[153463] in North American Network Operators' Group
Re: LinkedIn password database compromised
daemon@ATHENA.MIT.EDU (Marshall Eubanks)
Wed Jun 6 22:19:53 2012
In-Reply-To: <4FD004F0.4060606@deaddrop.org>
Date: Wed, 6 Jun 2012 22:19:13 -0400
From: Marshall Eubanks <marshall.eubanks@gmail.com>
To: Lynda <shrdlu@deaddrop.org>
Cc: Nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Jun 6, 2012 at 9:33 PM, Lynda <shrdlu@deaddrop.org> wrote:
> Sorry to be the bearer of such bad tidings. Please note that I'm doing a
> quick copy/paste from a notification I received. I've edited it a bit.
>
> Please note that LinkedIn has weighed in with a carefully worded blog post:
>
> http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
>
> Further details:
> 1. The leak took place on June 4
> 2. LinkedIn was using unsalted SHA-1 for their password store.
Raising the issue of why LinkedIn hasn't adopted the latest security
wrinkles from 1978. ( http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps )
> 3. FYI, there are two lists. The second one appears to be from eHarmony.
> Unsalted MD5 used there.
Ditto. Normally I would complain about the use of MD5, but what's the point.
Regards
Marshall
> 4. The posted passwords are believed to be ones the cracker wanted help
> with, i.e., they have significantly more already cracked.
>
> Apparently phishing emails are already active in the wild based on the
> crack:
>
> http://bits.blogs.nytimes.com/2012/06/06/that-was-fast-criminals-exploit-linkedin-breach-for-phishing-attacks/
>
> In other words, if you have a LinkedIn account, expect that the password has
> been stolen. Go change your password now. If you used that password
> elsewhere, you know the routine. In addition, as has been pointed out
> elsewhere, there's no sign LI has fixed the problem. Expect that the
> password you change it to will also be compromised.
>
> :-(
>
> --
> A picture is worth 10K words -- but only those to describe
> the picture. Hardly any sets of 10K words can be adequately
> described with pictures.
>
>
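
Added example, not part of the original message or of any code from the thread: a short Python sketch of why the unsalted SHA-1 store discussed above is weak, with a salted store beside it and an audit check a defender can run over a hash table. The account names and passwords are constructed, and PBKDF2-HMAC-SHA256 with 200,000 iterations is an assumption chosen here as a modern stand-in for the salting idea from the 1978 paper.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not taken from any leak).
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}

def unsalted_sha1(password):
    """The scheme described in the thread: bare SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt=None, iterations=200_000):
    """Per-user random salt plus a deliberately slow KDF (assumed parameters)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def shared_hash_groups(store):
    """Audit check: groups of accounts whose stored hash value is identical."""
    groups = defaultdict(list)
    for user, stored in store.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def audit():
    """Return (duplicate groups in unsalted store, duplicate groups in salted store)."""
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p)[2] for u, p in USERS.items()}
    return shared_hash_groups(unsalted), shared_hash_groups(salted)

if __name__ == "__main__":
    dup_unsalted, dup_salted = audit()
    # Unsalted: equal passwords collapse to one hash, so one guess covers all of them.
    print("unsalted duplicates:", dup_unsalted)
    # Salted: every record is unique, so each account must be attacked separately.
    print("salted duplicates:  ", dup_salted)
```

Running shared_hash_groups over a real credential table is a quick way to confirm whether a store is unsalted: any non-empty result means identical passwords are visible as identical hashes.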