Page 1 of 2
Social networking powerhouse LinkedIn is investigating reports that approximately 6.5 million passwords have been stolen, and that their hashed representations have been posted on the Internet.
While the company has neither confirmed nor denied that the posted hashes are actually user passwords, a number of experts in the security field believe it to be true.
“A lot of people in the security field have been comparing hash values, and a lot of their own passwords are showing up -- including my own,” said Dave Pack, director of LogRhythm Labs, a Boulder, Colo-based security managed service provider. “So that's a pretty good indication that this is a legitimate breach.
A number of industry experts also noted that 6.5 million represents only a small subset of the LinkedIn account base, so the actual scale of the alleged breach is yet to be determined.
“It’s common for attackers to release only a limited set of the data to prove that the hack took place,” said Pack. “So the full scope is unknown at this time and possibly could include the full database.”
Regardless of the extent of the breach, anyone in possession of the list must successfully complete at least another layer of hacking before the actual passwords are revealed.
“The attackers have only released that list of cryptographic hashes,” said Chester Wisniewski, senior security advisor at Boston-based Sophos. “We don't know if they have email addresses or names, or any other information. The passwords by themselves are pretty useless because the passwords can be changed. But, we are wondering if the attacker perhaps has a lot more information, and they just released this list so that the community will crack all the passwords so they don't have to use their own computing power to do so. And, once those passwords start getting published, they can match them back to the hashes.”
Wisniewski added that the hashed passwords were not adequately secured. While it stands to reason that anything that can be stolen was not adequately secured, he explained that these were unsalted SHA-1 hashes.
“SHA-1 is currently considered the best algorithm for doing that kind of thing, but the act of salting makes it a lot harder to crack the passwords. Salting is adding something random to everyone's password before it’s encrypted, so you can't perform dictionary attacks as easily. Because they didn't do that, I'm guessing that most of the passwords in this list are going to be figured out within a day. Had they salted them, it could possibly have taken years.”
The attack could have been executed using any number of means, including a SQL injection.