Did you change your LinkedIn password after that massive 2012 leak of millions of passwords, which were subsequently posted online and cracked within hours?

If not, you better hop to it, most particularly if you reuse passwords on other sites (and please tell us you don’t – here’s why it matters!).

The news isn’t good: first off, what was initially thought to be a “massive” breach turns out to have been more like a massive breach that’s mainlining steroids.

At the time of the breach 4 years ago, “only” 6.5 million encrypted (but not salted!) passwords had been posted online.

But now, there are a way-more-whopping 117 million LinkedIn account emails and passwords up for sale.

As Motherboard reports, somebody going by the name of “Peace” says the data was stolen during the 2012 breach.

LinkedIn never did spell out exactly how many users were affected by that breach. In fact, LinkedIn spokesperson Hani Durzy told Motherboard that the company doesn’t actually know how many accounts were involved.

Regardless, it appears that it’s far worse than anybody thought.

Motherboard said that the stolen data’s up for sale on one site and in the possession of another.

The first is a dark web marketplace called The Real Deal that’s said to sell not only drugs and digital goods such as credit cards, but also hacking tools such as zero days and other exploits. Peace has listed some 167 million LinkedIn accounts on that marketplace with an asking price of 5 bitcoin, or around $2,200.

The second place that apparently has the data is LeakedSource, a subscription-based search tool that lets people search for their leaked data.

LeakedSource says it has 167,370,910 LinkedIn emails and passwords. Out of those 167 million accounts, 117 million have both emails and encrypted passwords, according to Motherboard.

A LeakedSource operator told Motherboard’s Lorenzo Franceschi-Bicchierai that so far, they’d cracked “90% of the passwords in 72 hours.”

As far as verification goes, LinkedIn confirmed that the data’s legitimate.

Before it did so, Troy Hunt, a security researcher who maintains the breach notification site “Have I Been Pwned?”, reached out to some of the victims of the data breach. Two of them confirmed that yes, the password he shared was indeed the one they’d been using at the time of the breach.

Motherboard says it’s confirmed with a third victim that the password plucked from the dataset was his current password. But he changed that password as soon as Hunt reached out to him.

Why those encrypted passwords were so easy to crack

LeakedSource has posted a list of what it says are the top most frequently used LinkedIn passwords. They’re the usual suspects: “123456,” “linkedin,” “password,” etc. With the right technology, it takes less time to crack them than to type them in.

But even if they were devilishly&^%$tWisted?!!!, the passwords were still sitting ducks. That’s because while they were encrypted, they weren’t salted: a fact that gave rise to a $5 million class action lawsuit filed against LinkedIn for failing to use industry standard security practices to protect users’ personally identifiable information (PII).

A salt is a random string added to a password before it’s cryptographically hashed. The salt isn’t a secret cryptographic key – indeed, it’s typically stored along with the final password hash – but instead serves to ensure that if two users pick the same password, they don’t end up with the same hash. Salting also ensures that hash-cracking lists can’t be pre-computed from a dictionary.
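The salting point made above, as an added example that is not code from the original article: it contrasts the unsalted SHA-1 storage the LinkedIn dump used with a per-user salted hash, and shows why a lookup table precomputed from a wordlist resolves the former instantly but not the latter. The choice of PBKDF2-HMAC-SHA256 as the salted hash and the short wordlist are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample wordlist, standing in for LeakedSource's "usual suspects" list.
COMMON_PASSWORDS = ["123456", "linkedin", "password", "123456789", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Hash a password the way the 2012 LinkedIn dump was stored: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, str]:
    """Hash with a per-user random salt. The salt is not secret; it is returned so the
    caller can store it next to the hash. PBKDF2-HMAC-SHA256 is used here as the slow,
    salted KDF (an added good practice, not something the article prescribes)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str,
                  iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex)


def precomputed_sha1_table(wordlist) -> Dict[str, str]:
    """Map unsalted SHA-1 -> password for a wordlist. Built once, it resolves every
    unsalted hash of those words in any dump instantly; that is what salting prevents."""
    return {unsalted_sha1(w): w for w in wordlist}


def demo() -> None:
    alice, bob = unsalted_sha1("linkedin"), unsalted_sha1("linkedin")
    print("unsalted, same password, same hash:", alice == bob)               # True
    table = precomputed_sha1_table(COMMON_PASSWORDS)
    print("table lookup on unsalted hash:", table.get(alice))                # linkedin
    salt_a, hash_a = salted_hash("linkedin")
    salt_b, hash_b = salted_hash("linkedin")
    print("salted, same password, same hash:", hash_a == hash_b)             # False
    print("table lookup on salted hash:", table.get(hash_a))                 # None
    print("verify with stored salt:", verify_salted("linkedin", salt_a, hash_a))  # True


if __name__ == "__main__":
    demo()
```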