LinkedIn Leak – 6.5 Million Passwords

When I first saw the tweets come through about the list of 6.5 million LinkedIn hashes I changed my account password right away. Then, as many others did, I went out on the net to see if I could find this list. I found my way to yandex.ru as most everyone else did and downloaded a file called combo_not.zip. This was the supposed leak of LinkedIn passwords.

I noticed something odd as soon as I opened the txt file in the zipped archive: there were no usernames associated with the SHA1 hashes. Odd … Then I read further news articles that reported the usernames were never released. This to me seems way off. What has ever stopped a supposed hacker from full disclosure? If this person wanted recognition (why else would you release the hash list), why spend the time to take out the usernames from the file? This really started to smell bad to me. However, I still proceeded to alert the users on my (work) network to change their passwords if they had a LinkedIn account.

So is the list actually hashes from LinkedIn?

This one I obviously can’t determine; I can only speculate. However, I am currently conducting a password audit on a 3000+ user Active Directory site, and I have an insight into what users do. That is, make stupid passwords. So I took a few quick passwords that I thought would be plausible to see in a list of 6.5 million and created hashes.


[root@XXXXXXXX ~]# echo -n password | openssl sha1
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
[root@XXXXXXXX ~]# echo -n password123 | openssl sha1
cbfdac6008f9cab4083784cbd1874f76618d2a97
[root@XXXXXXXX ~]# echo -n peppermint | openssl sha1
379e4d2c8acbe436892c6dfcb071f8da3a226d5f
[root@XXXXXXXX ~]# echo -n abcd1234 | openssl sha1
7ce0359f12857f2a90c7de465f40a95f01cb5da9
[root@XXXXXXXX ~]# echo -n September12 | openssl sha1
8504a83b2465f31082440e519dba8089df85162a
[root@XXXXXXXX ~]# echo -n Password123 | openssl sha1
b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1
[root@XXXXXXXX ~]# echo -n Summer2010 | openssl sha1
aedc8a5f168d56f3cb452b2f1fb797798aed9796

Once I had a handful of hashes (along with my actual LinkedIn password hash) I searched the text file, but did not find a single one. So I tried to go in reverse. I used an online tool to see if I could reverse any of the hashes. Out of a good 60 or so hashes randomly selected I was only able to get one. Now, looking at the plain text, I don’t think any user (well, any user I know) would use this password. If a person was going to be this cryptic with their password, don’t you think they would have the sense to make it longer?

be390db50a418496868f2393aa008d3c5a54dedd SHA1 : 2iein!

This was around line 3,374,386.
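As an added example (not the author’s code, and not the PHP page mentioned later in the post), here is a local Python version of the check described above: hash candidate passwords with unsalted SHA1, look them up in a hash-per-line dump, and try a small wordlist in reverse. Doing this locally means the password never leaves your machine, unlike an online “SHA1 generator”. The dump and wordlist below are constructed stand-ins for combo_not.txt, not data from the real list.

```python
import hashlib

# Constructed stand-in for combo_not.txt: one lowercase hex SHA-1 per line.
# Lines 1-2 are the hashes of "password" and "password123" from the post;
# line 3 is SHA-1("abc"); line 4 is deliberately malformed to exercise the parser.
SAMPLE_HASH_LIST = """\
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
cbfdac6008f9cab4083784cbd1874f76618d2a97
a9993e364706816aba3e25717850c26c9cd0d89d
not-a-hash
"""


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the same thing `echo -n <pw> | openssl sha1` prints."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_hash_set(text: str) -> set:
    """Parse a hash-per-line dump into a set for O(1) lookups.

    Blank and malformed lines are skipped so one bad row does not abort the run."""
    hashes = set()
    for line in text.splitlines():
        h = line.strip().lower()
        if len(h) == 40 and all(c in "0123456789abcdef" for c in h):
            hashes.add(h)
    return hashes


def check_candidates(candidates, hash_set):
    """Forward check (what the post does with openssl): which candidate
    passwords hash to a value that is present in the dump? Returns pw -> hash."""
    return {p: sha1_hex(p) for p in candidates if sha1_hex(p) in hash_set}


def reverse_lookup(hash_set, wordlist):
    """Reverse check (what the post did with an online tool): which dump
    hashes are hit by a wordlist? Returns hash -> plaintext for each hit."""
    return {sha1_hex(w): w for w in wordlist if sha1_hex(w) in hash_set}


if __name__ == "__main__":
    dump = load_hash_set(SAMPLE_HASH_LIST)
    print("forward hits:", check_candidates(["password", "peppermint"], dump))
    print("reverse hits:", reverse_lookup(dump, ["abc", "Summer2010"]))
```

To run it against a real dump, replace SAMPLE_HASH_LIST with the contents of the downloaded text file; the set fits in memory for a list of this size.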

The question now comes up: if the file is fake, why release such a huge amount of hashes and not just a few hundred thousand? For fame of course .. nah! I have thought of a few reasons that someone may do this.

1. Maybe this is an attempt to have every LinkedIn user hit the servers all in one day as a type of DDoS? HA! I highly doubt it! Stupid idea.

2. Not everyone has a Linux box or even the know-how to create a SHA1 hash. So they would probably Google a “SHA1 Generator” and then type their LinkedIn password into the website. If this was the attack, the bad guys could ensure that their site was ranking very high in Google before releasing the supposed list. Then the site would store the password and email address from the browser. What, you didn’t know your email address is given out by your browser to any site that asks for it? Tsk, tsk, you should harden your system. Or, even more basically, the website could just be storing the passwords for an ultimate crowd-sourced dictionary file. Either possibility is kind of far-fetched if you ask me and not really worth the effort, especially if the user knows about the list and will ultimately change their password.

3. Another possible reason for releasing a fake list of hashes like this would be to generate media hype, which it has worldwide! Why though? I am going out on a limb here and saying that it is to launch a mass phishing attack. Why not? What was one of the first things that I did as a knowledgeable security administrator? I alerted my users through email. An attacker could do the exact same thing but utilizing the media hype.

Think of this. You receive an email from news@cnn.com (right there most people trash it … however) and the user starts reading the email. There are legitimate links to news sites on the net providing real reports on the situation. Then at the bottom “CNN” gives you a link to quickly change your LinkedIn password. You are at risk, you know! Then whammo! Welcome to phishing central. Not only slick but also very believable.

This type of attack (if my speculation is correct) could be the first of a new wave of phishing attacks: social engineering (using the media) mixed with your classic phishing attack, which is also a social engineering attack at its base. Now if this isn’t what is happening, maybe I just gave some bad guys some ideas …. oops.

LinkedIn has confirmed “that some of the passwords that were compromised correspond to LinkedIn accounts” (Vicente Silveira) – http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/ HA! This doesn’t mean a damn thing! The only thing that it actually suggests is that LinkedIn does not (publicly) dispute that users’ passwords are stored as unsalted SHA1 hashes. Hotmail/FaceBook/Twitter … could all say the exact same thing (and be truthful about it) about their own networks. What surprises me is that the security community at large is jumping to conclusions about the security of LinkedIn, although they could be entirely correct.

LinkedIn has since reset passwords on “compromised accounts”. This is just a safety precaution, people! Remember, there are still (at this time) no accounts to go with the hashes, so maybe they guessed a couple hundred … thousand passwords right. At this point I am still not convinced that the list is legitimate.

Check to see if your LinkedIn Password was in the hash list

I have created a simple PHP page that hashes your password and searches the hash list that I downloaded from yandex.ru and lets you know if your password was one of the 6.5 million. Start [link removed]!

*** UPDATE ***

Now there is www.leakedin.org – Why didn’t I hyperlink it? Because I don’t think it would be a smart idea to enter your LinkedIn password into any site that is not LinkedIn.

All work on this site is not to be reproduced without written permission from Nick Schroedl.