A publicly posted password hash dump and reports from the security research community this morning show that LinkedIn may have suffered a data breach that put the email addresses and passwords of at least 6.5 million users at risk. LinkedIn spokespeople have now confirmed that at least some of the data in the breach is attached to the company, and numerous researchers have claimed on Twitter to have analyzed the dump and found it to be legitimate.
Initially posted on a Web forum linked to a cyberlocker site hosted in Russia, the original link to the breached data is no longer up, but mirrors already are being created with links to the list. First reported to the media in Norway by a couple of researchers, including Per Thorsheim, the password dump sparked a flurry of speculation within the security community.
“I learned about the leak some 30 hours ago and was working with this yesterday and last evening doing damage control because I’m part of an incident response team at my employer,” says Thorsheim, security adviser for EVRY ASA. “When the story broke today at around 10 a.m. Norway-time, I saw somebody else here in Norway mention it on Twitter, and I asked this person if it was smart to start the circus. He responded to me that while watching several channels used by hackers, he saw they were already talking about this in the open.”
But as more researchers have looked into the data, many have found their LinkedIn-dedicated passwords on the list, bolstering claims that LinkedIn users were exposed.
“I believe the list is legit. I had a password I only used on LinkedIn, and I’d be amazed if someone else had the same password,” says security researcher David Rook, head security analyst at Realex Payments. “I SHA1-hashed that with no salt and searched the list of hashes and found the hash for my LinkedIn password in the file.”
Similarly, Robert Graham, CEO of Errata Security, confirmed that his LinkedIn-only password is in the file, as did researcher Ching Tim Meng.
“For all infosec pros who are good in managing passwords, we use a different password for every website. The password has a certain signature that is very hard to duplicate by the other 7 billion users out there, as it is long and has special significance to the user and the website,” Meng says. “I converted my password to SHA1, and searched for the hash in the dump file. The hash was found. Progressively in the Twitterverse various infosec professionals have revealed that their passwords are also on the list. This means that the likelihood that this hash file was stolen from LinkedIn is very high.”
It took LinkedIn the better part of the day to confirm that at least some of the data in the dump is attached to LinkedIn accounts.
“We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts,” says Vicente Silveira, director at LinkedIn, who said in a blog posting that the company is continuing to investigate the matter.
At this early date, researchers say it is not yet possible to tell how the information was stolen. But Thorsheim says that given the trend in such breaches of late, SQL injection remains a distinct possibility.
“What we have seen over the last two years with password leaks from groups like Anonymous or LulzSec and other people, it has been very common that SQL injection has been the main culprit when obtaining password hashes,” he says. “But there are absolutely no clues anywhere whatsoever on how these were leaked.”
It also remains to be seen whether the data included in the dump comprises the entirety of the data set stolen or just a portion. According to Sam Masiello, chief security officer for Return Path, this breach could be much bigger than what early reports show.
“It’s possible that the attackers didn’t post all of the information that they have, so it is entirely possible that more records could be involved and that more of that information will come out in the coming days,” he says. “I’m sure LinkedIn will have some information for us. But what we don’t know right now is whether or not that’s the full data set of what they actually have. That’s an open question.”
Meng says the hacker may just be someone who was tasked with cracking the passwords, and there may be a “mastermind” above him. “Think about it: He has 6 million passwords at his disposal, 4 percent of the 150 million users. What if the mastermind has the entire dump, breaks it up into 25 parts, and this guy happens to be responsible for cracking these 4 percent of the users’ passwords?” Meng says. “I think this is not a straightforward matter, and I will say LinkedIn will have to dig hard to find out the real answers.”
As the story develops, researchers like Marcus Carey, security researcher at Rapid7, say that LinkedIn users should change their passwords immediately, regardless of whether the company has confirmed reports. He says that they should also be prepared to do this more than once.
“Everyone should stand by for further information from LinkedIn on the compromise. By all indications it doesn’t appear that LinkedIn has contained the compromise yet, so everyone should be aware that they may have to change their passwords multiple times,” Carey says. “You should still go ahead and change it straight away, but you may have to change it for a second time if it turns out the attackers are still entrenched in LinkedIn’s systems.”
However it happened and whatever the scale, if this data does prove to be from LinkedIn’s databases, it will serve as one of several visible chinks in LinkedIn’s armor to come to light over the past month. In May, several researchers took the wraps off vulnerabilities they found in LinkedIn’s authentication processes and in its cookie lifespans. According to Meng, the way the passwords were stored is enough to show LinkedIn may need to rethink its strategy, and it bolsters Thorsheim’s theory that SQL injection was the likely culprit.
“You can determine how knowledgeable the organization is in their security design from one important clue: the use of unsalted SHA1 password hashes. This is a classic textbook failure on how to store hashed passwords insecurely, and this is a serious mistake,” Meng says. “From this alone, I guess that they do not have world-class security designs, and thus I give a very high likelihood that the passwords were obtained via SQL injection or other code injection attacks whereby the attacker manages to skim the passwords remotely across the network.”
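Two things in this story are easiest to see in code: the check Rook and Meng describe (hash your own password with plain SHA1 and look it up in the dump), and why Meng calls unsalted SHA1 a textbook mistake. The Python below is an added illustration, not code from the article, from the researchers quoted, or from LinkedIn. The sample dump, the passwords in it, and the PBKDF2 parameters are constructed for this example; the real dump's contents are not reproduced here.

```python
import hashlib
import hmac
import os

# Constructed sample dump: one lower-case hex SHA1 digest per line, the
# text-file shape the researchers searched. The digests are of made-up
# passwords chosen for this example, not values from the real dump.
SAMPLE_DUMP = "\n".join(
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ["linkedin-only-pw-2012", "password", "Summer!2012"]
)


def load_dump(text):
    """Parse a dump file into a set of hex digests for O(1) membership tests."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def unsalted_sha1(password):
    """Plain SHA1 of the password bytes: the scheme the dump reveals."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def password_in_dump(password, dump_hashes):
    """The self-check Rook and Meng describe: hash your own password the
    same way and look it up. It works only because the hashes carry no salt,
    so every site user (and every attacker) computes the same digest."""
    return unsalted_sha1(password) in dump_hashes


def store_salted(password, iterations=200_000, salt=None):
    """Contrast: salted, iterated PBKDF2-HMAC-SHA1 (assumed parameters).
    A random 16-byte salt per user means equal passwords give different
    stored values, and one precomputed table no longer covers a whole dump."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha1",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def same_password_collides(scheme, password):
    """True if two users with the same password end up with identical stored
    values under the given scheme: the property that lets an unsalted dump
    be attacked in bulk rather than one account at a time."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    dump = load_dump(SAMPLE_DUMP)
    print("LinkedIn-only password found in dump:",
          password_in_dump("linkedin-only-pw-2012", dump))
    print("unsalted SHA1 collides across users:",
          same_password_collides(unsalted_sha1, "password"))
    print("salted PBKDF2 collides across users:",
          same_password_collides(lambda p: store_salted(p)["hash"], "password"))
```

The first print reproduces the researchers' confirmation step on the constructed dump; the last two show the difference salting makes. The iteration count is an assumption for illustration; the point is that a per-user salt and a slow, iterated function turn the cheap dump-wide lookup above into a separate computation per account.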