(LiveHacking.Com) – LinkedIn has confirmed that passwords posted onto a Russian hacking forum belong to LinkedIn accounts. The hacker uploaded 6,458,020 hashed passwords, but no usernames. There is no current confirmation that the hacker obtained the usernames as well, but it is very likely that the hacker does have them and has simply chosen not to post them online. The passwords are an unsalted list of SHA-1 hashes, which should be hard to crack; however, the SHA-1 algorithm isn’t foolproof and isn’t collision-free. Simple dictionary passwords will be easy enough to crack by computing the SHA-1 of each word and then looking in the password list for any occurrences of that hash; because there is no salt, one hash computation per candidate word can be checked against every account at once. These 6.5 million password examples will now be used to populate rainbow tables and will be an obvious choice for seeding a dictionary attack in any future database leaks.
LinkedIn has disabled the compromised accounts and is sending users an email with instructions on how to reset their passwords. It is worth noting that there will not be any links in this email. This is because phishing attacks often rely on links in emails that lead to fake sites designed to trick people into typing in their passwords. Once the password has been reset, affected members will receive a second email providing a bit more context on the situation and why they are being asked to change their passwords.
LinkedIn has recently added more security to its system, including better hashing and salting of the password databases.
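As an added illustration that is not part of the article, the Python below contrasts the unsalted SHA-1 scheme described in the first paragraph with the per-user salting mentioned in the last one. It audits a constructed password store against a constructed word list and counts the hash computations needed in each case: with no salt, one SHA-1 per word covers every account and identical passwords share a hash, while a per-user salt makes every (word, account) pair a separate computation and leaves precomputed tables useless. The user names, passwords and word list are constructed; the salted variant is for illustration only (a real deployment would use bcrypt, scrypt or PBKDF2 rather than a single SHA-1).

```python
import hashlib
import os

# Constructed sample store: two users happen to share a weak password.
USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "Xq7#vL2pR!d9"}
# Constructed dictionary of candidate passwords.
WORDLIST = ["password", "linkedin", "123456", "letmein"]


def unsalted_store(users):
    """The scheme in the article: bare SHA-1 of each password, no salt."""
    return {u: hashlib.sha1(p.encode("utf-8")).hexdigest() for u, p in users.items()}


def salted_store(users):
    """Per-user random salt stored beside the hash (illustration only)."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, hashlib.sha1(salt + p.encode("utf-8")).hexdigest())
    return store


def audit_unsalted(store, wordlist):
    """One SHA-1 per word; a hit matches every user with that password.
    Returns (matched_users, number_of_hash_computations)."""
    by_hash = {}
    for u, h in store.items():
        by_hash.setdefault(h, []).append(u)
    matched, work = set(), 0
    for w in wordlist:
        work += 1
        matched.update(by_hash.get(hashlib.sha1(w.encode("utf-8")).hexdigest(), []))
    return matched, work


def audit_salted(store, wordlist):
    """A salt forces one SHA-1 per (word, user) pair; no shared table applies.
    Returns (matched_users, number_of_hash_computations)."""
    matched, work = set(), 0
    for u, (salt, h) in store.items():
        for w in wordlist:
            work += 1
            if hashlib.sha1(salt + w.encode("utf-8")).hexdigest() == h:
                matched.add(u)
                break
    return matched, work


if __name__ == "__main__":
    print("unsalted:", audit_unsalted(unsalted_store(USERS), WORDLIST))
    print("salted:  ", audit_salted(salted_store(USERS), WORDLIST))
```

With this sample the unsalted audit finds both weak accounts in 4 hash computations and the salted one needs 8; the gap grows linearly with the number of accounts, which is the whole point of salting a 6.5 million entry database.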