If you haven’t changed your LinkedIn password yet, it’s time to do so. And for all of you who like to use the same password across all of the sites that you visit, you have a lot of password changing ahead of you.
This week, a hacker in a Russian forum claimed to have hacked LinkedIn and to have obtained the password hashes for 6.5-million accounts. The hashes were posted online on a variety of sites, but have been released without corresponding usernames. Of course, while the usernames have not been released, only the hacker will be aware of which accounts these passwords correspond to. However, many users have hashed their passwords and then searched to check whether or not the file contains the relevant hash, and it certainly seems that the hack is genuine. LinkedIn has also confirmed the breach. So, other than changing your password, what implications does this compromise have?
Password hashes in themselves don’t go so far as revealing an actual password. Usually, most websites today will not actually store your password, they’ll store a hash of it. This is actually an encrypted version of the password that uses an algorithm against the password that you provide in order to turn it into a specific hash. LinkedIn uses the SHA-1 algorithm in order to create its hashes. Usually, the SHA-1 will accept a salt to make the password hash more secure by providing 2-way encryption.
In general, that’s good security practice. One of the disturbing facts about this leak is that the hashes have been stored unsalted. That means that you can easily brute-force attach the hash file. In fact, using a bit of guess-work, it is clear that hashes in the file exist for passwords like: ‘linkedin’, ‘LinkedIn’, ‘L1nked1n’, ‘l1nked1n’, ‘L1nk3d1n’, ‘l1nk3d1n’ and so on. So, the first point to make here is that LinkedIn has not followed the best possible security practice in terms of how it stores passwords. Considering how much private data is stored at LinkedIn, this is deeply upsetting.
Since LinkedIn requires a valid email address in order to login, it is more than likely that email address and password hash combinations have actually been obtained together. Even if the password hashes aren’t decoded, a hacker has just obtained 6.5-million valid email addresses to sell onto any spam network of their choosing. That’s pretty infuriating but to be fair, there is not much that LinkedIn could have done to prevent this. The wider implication though is that many people reuse passwords across sites. Since most sites today will validate an account using an email address, it seems likely that this hack will result in compromises across many other online applications.
Beyond the actual implications of a file circulating on the net containing millions of encrypted passwords, there are other concerns. At this point, LinkedIn is still investigating how this happened. More than likely the compromise took place through the web frontend of the site, but no one knows when this happened, how it happened, or whether there are still backdoors into the infrastructure. That means that we could see a repeated occurence, or that password changes in themselves could have been monitored. Until LinkedIn can step forward and explain what has happened and what steps they have taken to ensure that their site is actually safe to use, your account may not be safe.
Furthermore, other similar services could appear on the net with the explicit purpose of harvesting plain-text passwords. Sites like this are also capable of keeping further information about you, such as the IP address that you visited from, the hash that you actually submitted and the referrer that sent you there. In many ways, this puts you in a worse off position.
To begin with, the site itself is able to build its own library of hashes, including hashes of passwords that are not already compromised. On top of this, the hash itself gets transmitted in plain text over the wire as an HTTP GET request, clear for anybody to see. Finally, that password hash sits in your browser history, just so that anybody who has access to your computer can pick it up and try to run a brute force attack on it. I personally wouldn’t touch a service like this with a barge-pole.
In related news, all you iPhone users taking advantage of the LinkedIn App, it seems that the iOS application shares your calendar entries with the LinkedIn servers. That in and of itself may not be such exciting news, but it seems that everything about a meeting scheduled in your calendar (including members, subject, location, notes, etc.) are all shared as well. If that doesn’t bother you, the fact that this all happens unencrypted across the internet should have the hairs on the back of your neck standing on end.
I predicted that Social Networking and Cloud Computing would bring on a spate of attacks this year as increasing amounts of sensitive user data slowly made its way online. What I didn’t realise was how poor the security at a company as reputable as LinkedIn actually is. What really upsets me about all of this is that social networks are not generally considered very accountable for leaks like this. If we discovered that the government had leaked such personal data about us, or that our bank had been hacked, we would expect that a full independent inquiry would take place.
Certainly for affected individuals we would expect some form of recompense. When a site like LinkedIn is raking in US$188.5-million per quarter using our personal data for its own gain… well, it seems that we have been duped and a light slap on the wrist is considered sufficient justice for such gross negligence.