In May/June 2012 LinkedIn was hacked, and at least 6.5 million distinct unsalted SHA-1 password hashes were taken and published.
LinkedIn claims it notified the users whose password hashes were leaked and disabled their accounts.
I use LinkedIn, but did not hear about this until yesterday.
I checked whether my password had been leaked by downloading the unsalted SHA-1 hashes from thepiratebay.se.
Whoever published the list kindly left out the usernames, and replaced the leading characters of many hashes with 0s (so the one-liner below ignores the first ten characters of every hash and compares only the rest).
I used the following one-liner shell command to find my password in the list. It was there.
# print only the hash tails (characters 11-40) that occur in both files; LC_ALL=C gives both sorts the byte order comm expects
comm -1 -2 <(<SHA1.txt cut -c11- | LC_ALL=C sort) <(<hashes_to_check.txt cut -c11- | LC_ALL=C sort)
LinkedIn could have used code like this to quickly check every user's stored hash against the leaked list; apparently they did not do it right, because I was not notified.
I'm pretty sure LinkedIn did not disable my login: my password was unchanged.
If they notified me, I did not see the email. I get plenty of spam from LinkedIn, so it might not have been obvious.
There was no big flashing red message on the LinkedIn home page when I logged in.
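The same check, written out in Python as an added example (not code from the original post): it indexes a dump by the tail of each hash, exactly as the `cut -c11-` in the one-liner does, so that entries whose leading characters were zeroed still match. It shows both sides of the story, the check a user can run on guesses of their own password and the check the site could have run over every stored hash. The dump lines, user names and passwords are constructed for the example; none are from the real leak.

```python
import hashlib

# Mirror the one-liner's `cut -c11-`: compare only characters 11..40 of each hash.
SUFFIX_START = 10


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, hex encoded, as the leaked list stored it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def suffix(hash_hex: str) -> str:
    """Tail of a 40-char hex SHA-1, ignoring the (possibly zeroed) leading characters."""
    h = hash_hex.strip().lower()
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a SHA-1 hex digest: {hash_hex!r}")
    return h[SUFFIX_START:]


def load_leaked_suffixes(lines):
    """Index a dump (one hash per line) by suffix; blank or malformed lines are skipped."""
    index = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            index.add(suffix(line))
        except ValueError:
            continue
    return index


def check_candidates(passwords, leaked):
    """What a user can do: hash guesses of their own password and look for the tail."""
    return [p for p in passwords if suffix(sha1_hex(p)) in leaked]


def check_users(user_hashes, leaked):
    """What the site could do: compare every stored unsalted hash against the dump."""
    return sorted(user for user, h in user_hashes.items() if suffix(h) in leaked)


def mask(hash_hex: str) -> str:
    """Mimic the published dump, which replaced the first five characters with zeros."""
    return "00000" + hash_hex[5:]


# Constructed sample dump: hashes of made-up passwords, some with zeroed prefixes,
# plus a blank line and one piece of junk to show the loader tolerating them.
LEAKED_LINES = [
    mask(sha1_hex("linkedin")),
    sha1_hex("Password1"),
    mask(sha1_hex("correct horse battery staple")),
    "",
    "not-a-hash",
]

# Constructed user table. alice and dave chose the same password; because the
# hashes are unsalted they store the same value, so one crack covers both.
USER_HASHES = {
    "alice": sha1_hex("linkedin"),
    "bob": sha1_hex("hunter2"),
    "carol": sha1_hex("Password1"),
    "dave": sha1_hex("linkedin"),
}

if __name__ == "__main__":
    leaked = load_leaked_suffixes(LEAKED_LINES)
    print("candidate passwords found in dump:", check_candidates(["hunter2", "linkedin"], leaked))
    print("users whose stored hash is in dump:", check_users(USER_HASHES, leaked))
```

On a real dump, `load_leaked_suffixes` would take the file object directly; the set of 30-character tails for 6.5 million entries fits comfortably in memory, and each user lookup is then a single set membership test.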
That’s three major failures:
- insecure servers: attackers were able to break in and walk off with the password database
- passwords stored as unsalted SHA-1 hashes rather than with a salted, deliberately slow password hash (bcrypt, scrypt or PBKDF2); a fast unsalted hash lets an attacker crack many passwords at once with wordlists, precomputed tables or a GPU, and every user who chose the same password gets the same hash
- insufficient notification: I use LinkedIn, but was not aware of this until a few days ago
That’s “three strikes”, and I can no longer trust this company. If I hear that they’ve hired a top security expert to fix up their services, I might reconsider, but I have not heard anything about that. I posted in their Q&A, but apparently their staff do not monitor those forums.
So I will close my LinkedIn account shortly, after downloading my contacts and their profiles. I didn’t use it much anyway.
/me are Linked out.