Analysis of passwords from the LinkedIn leak has revealed, should there be any doubt, that users remain terrible at choosing secure login credentials.
Last week a black hat hacker using the nickname Peace was revealed to be attempting to sell 117 million LinkedIn users' emails and passwords on the dark web.
"Peace" wants 5 BTC for the stash, delayed fruits of a well-publicised LinkedIn breach back in 2012.
LinkedIn said there is "no indication that this is the result of a new security breach" even though the exposure of credentials has grown from the previously admitted 6.5 million records to a 117 million torrent. The business-focused social network said it intended to apply a password reset to potentially compromised accounts and urged users to enable two-step verification to further protect their LinkedIn accounts.
Login credentials - especially to social media sites - are a valuable commodity for black hat hackers. A new analysis of the password hash dump from the LinkedIn breach by password recovery firm Kore Logic has revealed that many users chose easily cracked passwords.
“123456” appears more than a million times (1,135,936 to be precise) in the dump, a long way clear of second-placed “linkedin” (207k). The most common “base word” used in the passwords is, unsurprisingly, “linkedin”.
Even outside the obvious security slip-up of using “123456”, “linkedin” or “password” as an, er, password, not enough users are using complex passwords capable of resisting dictionary and brute force attacks.
By Friday, Kore Logic had recovered 48,520,000 unique passwords from the LinkedIn hash dump. Four in five (78 per cent) of the unique hashes had been cracked at that point. Kore Logic had already recovered the passwords for six in seven (86 per cent) of all LinkedIn.com users in the dump.
LinkedIn evidently stored passwords as unsalted SHA-1 hashes. SHA-1 is a fast general-purpose hash rather than a purpose-built password hash, so a GPU rig can test billions of guesses per second against it, and without a per-user salt every account that picked the same password ends up with the same hash: one guess can be checked against the entire dump in a single lookup, precomputed tables apply, and the dump leaks which users share a password before a single hash is cracked. That combination of fast crypto and poor methodology made it straightforward to crack the leaked password database. All manner of mischief has ensued.
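To make the unsalted-SHA-1 point concrete, here is an added example (not code from the article or from Kore Logic) that builds a tiny constructed dump of five accounts, shows that identical passwords collide into identical hashes, then runs a small wordlist with mangling rules against it and counts how many hash computations the attack needs. The same wordlist is then run against the corrected design, a per-user random salt with a deliberately slow key derivation (PBKDF2 from the standard library, iteration count kept low for the demo), where each account has to be attacked separately. All account names, passwords and the wordlist are constructed for the example.

```python
import hashlib
import os

# Constructed demo data (not real LinkedIn records): five accounts and the
# passwords they chose, so the example runs offline.
SAMPLE_PASSWORDS = {
    "alice@example.com": "123456",
    "bob@example.com": "linkedin",
    "carol@example.com": "123456",      # same password as alice
    "dave@example.com": "Tr0ub4dor&3",  # not in the wordlist; should survive
    "erin@example.com": "password",
}

# Constructed wordlist: a few base words plus simple mangling rules, the way a
# cracker such as John the Ripper or hashcat expands a dictionary.
BASE_WORDS = ["123456", "linkedin", "password", "qwerty"]


def candidates():
    """Yield guesses: each base word, capitalised, and with common suffixes."""
    for word in BASE_WORDS:
        yield word
        yield word.capitalize()
        for suffix in ("1", "123", "2012"):
            yield word + suffix


def unsalted_sha1(password):
    """How the article says LinkedIn stored passwords: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_unsalted_dump(accounts):
    return {email: unsalted_sha1(pw) for email, pw in accounts.items()}


def duplicate_groups(dump):
    """Without a salt, identical passwords give identical hashes, so the dump
    reveals who shares a password before a single guess is made."""
    by_hash = {}
    for email, h in dump.items():
        by_hash.setdefault(h, []).append(email)
    return {h: emails for h, emails in by_hash.items() if len(emails) > 1}


def crack_unsalted(dump):
    """One SHA-1 per guess is checked against every hash in the dump at once."""
    by_hash = {}
    for email, h in dump.items():
        by_hash.setdefault(h, []).append(email)
    cracked, hashes_computed = {}, 0
    for guess in candidates():
        hashes_computed += 1
        for email in by_hash.get(unsalted_sha1(guess), []):
            cracked[email] = guess
    return cracked, hashes_computed


# The corrected design: a per-user random salt and a deliberately slow KDF.
# PBKDF2 is used because it is in the standard library; the iteration count is
# kept low for the demo (real deployments use far more, or bcrypt/argon2).
PBKDF2_ITERATIONS = 20_000


def salted_kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def build_salted_dump(accounts):
    out = {}
    for email, pw in accounts.items():
        salt = os.urandom(16)  # fresh random salt per account
        out[email] = (salt, salted_kdf(pw, salt))
    return out


def crack_salted(dump):
    """Each account must be attacked separately: one KDF call per guess per
    user, and each call is thousands of times slower than a bare SHA-1."""
    cracked, hashes_computed = {}, 0
    for email, (salt, digest) in dump.items():
        for guess in candidates():
            hashes_computed += 1
            if salted_kdf(guess, salt) == digest:
                cracked[email] = guess
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    unsalted = build_unsalted_dump(SAMPLE_PASSWORDS)
    print("shared hashes:", duplicate_groups(unsalted))
    print("unsalted:", crack_unsalted(unsalted))
    print("salted:", crack_salted(build_salted_dump(SAMPLE_PASSWORDS)))
```

With this wordlist the unsalted attack recovers four of the five passwords after computing just 20 SHA-1 digests, because every guess is checked against all accounts at once; the salted version recovers the same four but needs 39 slow KDF calls, and the cost grows with the number of accounts rather than with the number of guesses. Scaled to 117 million records, that is the difference between cracking most of a dump in days and not getting there at all. The weak passwords themselves are still weak under either scheme, which is why the article's advice to avoid “123456” and to turn on two-step verification stands regardless of how the site stores hashes.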
Some reports suggest that seemingly benign hackers have begun to hijack the profiles of big name personalities using info gleaned from the dump. Twitter co-founder Biz Stone, Minecraft creator Markus “Notch” Persson and others have had their profiles hijacked by a group called OurMine Team, Vice reports.
In related news, black hats have reduced the price of the LinkedIn credential dump (which started off retailing at 5 BTC or $2,200) and used media coverage of credentials being exploited in order to push sales. ®