LinkedIn passwords in circulation

2 minute read

LinkedIn_logo_initialsH-Online: Internet forums are currently circulating a list containing over six million password hashes which allegedly originate from LinkedIn. The passwords are being cracked collaboratively with about 300,000 passwords already published as plaintext.

The list contains pure SHA1 hashes with no name or email addresses. If decrypted, the passwords will not easily give access to an appropriate account. However, it is probable that the person who captured the hashes also has the corresponding email addresses. In an initial sampling, The H‘s associates at heise Security didn’t find any known LinkedIn passwords in the list, but with over 160 million members that doesn’t mean a lot. The already cracked passwords often contain “linked” or even “linkedin” in the form, for example, of “lawrencelinkedin”. This suggests that the passwords actually come from the LinkedIn social network. However, this has not yet been confirmed.

The shocking reality is that even passwords “parikh093760239”, “a06v1203n08” and “376417miata?” have already been cracked. This is due to the fact that the hashes were obviously generated without salt. This makes them easy targets for attacks using rainbow tables, which makes it possible to crack even passwords that are believed to be strong in just a few hours. For a view of what a server administrator needs to do to prevent this, read the article Storing passwords in uncrackable form at The H Security.

Whatever the case, you cannot rely on your own password to remain uncracked and so, if you have a LinkedIn account, you should change the password as soon as possible. You should also do the same for all other services where you used the same password or password root as on LinkedIn.

Learn more about this and how to change your LinkedIn password:

Find out how to create a strong password and take care of them: /en/knowledge-base/security/passwords