Approximately 6.5 million hashed passwords were leaked online, apparently taken from the social media company LinkedIn. The hash list that I initially took a look at had many (around half) of the hashes starting with the value “00000” – it seems this value replaced the first five chars for passwords that had already been cracked (presumably so new cracking machines/techniques would not have to redouble their efforts). I was able to test this theory by converting some common passwords (such as “password” and “secret”) to SHA-1, then searching for their SHA-1 string – I had no results. I was, however, able to find results after I substituted “00000” for the first five characters of the hash, indicating that this theory is at least possibly on the right track.
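The check described above (hash a candidate word with SHA-1, look for the full digest in the dump, then look for the digest with its first five characters replaced by "00000"), written out as an added Python example that is not part of the original post. The dump lines below are constructed for the example, not taken from the leak; the helper names are my own.

```python
import hashlib

MASK = "00000"  # marker the post interprets as "already cracked"


def sha1_hex(word: str) -> str:
    """Plain, unsalted SHA-1 hex digest: the scheme the leaked list used."""
    return hashlib.sha1(word.encode("utf-8")).hexdigest()


def masked(digest: str) -> str:
    """Overwrite the first five hex chars with the marker, as seen in the list."""
    return MASK + digest[5:]


def load_dump(lines):
    """Index 40-char hex lines by their last 35 chars, so one lookup finds a
    hash whether or not its leading five chars were overwritten. Junk lines
    are skipped. Returns {suffix: set(full lines)}."""
    index = {}
    for line in lines:
        h = line.strip().lower()
        if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
            continue
        index.setdefault(h[5:], set()).add(h)
    return index


def check_candidates(words, index):
    """For each word: 'full' if its SHA-1 is present verbatim, 'masked' if only
    the 00000-prefixed form is present (i.e. someone already cracked it),
    None if absent. Same-suffix lines with a different prefix do not count."""
    results = {}
    for w in words:
        d = sha1_hex(w)
        hits = index.get(d[5:], set())
        results[w] = "full" if d in hits else ("masked" if masked(d) in hits else None)
    return results


# Constructed sample dump (not lines from the real leak). The first entry is the
# well-known SHA-1 of "password" with its prefix overwritten by the marker.
SAMPLE_DUMP = [
    "000001e4c9b93f3f0682250b6cf8331b7ee68fd8",  # "password", marked cracked
    masked(sha1_hex("secret")),                   # "secret", marked cracked
    sha1_hex("correct horse battery"),            # still uncracked, full hash
    "not-a-hash",                                 # junk line, ignored
]

if __name__ == "__main__":
    print(check_candidates(["password", "secret", "letmein"], load_dump(SAMPLE_DUMP)))
```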
A few days ago I read an interesting blog post on how to use Twitter to generate wordlists, so I used the script to build a list using about 7 or 8 keywords, which provided me with 3500 words in total. I used John the Ripper to convert those hash values to the values in the leaked list, and sure enough, I got one hit! In the interest of responsibility, I won’t disclose what the word was, only that it was not an English dictionary word – to me, this only validates the use of Twitter as a good potential wordlist ally – it’s always up-to-date with slang, and it’s easy to quickly generate a list based on a foreign word or idea.
It’s important to remember that the leaked list provides about 6 million hashes and there are about 120 million people registered with LinkedIn. This could mean that this is either a partial release, or that many people are using passwords that are the same.
Also, I’d like to point out the shortsightedness of the following blog post issued by LinkedIn:
Our security team continues to investigate this morning’s reports of stolen passwords. At this time, we’re still unable to confirm that any security breach has occurred.
Innocent enough, right? They specifically mention that they have not confirmed anything related to the breach, yet the rest of the post is filled with password-creation tips, implying that maybe now is a good time to change your password. Nothing could be further from the truth – if this attacker has persistent access, there is nothing to stop this attacker from dumping the hash values again and getting re-cracking. And what better sample set to learn about password-changing habits than a bunch of users who all changed their passwords in response to a breach?
Then, an hour later (I’m using Twitter timestamps since LinkedIn doesn’t use timestamps on their posts), another blog post:
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.
Okay, so they’ve implemented salting! Hurray! Unfortunately, they have not told us the cause of the breach or whether the attacker may have persistent access. We can only assume that the attacker can now only dump salted hashes instead of unsalted ones. So get ready to change that password again when LinkedIn reveals more…