Change your LinkedIn password. Massive password theft.



FunSave22
Jun 6th, 2012, 02:50 PM
For those who haven't been paying attention to the news, there has been a large number of passwords stolen from LinkedIn.

http://www.bbc.com/news/technology-18338956



The news reports state that it's about 6.5 million passwords stolen, but it appears that is actually an underestimation. Instead there have been 6.5 million unique passwords stolen. So for the thousands of users who use "password" as their password, there is only one entry in the list.

It appears that LinkedIn didn't use best practices in the way they encrypted the passwords, so a large number of the passwords have already been decrypted. So you probably want to change your password very soon, and if you shared this password with other accounts, you definitely need to change all of them right now.




If you want to check to see if your password is there, you can download the list from one of these links: http://mirrorstack.com/yn97bpowh6fj


You will need to generate the hash of your password. You can do this here. (But don't do this until after you have changed your password).
http://hash.online-convert.com/sha1-generator



And when searching through the list to see if your hash is there it appears the hacker who created the list changed the first 5 characters to zero, if they have already cracked that password. So you probably want to search for your hash and if that isn't found, then change the first 5 characters to 0 and then search again.

FunSave22
Jun 6th, 2012, 02:53 PM
And in case anyone was wondering, my password was in the list, but it wasn't one of those that was yet decrypted.

Generating long, complex passwords with KeePass paid off. :)

Franchise10
Jun 6th, 2012, 03:20 PM
Thanks for the link. Will need to check tonight if my account is on the list. Also, maybe move this to OT instead of careers?

alanbrenton
Jun 6th, 2012, 04:03 PM
And in case anyone was wondering, my password was in the list, but it wasn't one of those that was yet decrypted.

Generating long, complex passwords with KeePass paid off. :)

How do you know this? Were you given a notification by Linkedin?

Just make sure the new password is not the same as any other password because there might be another breach. :)

aaaaaa
Jun 6th, 2012, 04:07 PM
I'm curious why LinkedIn hasn't already issued a notice to all their users to change their password. I mean, if they don't know how they got hacked, they need to figure that out, but it should be them, and not the news reporting this to their users. So much fail :)

FunSave22
Jun 6th, 2012, 04:08 PM
How do you know this? Were you given a notification by Linkedin?
No, after changing my password, I downloaded the list of hashed passwords.

I then generated a hash for my old password and checked to see if it was in the list. It was.


And neither the old nor the new password was used anywhere else.

ji2o0k
Jun 6th, 2012, 04:11 PM
Good thing I don't have a LinkedIn account...whew!

alanbrenton
Jun 6th, 2012, 04:12 PM
No, after changing my password, I downloaded the list of hashed passwords.

I then generated a hash for my old password and checked to see if it was in the list. It was.


And neither the old nor the new password was used anywhere else.

Cool. You must be one of the people who uses varying passwords across forums/email addresses. I try to keep them consistent but the good thing is, the email address associated with my Linkedin had previously been hacked and I have a special password for that now.

Thanks for the heads up FunSave as I was about to post about it too.

alanbrenton
Jun 6th, 2012, 04:13 PM
Good thing I don't have a LinkedIn account...whew!

I only needed it for a job interview last year. Helps make my resume look more credible/verifiable. LOL.

FunSave22
Jun 6th, 2012, 04:16 PM
You must be one of the people who uses varying passwords across forums/email addresses.
I use a free tool called KeePass (http://keepass.info/).


It generates a long, random password for each of your sites. And then stores these passwords in an encrypted database. The only thing you need to remember is the password to get into KeePass.

And your password to get into KeePass should be a long, strong password. Not something easily cracked.

Powder + park raider
Jun 6th, 2012, 04:21 PM
I use a free tool called KeePass (http://keepass.info/).


It generates a long, random password for each of your sites. And then stores these passwords in an encrypted database. The only thing you need to remember is the password to get into KeePass.

And your password to get into KeePass should be a long, strong password. Not something easily cracked.

then what's to stop keepass database from getting hacked and all your passwords leaked?

sandikosh
Jun 6th, 2012, 04:23 PM
Linkedin? What is that?

Ottomaddox
Jun 6th, 2012, 04:28 PM
So they got passwords, but not the information to tie a specific password to an account...?

FunSave22
Jun 6th, 2012, 04:29 PM
then what's to stop keepass database from getting hacked and all your passwords leaked?
It's a trade off.


I'm willing to bet having an encrypted database protected by a strong password is better than:


Using the same password at all sites since I am not able (or can't be bothered) to remember so many passwords.
Using different, but similar, passwords at different sites, since I am not able (or can't be bothered) to remember so many strong passwords.

FunSave22
Jun 6th, 2012, 04:33 PM
So they got passwords, but not the information to tie a specific password to an account...?
It's assumed they also have the email address associated with each password, but have chosen not to publish the email address at this time.


Once they have enough passwords cracked they'll probably sell them, or hack into peoples accounts, or see if they shared their password with their email accounts or do whatever they plan to do with the info.

whampoa
Jun 6th, 2012, 04:39 PM
then what's to stop keepass database from getting hacked and all your passwords leaked?

Exactly, that's even worse.

BTW, KeePass sounds familiar, I believe they had a massive security issue not long ago?

FunSave22
Jun 6th, 2012, 04:41 PM
BTW, KeePass sounds familiar, I believe they had a massive security issue not long ago?
That would be LastPass. They keep your passwords stored online. And there were no passwords stolen.

With KeePass you keep your database with you. I have a copy on my desktop machine and on a USB key.


And the database is encrypted with AES and I have a strong password. I'm not too worried.

FunSave22
Jun 6th, 2012, 05:05 PM
Someone has put up a website where you can check if your password is among those leaked.

Obviously, do not enter your password if you are still using it on any site. Or if it is similar to any other passwords you use.


http://leakedin.org/

longitude
Jun 6th, 2012, 05:17 PM
is it by any chance linked to gmail's password?

FunSave22
Jun 6th, 2012, 05:20 PM
is it by any chance linked to gmail's password?
No.

LinkedIn and Google are separate companies. They don't share passwords.


However, if you had an account with both there would be nothing stopping you from using the same password with both accounts. If this is true, then you have a problem and need to change both of your passwords as soon as possible.

Agafaba
Jun 6th, 2012, 05:34 PM
At the very least people should have several tiers of passwords. I have one password I use for most sites I don't care much about, a different one for my e-mail accounts and one I use exclusively for financial sites (aka my bank).

Kris81
Jun 6th, 2012, 05:40 PM
I hope whoever hacked my account can at least update my resume to something that'll get me a new job.

longitude
Jun 6th, 2012, 06:16 PM
And when searching through the list to see if your hash is there it appears the hacker who created the list changed the first 5 characters to zero, if they have already cracked that password. So you probably want to search for your hash and if that isn't found, then change the first 5 characters to 0 and then search again.

I searched the last few digits of the hash code of my password and it wasn't found in the list.

FunSave22
Jun 6th, 2012, 06:21 PM
I searched the last few digits of the hash code of my password and it wasn't found in the list.
Then it would seem that your password wasn't hacked. (Or at least it wasn't in the file that the hackers released. There's no guarantee the hackers have released all of the hashes they took).

I'd still change your LinkedIn password, if you already haven't.

dibksbgon
Jun 6th, 2012, 07:04 PM
I hope whoever hacked my account can at least update my resume to something that'll get me a new job.


Ha ha. Winning.

Corleone187
Jun 6th, 2012, 07:54 PM
wow what are they using for their website? Joomla? PHP-Nuke? :confused:

Franchise10
Jun 6th, 2012, 08:00 PM
Someone has put up a website where you can check if your password is among those leaked.

Obviously, do not enter your password if you are still using it on any site. Or if it is similar to any other passwords you use.


http://leakedin.org/


Created On:06-Jun-2012 15:54:30 UTC
Last Updated On:06-Jun-2012 16:00:39 UTC
Expiration Date:06-Jun-2013 15:54:30 UTC

Looks like this person is banking on trying to get as many hits off of this as possible. Useful site. Just searched for "password" and that was leaked lol.

FunSave22
Jun 6th, 2012, 08:03 PM
Just searched for "password" and that was leaked lol.
Gizmodo has a list of some of the more interesting passwords that were leaked.

I'm not going to link to it as some of them are inappropriate. :)

Franchise10
Jun 6th, 2012, 08:19 PM
Gizmodo has a list of some of the more interesting passwords that were leaked.

I'm not going to link to it as some of them are inappropriate. :)

haha just searched for them and yea some of them are interesting lol.

coriolis
Jun 6th, 2012, 08:20 PM
Phew, not leaked.

althetrainer
Jun 6th, 2012, 08:27 PM
Yes, saw that on the news. Leaked or not, I changed my password immediately. The free download list took forever to load so I just went ahead and changed my PW without waiting. I don't have much information on LinkedIn but people could use my account to post false information or make connections for scams. When it comes to something like this, better safe than sorry!

thechampion116
Jun 7th, 2012, 12:15 AM
Not leaked but changed it to something very stupid that wasn't used before.

Will never use a variant or something even close to important for LinkedIn.

murdoc2k
Jun 7th, 2012, 09:08 AM
Can't seem to find my hash. I even added 5 zeros in front to see if it's been hacked, it's just not on the list. Don't know if it's a good thing or not :S

I changed pw anyways though.

TheRealVinsanity
Jun 7th, 2012, 09:12 AM
Thanks, changed my password.

FunSave22
Jun 7th, 2012, 09:37 AM
Can't seem to find my hash. I even added 5 zeros in front to see if it's been hacked, it's just not on the list. Don't know if it's a good thing or not :S

To be clear, you need to change the first five characters of the hash to zero, not add five zeros to the hash, to check to see if the hash has been cracked.

danfromwaterloo
Jun 7th, 2012, 09:46 AM
This infuriates me. I use something like four passwords online, all of them of suitable complexity to make their bruteforcing next to impossible. Now, one of them is compromised and I have to change about a half-dozen site passwords to protect myself because my hash was not only compromised but also hacked to reveal the underlying password. That angers me.

FrogPrince
Jun 7th, 2012, 09:52 AM
Linkedin? What is that?

It's for grown-ups. Don't worry about it.

FunSave22
Jun 7th, 2012, 04:29 PM
Just as an aside, it was reported today that last.fm also had 17 million passwords stolen. And roughly 95% of them had their encryption cracked.


The problem is that the theft occurred in 2010 or 2011. So this is a good reason why you shouldn't share passwords between accounts. Because if you do share passwords, hackers may have had your password for a year or two.



http://lifehacker.com/5916642/lastfm-passwords-also-leaked-change-yours-now

Aznsilvrboy
Jun 7th, 2012, 04:30 PM
To be clear, you need to change the first five characters of the hash to zero, not add five zeros to the hash, to check to see if the hash has been cracked.

What does it mean when the full hash is there but with five zeros in front of it?

FunSave22
Jun 7th, 2012, 04:35 PM
What does it mean when the full hash is there but with five zeros in front of it?
The hacker who published the list replaced the first five digits of the hash with zeros if he had already cracked that hash.

He was asking for help in cracking the other hashes, so he was just using the zeros to show which ones he had already cracked and didn't need help with.
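The lookup described in the opening post, together with the zeroed-prefix convention explained in this reply, as an added Python example that is not part of the original thread: it hashes a password locally with unsalted SHA-1 (the scheme the leaked file used) and indexes the file by the 35 hex digits that survive zeroing, so one pass finds an entry whether it was published intact or marked as cracked. The sample lines are constructed for the example, not the real leaked data, and the function names are this example's own.

```python
import hashlib

def sha1_hex(password):
    # Unsalted SHA-1 of the UTF-8 password, the form the leaked file stored.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def load_hashes(lines):
    """Index a leak-style file: one 40-hex-digit SHA-1 per line.

    The list's author replaced the first five digits of already-cracked
    hashes with zeros, so the key is the 35 digits that survive zeroing and
    the value is the set of 5-digit prefixes seen ("00000" = marked cracked).
    """
    index = {}
    for line in lines:
        h = line.strip().lower()
        if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
            continue  # blank lines and anything that is not a SHA-1 digest
        index.setdefault(h[5:], set()).add(h[:5])
    return index

def check_password(password, index):
    """Return 'not_found', 'found_uncracked' or 'found_cracked'.

    The password is hashed here and never leaves the process, unlike typing
    it into a third-party lookup site.
    """
    h = sha1_hex(password)
    prefixes = index.get(h[5:])
    if prefixes is None:
        return "not_found"
    if "00000" in prefixes:
        return "found_cracked"     # published with its prefix zeroed
    if h[:5] in prefixes:
        return "found_uncracked"   # present intact at publication time
    return "not_found"             # 35-digit suffix collision only

# Constructed sample lines in the file's format (not the real leaked data).
SAMPLE_LINES = [
    sha1_hex("password"),                               # intact entry
    "00000" + sha1_hex("linkedin")[5:],                 # marked as cracked
    sha1_hex("correct horse battery staple").upper(),   # upper-case line
    "",                                                 # blank, ignored
    "not a hash",                                       # junk, ignored
]

if __name__ == "__main__":
    idx = load_hashes(SAMPLE_LINES)
    for pw in ("password", "linkedin", "hunter2"):
        print(pw, "->", check_password(pw, idx))
```

To run it against a downloaded copy of the file, pass the open file object to load_hashes instead of SAMPLE_LINES.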

pnyknights
Jun 11th, 2012, 01:34 PM
Interesting...I've been getting quite a few phishing emails supposedly from LinkedIn over the past week....I didn't even know I had an account there ;)

FunSave22
Jun 11th, 2012, 06:38 PM
Here's an interesting article about how someone was able to use a simple tool to quickly decrypt 2 million of the 6.5 million passwords. It turns out way too many people are choosing very simple passwords.


http://www.net-security.org/article.php?id=1727

mockingjay404
Jun 12th, 2012, 11:03 AM
When I logged in to LinkedIn last night, there was (finally) a yellow box at the top talking about new security measures and changing passwords. If I already changed my password when the OP posted this thread, am I safe?

or are they saying that they were hacked AGAIN?