LinkedIn, eHarmony suffer password breaches

Life

7 June 2012

A New York-based web developer and his colleagues have built a web-based application for people to see if their LinkedIn password hash is among 6.5 million released on a Russian hacker forum.

The password breach, revealed on Wednesday, is significant due to the detailed personal data stored by LinkedIn and the chance for hackers to spear phish executives or spread malicious links.

LinkedIn is telling some users to reset their passwords, but there is another way for users to see if their account was compromised.

LeakedIn converts a person’s clear-text password into its corresponding cryptographic representation using the SHA-1 algorithm, which was stored by LinkedIn. It does that conversion in the browser using JavaScript and does not transmit the password elsewhere, wrote one of LeakedIn’s developers, Chris Shiflett, on his blog.

LeakedIn then checks to see if the hash is on the list of breached passwords. Not all of the hashes in the list have been converted to original passwords yet, but it is likely hackers are working on it.

Password hashes can be converted to plain-text by using powerful graphics processors and free password cracking tools such as "John the Ripper," which can be used with a regular PC, and "oclHashcat." How long that process takes depends on the passwords’ complexity. Many of the hashes in the dump have five zeros as the first five characters of the hash.

LinkedIn did not "salt" its hashes, which involves inserting random characters into the hash that make it more difficult for people trying a brute-force attack. The company said it is now salting hashes.

In other security news, online dating site eHarmony confirmed late Wednesday that passwords for its members were exposed.

"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," wrote Becky Teraoka, of eHarmony’s corporate communications.

EHarmony didn’t say how many of its users may have been affected. The website said it had reset the passwords.

As with the LinkedIn breach, eHarmony’s 1.5 million password hashes were released in a Russian forumn in this case InsidePro, reported Ars Technica.

Hackers on InsirePro asked for help cracking the password hashes, Ars reported. But by late Wednesday, those threads on the forum appeared to have been deleted and were not available in Google’s cache.

IDG News Service

Read More:


Back to Top ↑

TechCentral.ie