Published on 7th June 2012 by Brett M. Christensen
A Russian forum user claims he has hacked LinkedIn, uploading 6,458,020 encrypted passwords (without usernames) as proof.

Security expert Graham Cluley of Sophos has also warned about the incident, noting:

A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them.

Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals.

Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords.

The passwords are encrypted with the SHA-1 cryptographic hash function, used in SSL and TLS and generally considered to be relatively secure, but not foolproof. Unfortunately, it also seems that passwords are stored as unsalted hashes, which makes it much easier to decipher them using pre-computed rainbow tables.

LinkedIn has confirmed the reports, via its blog:

We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.

Given that many people tend to use the same passwords across multiple services, the potential security implications may not stop at LinkedIn.
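To make the point in the Sophos note concrete, here is an added Python example (not code from this article, Sophos or LinkedIn) contrasting unsalted SHA-1 storage, where a table computed in advance answers every leaked hash with one lookup, with per-user salted storage, where no such table can be reused, and the slow salted KDF a site would use instead. The passwords, salts and wordlist are constructed sample data, not values from the leaked file.

```python
import hashlib
import hmac
import os

# Constructed sample data (not taken from the leaked file): a few weak
# passwords stored the way the article describes, as unsalted SHA-1 digests.
SAMPLE_PASSWORDS = ["password", "linkedin", "123456", "letmein"]
LEAKED_UNSALTED = [hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PASSWORDS]
GUESSES = ["hello", "qwerty"] + SAMPLE_PASSWORDS  # constructed wordlist

def precomputed_table(candidates):
    """Digest -> plaintext map built once, before any leak is seen. A rainbow
    table is a space-optimised form of this; the key property is the same:
    the hashing work is paid once and reused against every unsalted dump."""
    return {hashlib.sha1(c.encode()).hexdigest(): c for c in candidates}

def recover_unsalted(leaked, table):
    """No salt: each leaked digest costs one dictionary lookup, zero hashing."""
    return {h: table[h] for h in leaked if h in table}

def sha1_salted(salt, password):
    """Same hash function, but a random per-user salt is prepended."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def recover_salted(records, candidates):
    """With per-user salts the table cannot be reused: every (salt, guess)
    pair must be hashed afresh. Returns the recovered passwords and the number
    of hash computations spent, to make the cost difference visible."""
    recovered, hash_ops = {}, 0
    for salt, digest in records:
        for guess in candidates:  # no early exit, so the count is deterministic
            hash_ops += 1
            if sha1_salted(salt, guess) == digest:
                recovered[digest] = guess
    return recovered, hash_ops

def store_password(password):
    """Hardened storage: random per-user salt plus a slow KDF, so each guess
    also costs 200,000 iterations instead of one fast SHA-1 round."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)
```

Running `recover_unsalted` over the sample dump recovers all four passwords with no hashing at all, while `recover_salted` has to spend one hash per guess per user before it gets the same result, and `store_password` multiplies that per-guess cost by the KDF iteration count.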