password get different hashes and a single precomputed table cannot be run against the whole database. Salting is a basic layer of protection for any password store, not an advanced one.
After admitting that there was a password leak from their site, LinkedIn did report that they are adding salt to the new hashing process.
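To make the difference concrete, here is an added example (not code from the original article, LinkedIn, or any of the cracking tools mentioned) that stores a few constructed sample passwords three ways: bare SHA-1 as LinkedIn did, SHA-1 with a random per-user salt, and salt plus a deliberately slow key-derivation function. It then runs a small wordlist attack against each. The users, passwords and wordlist are made up for the example; the real leaked list is not reproduced. Salting alone only removes the shared precomputed table; a single weak password is still guessable with a fast hash like SHA-1, which is why the slow-KDF variant is included as the caveat a practitioner would want.

```python
import hashlib
import hmac
import os

# Constructed sample data, not the real leaked list: a tiny wordlist and three
# users, two of whom share a common password.
WORDLIST = ["password", "123456", "qwerty", "letmein", "linkedin", "ilovelinkedin", "baseball"]
USERS = {"alice": "linkedin", "bob": "password", "carol": "password"}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# --- Unsalted storage, as LinkedIn used in 2012 --------------------------------

def store_unsalted(users):
    """Hash each password with bare SHA-1. Same password -> identical hash."""
    return {user: sha1_hex(pw.encode()) for user, pw in users.items()}


def build_lookup_table(words):
    """Precompute SHA-1 of every candidate once; reusable against any unsalted dump."""
    return {sha1_hex(w.encode()): w for w in words}


def crack_unsalted(dump, table):
    """One dictionary lookup per leaked hash, no hashing work at crack time."""
    return {user: table[h] for user, h in dump.items() if h in table}


# --- Salted storage ------------------------------------------------------------

def salted_sha1(password: str, salt: bytes) -> str:
    return sha1_hex(salt + password.encode())


def store_salted(users, salt_len=16):
    """Random per-user salt stored beside the hash; same password -> different hashes."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)
        out[user] = (salt, salted_sha1(pw, salt))
    return out


def crack_salted(dump, words):
    """The shared table is useless; every record needs its own wordlist pass.
    Returns the cracked passwords and the number of hash computations spent."""
    found, work = {}, 0
    for user, (salt, h) in dump.items():
        for w in words:
            work += 1
            if salted_sha1(w, salt) == h:
                found[user] = w
                break
    return found, work


# --- Salt plus a slow KDF (the hardened form) ----------------------------------

def store_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted and deliberately slow: each guess costs `iterations` HMAC-SHA-256 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pbkdf2(password: str, salt: bytes, stored: bytes, iterations: int = 100_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    dump = store_unsalted(USERS)
    print("bob and carol share a hash:", dump["bob"] == dump["carol"])
    print("unsalted cracked:", crack_unsalted(dump, build_lookup_table(WORDLIST)))
    sdump = store_salted(USERS)
    print("salted, same password, same hash?", sdump["bob"][1] == sdump["carol"][1])
    found, work = crack_salted(sdump, WORDLIST)
    print("salted cracked:", found, "with", work, "hash computations")
```

Against the unsalted dump the attacker hashes the wordlist once and then just looks up every leaked hash; identical hashes also reveal which users share a password before any cracking starts. Against the salted dump each record costs its own pass over the wordlist, and the weak entries are still recovered, which is the point of the PBKDF2 variant: with a per-guess cost of 100,000 iterations the same wordlist pass is five orders of magnitude more expensive.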
“It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases,” LinkedIn noted in a statement.
By now, most of the 6.5 million passwords taken from LinkedIn and leaked to a Russian forum have been cracked, so if you haven’t yet – go change your password.
In addition to LinkedIn, dating site eHarmony examined the list of leaked passwords and confirmed speculation that they were breached as well.
“After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected... We deeply regret any inconvenience this causes any of our users,” they said in a statement.
Based on the list, eHarmony also failed to salt its hashes, and its attempt to highlight its security measures, such as SSL, misses the point: SSL protects data in transit between the browser and the site, and does nothing to protect a stored password database from someone who already has access to it, whether through valid credentials or another route. It remains unclear how the passwords were accessed in the first place. Neither LinkedIn nor eHarmony has mentioned discovering or patching a vulnerability, so it is possible that the criminals who obtained the first list could obtain another in the future.
We’ll follow the story and report any new developments.
Related Reading: Busting Myths: Why SSL ≠ Application Security