Linked out

In May/June Linked in was hacked, and at least 6.5 million distinct unsalted SHA1 password hashes were taken and published.

Linked in claims it notified the users whose password hashes were leaked, and disabled their accounts.

I use Linked in, but did not hear about this until yesterday.

I checked whether my password had been leaked by downloading the unsalted SHA1 hashes from thepiratebay.se.

The crackers kindly did not include usernames, and replaced several leading characters of each hash with 0s.

I used the following one-liner shell command to find my password in the list (cut -c11- drops the leading characters the crackers zeroed out, so only the intact tail of each hash is compared). It was there.

comm -1 -2 <(<SHA1.txt cut -c11- | sort) <(<hashes_to_check.txt cut -c11- | sort)

Linked in could have used code like this to quickly check all of its users against the leaked hashes, but apparently they did not do it right: I was not notified.
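As an added example (not code from the original post), the same check as a small POSIX shell script: it computes the SHA1 of a candidate password, and compares only the part of the hash from character 11 onward against a leak file, so that entries whose leading characters were overwritten with 0s still match. The leak file it builds is a constructed sample from known plaintexts, not the real dump, and the script assumes sha1sum (coreutils) or, failing that, openssl is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a password against a
# leaked list of unsalted SHA1 hashes whose leading hex characters may have
# been overwritten with zeros, by comparing only the surviving tail
# (characters 11 onward, as in the post's one-liner).
# Assumes sha1sum (coreutils) or openssl is available.

# Hex SHA1 of a string (no trailing newline is hashed).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha1 | sed 's/^.* //'
    fi
}

# Overwrite the first N characters of a hash with zeros, the way many
# entries in the leaked file were masked.
zero_prefix() {
    h=$1; n=$2
    zeros=''; i=0
    while [ "$i" -lt "$n" ]; do zeros="${zeros}0"; i=$((i + 1)); done
    printf '%s%s\n' "$zeros" "$(printf '%s' "$h" | cut -c"$((n + 1))"-)"
}

# Build a small constructed "leak" file (hypothetical data, not the real dump):
# two masked entries and one intact entry, mixing the forms seen in the leak.
build_sample_leak() {
    out=$1
    {
        zero_prefix "$(sha1_of 'password')" 5
        zero_prefix "$(sha1_of 'letmein')" 5
        sha1_of 'qwerty123'
    } > "$out"
}

# Exit 0 if the password's hash tail (from character 11) is in the leak file,
# 1 otherwise. Only the tail is compared, so masked entries still match.
check_password() {
    pw=$1; leak=$2
    suffix=$(sha1_of "$pw" | cut -c11-)
    cut -c11- "$leak" | grep -Fxq "$suffix"
}

# Demo run over the constructed sample.
leak_file=$(mktemp)
build_sample_leak "$leak_file"
for pw in 'password' 'qwerty123' 'correct horse battery staple'; do
    if check_password "$pw" "$leak_file"; then
        printf '%s: FOUND in leak\n' "$pw"
    else
        printf '%s: not found\n' "$pw"
    fi
done
rm -f "$leak_file"
```

Comparing the tail only means the check is slightly looser than a full-hash match (the masked characters are not verified), which is the price of matching against a deliberately damaged file; a service checking its whole user base would run the same comparison once over the full hash list with comm or a hash set rather than grep per user.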

I’m pretty sure Linked in did not disable my login. My password was unchanged.

If they notified me, I did not see the email. I get plenty of spam from Linked in, so it might not be obvious.

There was no big flashing red message on the Linked in home page when I logged in.

That’s three major failures:

  •  the servers were insecure: they let people break in
  •  unencrypted passwords (just an unsalted SHA1 hash, so it’s easy to crack many passwords)
  •  insufficient notification: I use Linked in, but was not aware of this until a few days ago

That’s “three strikes”, and I can no longer trust this company. If I hear that they’ve hired a top security expert to fix up their services, I might reconsider. But I have not heard anything about that. I posted in their Q&A, but apparently their staff do not monitor those forums.

So, I will close my Linked in account shortly, after downloading my contacts and their profiles. I didn’t use it much anyway.

/me are Linked out.

2 Responses to Linked out

  1. Yahya Abdal-Aziz says:

    Hi, Sam,

    Sorry to hear about this.

    How could a Windows 7 user effectively find their password?

  2. sswam says:

    I don’t know how to do it in Windows; well, I do, but it’s too painful in comparison. If I had to do this in Windows I would install msysgit (including bash) first, then use my shell command mentioned above in that simulated Unix environment. It’s probably not worth checking, just change your password.
