June 06, 2012

On June 5th, someone posted a list of 6.5M password hashes to a hacker forum (click to BIGGIFY):

ForumPic

This forum specializes in hash cracking, that is, deciphering passwords that have been hashed (a method that scrambles a user's password).  Imperva’s ADC has analyzed this file.  In addition, one member of the forum was able to crack (i.e., find out the original password) for 100,000 of the hashes.  We have this file as well.

(To see a vivid overview of how password cracking works, see our blog on this topic.)

We believe the size of the breach is much bigger than the 6.5M accounts.  Two data points indicate why:

  • The password list is missing “easy” passwords.  The password files do not contain easy to crack passwords such as “123456” that are traditionally the most common choice of passwords.  This is strange, so why is this happening?  Most likely, the hacker has figured out the easy passwords and needs help with less common ones, so the hacker only published the more complicated ones.  Most likely, many of the passwords haven’t been revealed.
  • Passwords are typically listed only once.  In other words, the list doesn’t reveal how many times a password was used by the consumers.  This means that a single entry in this list can be used by more than one person. For reference, in the RockYou hack the 5,000 most popular passwords, were used by a share of 20% of the users.  We believe that to be the case here as well, another indicator that the breach size exceeds 6.5M.

In addition, by analyzing the files we believe:

  • The passwords weren’t properly protected.  The hashes, in geek speak, were unsalted sha1 hashes.  Not salting is a bad practice that we detailed in last month’s report on the Militarysingles breach.   Salting, in layman’s terms, complicates the process of a hacker cracking a password.  Not only do you encrypt the password, but append it with a random string of characters so even if those passwords are revealed, they look like gobbledygook.
  • LinkedIn was probably breached but the password database doesn’t indicate this specifically.  Many of the passwords contained a high volume of the word, or a variation of the word, “linkedin”.  This indicates that the pool of passwords comes from LinkedIn, though the hacker hasn’t specifically made such a connection.  The password set shows:
    • 13 passwords contained “linkedin”
    • 509 passwords contained “linked”
    • 1134 passwords contained “link”

Therefore we can speculate that the site name is related to “link” as people tend to use the site name in a password.  Recall that in the RockYou breach, the password “rockyou” was the 7th most popular on that site. Since there are no corresponding usernames, we cannot validate if these are really valid LinkedIn.com credentials. However, it’s safe to assume that the hacker was able to get them, but he does not want to give away this data to his fellow crackers.

What can we learn from this incident?
In December 2011, we report an enterprise guide to proper password management.  Read it, we detail how to properly store passwords so that even in the event of a breach, cracking them will be a complicated and unattractive process.

LinkedIn Response
As of a few minutes ago, LinkedIn has officially recommended that users change their passwords:

LinkedIn

 

 


Authors:

Share:
Share on LinkedIn

Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.