Hackers crowdsource help to crack nearly 6.5 million leaked LinkedIn passwords

Nearly 6.5 million hashed LinkedIn passwords were posted to a Russian hacker site, according to Dagens IT. On June 5, the hackers linked to the 118MB file of hashes and were crowdsourcing help to crack them.


According to a cached copy of the site, of the 6,458,020 passwords hashed with SHA-1, 236,578 had allegedly been cracked before the website went down.


LinkedIn finally tweeted "Our team is currently looking into reports of stolen passwords. Stay tuned for more."


The company then posted a second tweet.

LinkedIn claimed, "As of March 31, 2012, LinkedIn operates the world's largest professional network on the Internet with 161 million members in over 200 countries and territories." The Norwegian Center for Information Security advised changing passwords as soon as possible, NRK reported. Hopefully, people didn't reuse that password for other social networking or sensitive information sites. With over 900 LinkedIn contacts, Center Point Communications Director Mariann Schiefloe said the password leak was like "losing my mobile phone."

F-Secure's Mikko Hypponen told The Verge he thinks this is "a real collection," possibly "some sort of exploit on their web interface, but there's no way to know."


According to SlashGear, there is some speculation about the usernames that correspond to the unsalted SHA-1 password hashes. Norwegian security professionals have suggested the usernames may be revealed privately, may be used by the hackers for unauthorized access, or may be sold off on the underground.

Per Thorsheim has received confirmation from many people that they found their password in the stolen list. In the thousands of tweets about the leaked LinkedIn passwords, others report their passwords were not on the list. Many people are stressing "change your LinkedIn password immediately" and warning to get ready for spam and phishing emails. A few tweeters are joking about having previously forgotten their password and being unable to access their LinkedIn account, but now they can via the leaked list.
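As an added illustration (not code from the article, from LinkedIn, or from any of the people quoted), the Python below shows why unsalted SHA-1 lets a user check their own password against the whole list with a single lookup, and how a per-user random salt with a slow key-derivation function (PBKDF2 here) removes that property. The "leaked" hashes are constructed stand-ins, not values from the dump.

```python
import hashlib
import hmac
import os
from typing import Optional, Set, Tuple

# Constructed sample standing in for the leaked file: unsalted SHA-1 hex digests
# of made-up passwords (not values from the real dump).
LEAKED_SHA1_HASHES: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("linkedin2012", "Password1", "qwerty123")
}

def unsalted_sha1(password: str) -> str:
    """The scheme the article describes: one deterministic SHA-1 digest per password.
    Every user with the same password produces the same hex string."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def appears_in_leak(password: str, leaked_hashes: Set[str]) -> bool:
    """Because the hashes carry no salt, a user can test whether their password is in
    the dump with one hash computation and one set lookup."""
    return unsalted_sha1(password) in leaked_hashes

def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Defensive alternative: a random 16-byte salt per user and a slow KDF.
    Two users with the same password get different records, and a stored digest
    never matches an entry in a plain SHA-1 list."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_pbkdf2(password: str, salt: bytes, stored: bytes,
                  iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)
```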

It's yet another unhappy day in a series of headaches for LinkedIn and its users. Skycure Security had discovered the LinkedIn iOS app collects full meeting notes and details like passwords, times, subjects and locations from the iOS calendar before transmitting them back to the company in plain text. The Skycure researchers presented their findings at a Tel Aviv University cybersecurity conference [PDF].

CBSNews reported, "The business-networking giant's app for Apple's iPad and iPhone has an opt-in feature that allows users to view their calendar entries within the app. However, researchers Yair Amit and Adi Sharabani discovered that once enabled by the user, the app automatically transmits users' calendar entries back to LinkedIn servers."

LinkedIn responded:

For those not familiar with our calendar feature, with your permission, we sync with your mobile device's calendar to provide information about the people you are about to meet by showing you their LinkedIn profile.

In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles. That information is sent securely over SSL and we never share or store your calendar information.

LinkedIn Mobile Product Head Joff Redfern listed what the company does not do with calendar data and promised to improve the mobile calendar feature by no longer sending "data from the meeting notes section of your calendar event." He added, "These improvements are live on Android now and have been submitted to the Apple store and will be available shortly." Yet the Twitterverse is on fire about the leaked list of LinkedIn passwords and wants to see improvements, such as shored-up security.
