Re: LinkedIn password database compromised

[Marshall Eubanks <marshall.eubanks () gmail com>]

On Wed, Jun 6, 2012 at 9:33 PM, Lynda <shrdlu () deaddrop org> wrote:
> Sorry to be the bearer of such bad tidings. Please note that I'm doing a
> quick copy/paste from a notification I received. I've edited it a bit.
>
> Please note that LinkedIn has weighed in with a carefully worded blog post:
>
> http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
>
> Further details:
> 1. The leak took place on June 4
> 2. LinkedIn was using unsalted SHA-1 for their password store.

Raising the issue of why Linkedin hasn't adopted the latest security
wrinkles from 1978. ( http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps
)

> 3. FYI, there are two lists. The second one appears to be from eHarmony.
> Unsalted MD5 used there.

Ditto. Normally I would complain about the use of MD5, but what's the point.

Regards
Marshall

> 4. The posted passwords are believed to be ones the cracker wanted help
> with, i.e., they have significantly more already cracked.
>
> Apparently phishing emails are already active in the wild based on the
> crack:
>
> http://bits.blogs.nytimes.com/2012/06/06/that-was-fast-criminals-exploit-linkedin-breach-for-phishing-attacks/
>
> In other words, if you have a LinkedIn account, expect that the password has
> been stolen. Go change your password now. If you used that password
> elsewhere, you know the routine. In addition, as has been pointed out
> elsewhere, there's no sign LI has fixed the problem. Expect that the
> password you change it to will also be compromised.
>
> :-(
>
> --
> A picture is worth 10K words -- but only those to describe
> the picture.  Hardly any sets of 10K words can be adequately
> described with pictures.