By Tal Berry
On June 5th, someone posted a list of 6.5M password hashes to a hacker forum (see image below with a screenshot).
This forum specializes in hash cracking, that is, deciphering passwords that have been hashed (a method that scrambles a user’s password). Imperva’s ADC analyzed this file. In addition, one member of the forum was able to crack (i.e., find out the original password) for 100,000 of the hashes. Imperva’s ADC has this file as well (you may see more details on how password cracking works in our blog on this topic).
We believe the size of the breach is much bigger than the 6.5M accounts. Two data points indicate why:
This password list is missing the “easy” passwords. The password files do not contain easy to crack passwords such as “123456” that are traditionally the most common choice of passwords. This is strange, so why is this happening? Most likely, the hacker has figured out the easy passwords and needs help with less common ones, so the hacker only published the more complicated ones. Most likely, many of the passwords haven’t been revealed.
Passwords are typically listed only once. In other words, the list doesn’t reveal how many times a password was used by the consumers. This means that a single entry in this list can be used by more than one person. For reference, in the RockYou hack the 5,000 most popular passwords, were used by a share of 20% of the users. We believe that to be the case here as well, another indicator that the breach size exceeds 6.5M.
In addition, by analyzing the files we believe:
The passwords weren’t properly protected. The hashes, in geek speak, were unsalted sha1 hashes. Not salting is a bad practice that we detailed in last month’s report on the Militarysingles breach. Salting, in layman’s terms, complicates the process of a hacker cracking a password. Not only do you encrypt the password, but append it with a random string of characters so even if those passwords are revealed, they look like gobbledygook.
LinkedIn was probably breached but the password database doesn’t indicate this specifically. Many of the passwords contained a high volume of the word, or a variation of the word, “linkedin”. This indicates that the pool of passwords comes from LinkedIn, though the hacker hasn’t specifically made such a connection. The password set shows:
13 passwords contained “linkedin”
509 passwords contained “linked”
1134 passwords contained “link”
Therefore we can speculate that the site name is related to “link” as people tend to use the site name in a password. Recall that in the RockYou breach, the password “rockyou” was the 7th most popular on that site. Since there are no corresponding usernames, we cannot validate if these are really valid LinkedIn.com credentials. However, it’s safe to assume that the hacker was able to get them, but he does not want to give away this data to his fellow crackers.
What can we learn from this incident?
In December 2011, we report an enterprise guide to proper password management. It details how to properly store passwords so that even in the event of a breach, cracking them will be a complicated and unattractive process.
LinkedIn has officially recommended that users change their passwords.
About the author
Tal Berry is Web Researcher at Imperva.