How did LinkedIn get hacked?

Up to 60 per cent of the passwords stolen in the LinkedIn hack are now publicly known, and here's how the hackers are cracking them.

LinkedIn has confirmed that some of the password hashes that were posted online do match users of its service. They have also stated that passwords that are reset will now be stored in salted hashed format.

What is a salt? It is a string that is added to your password before it is cryptographically hashed. What does this accomplish? Because every salt produces a different hash for the same password, attackers cannot pre-compute a list of password hashes from a dictionary (or similar technique) once and then reuse it against every account.

[Figure: password hash with salt example]

This is an important factor in slowing down people trying to brute force passwords. It buys time, and unfortunately the hashes published from LinkedIn did not contain a salt.

After removing duplicate hashes, SophosLabs has determined there are 5.8 million unique password hashes in the dump, of which 3.5 million have already been brute forced. That means over 60% of the stolen hashes are now publicly known.

We also did some additional testing of commonly used passwords that should never be used. We started with the list of passwords that the Conficker worm used to spread through Windows networks.

All but two of the Conficker passwords were used by someone in the 6.5 million user password dump. The two passwords that weren't found were 'mypc123' and 'ihavenopass'.

Other passwords that we found in the dump include 'linkedin', 'linkedinpassword', 'p455w0rd' and 'redsox'. We even found passwords that suggest people should know better like 'sophos', 'mcafee', 'symantec', 'kaspersky', 'microsoft' and 'f-secure'.
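The following is an added illustration, not code from the original post or from Sophos, of the two points above: why an unsalted dump can be checked against a password list in one pass (the kind of check SophosLabs describes running with the Conficker list), and why a salt stops that precomputed table from being reused. The post does not name LinkedIn's hash algorithm; SHA-1 is assumed here purely for illustration, and the user records and the short password list are constructed sample data.

```python
import hashlib
import os

# Constructed sample wordlist of the kind of weak passwords the post mentions.
WEAK_PASSWORDS = ["linkedin", "p455w0rd", "redsox", "sophos", "ihavenopass"]


def unsalted_hash(password: str) -> str:
    """Hash the bare password (assumed SHA-1; the post does not name the algorithm)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Prepend a per-user salt before hashing; the salt is stored next to the hash."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once. Against unsalted hashes this table is
    reusable for every user in every dump, which is what makes it so cheap."""
    return {unsalted_hash(p): p for p in wordlist}


def crack_unsalted(dump, table):
    """One dictionary lookup per stored hash; no hashing work at all per user."""
    return {h: table[h] for h in dump if h in table}


def crack_salted(dump, wordlist):
    """dump is a list of (salt, hash). The precomputed table is useless here:
    every user's salt forces a fresh hashing pass over the wordlist.
    Returns (cracked, number_of_hash_operations)."""
    cracked, ops = {}, 0
    for salt, h in dump:
        for p in wordlist:
            ops += 1
            if salted_hash(p, salt) == h:
                cracked[h] = p
                break
    return cracked, ops


def demo():
    # Constructed users; alice and dave share a password, carol's is not in the list.
    users = {"alice": "linkedin", "bob": "redsox",
             "carol": "correct horse battery", "dave": "linkedin"}

    # Unsalted: identical passwords collapse to one hash (like the de-duplicated dump),
    # and the table built once answers for all of them.
    unsalted_dump = {unsalted_hash(pw) for pw in users.values()}
    table = build_lookup_table(WEAK_PASSWORDS)
    found_unsalted = crack_unsalted(unsalted_dump, table)

    # Salted: each user gets a random 16-byte salt, so alice and dave no longer
    # share a hash and each record has to be attacked separately.
    salted_dump = []
    for pw in users.values():
        salt = os.urandom(16)
        salted_dump.append((salt, salted_hash(pw, salt)))
    found_salted, salted_ops = crack_salted(salted_dump, WEAK_PASSWORDS)

    return {
        "unique_unsalted_hashes": len(unsalted_dump),  # 3: alice and dave collapse
        "unsalted_cracked": len(found_unsalted),       # 2 hashes, covering 3 of 4 users
        "unsalted_hash_ops": len(WEAK_PASSWORDS),      # table built once, reusable forever
        "unique_salted_hashes": len(salted_dump),      # 4: no two records collide
        "salted_cracked": len(found_salted),           # 3: weak passwords still fall...
        "salted_hash_ops": salted_ops,                 # ...but only after per-user hashing work
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salt does not make a single guess any more expensive; what it removes is the ability to precompute a table in advance and to crack every user who chose the same password with one lookup. That is exactly why the unsalted LinkedIn hashes could be checked against password lists so quickly.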

We will continue to keep Naked Security readers up to date with what is known as we learn more.

It is critical that LinkedIn investigate this to determine if email addresses and other information was also taken by the thieves which could put the victims at additional risk from this attack.

Special thanks to Beth Jones and Richard Wang from SophosLabs for their hard work and assistance with this post.

Chester Wisniewski is a senior security advisor at Sophos Canada; you can see his profile and his other work here.
