Password breach spreads beyond LinkedIn

Jun 07, 2012
More websites admitted security breaches Thursday after LinkedIn said some of its members' passwords were stolen, and experts warned of email scams targeting users of the social network.

Security experts were warning customers of the hacked websites to be alert for fake emails which purport to warn about the breach but are in fact attempts to steal passwords, a phenomenon known as "phishing."

The US dating website eHarmony and the British-based music site Lastfm.com said their users' passwords were also compromised and urged members to change their passwords.

"We are currently investigating the leak of some Last.fm user passwords," the website's blog said.

"This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we're asking all our users to change their passwords immediately."

EHarmony's Becky Teraoka said that "a small fraction of our user base has been affected" and that "as a precaution, we have reset affected members' passwords."

Graham Cluley of the British security firm Sophos said data from 1.5 million eHarmony passwords was uploaded to websites, "where hackers were encouraged to join forces to crack them."

Cluley also warned users of Lastfm.com to change their passwords.

But users were also being cautioned against clicking on links that purport to be from the compromised websites. LinkedIn said it was not including any links in its warnings to customers.

Mikko Hypponen of the Finland-based firm F-Secure said a flood of such phishing emails was likely.

"First change your LinkedIn password. Then prepare for scam emails about LinkedIn password changes, linking to phishing sites. Will happen," he said in a Twitter message.

Security experts said some 6.5 million hashed passwords were posted to a Russian hacker forum, but that figure was being debated Thursday.

The security firm Imperva said the evidence suggests "the size of the breach is much bigger than the 6.5 million accounts" and added that "the passwords weren't properly protected."

User comments : 13


custard
1 / 5 (1) Jun 08, 2012
Why are they storing passwords anyway? There is NEVER a good reason to retain the password. Store hash and salt.

Are they paid to do this??
SatanLover
0.7 / 5 (24) Jun 08, 2012
They were hashed, you idiot... but they are hackable because there is such a thing as rainbow tables.
custard
2.3 / 5 (3) Jun 08, 2012
@SatanLover, I may be an idiot, but I'm right.

I didn't say store the hash - I said store the hash and salt.

The salt is some long cryptographically random value, different for each username. It's combined with the password, and the hash of that value is stored along with the chosen salt. When the user proffers a password, you look up their particular salt, combine it with the claimed password, hash the result, and check the hash matches your record.

This defeats any rainbow table because (unlike a reasonable password) the salt can be arbitrarily long. Rainbow tables have to have some kind of limit, because you have to precalculate them.

Hope that makes sense.
custard
2.3 / 5 (3) Jun 09, 2012
... actually I forgot the other benefit a salt gives, over merely storing hashes (which as you point out is not much better than storing passwords):

It means that all users have unique passwords. That wouldn't otherwise be the case, as passwords tend to not be actually randomly chosen.

Imagine I stole the database, plus stole a username password by some other means (including possibly guessing). I could look up the hash for that username in the database then look up all the other users that had the same hash, and immediately know their password was the same (extremely likely the same - if not just as good). I wouldn't even need a rainbow table!

With a unique salt for each user, this is impossible.
SatanLover
0.7 / 5 (23) Jun 09, 2012
Wow, salts give very LITTLE (if at all) protection.
First of all because hackers have access to your system and your salt has to be STORED somewhere.

See? Hashes and salts provide very little protection. In fact the Flame virus is designed to hack hashes (btw, salts are part of the hash!)
custard
2.3 / 5 (3) Jun 09, 2012
You're correct that you have to assume that the attacker has the salt - after all, you're storing it right next to the hash, in your stolen database.

Imagine the salt, for just one user, is DB8A6575C505DC620207C7EE400571C. Their password is "123Kard$hians". I XOR one with the other, and get the SHA2 of the result - let's say it's 2345ABC23DF34BED4EE983459AB23908DE34CA. I store that result, and the salt, in the database. You steal the database. Your objective is to break into the website. To do that you have to find the string X that when XOR'd with DB8A6575C505DC620207C7EE400571C, produces 2345ABC23DF34BED4EE983459AB23908DE34CA.

How do you plan to do that? What possible rainbow table might you have created before the attack (without knowledge of the salt) to help? Your only option is dictionary/brute force. All stealing the database means is you can do a faster brute force attack... one user at a time.

Are you trolling? This isn't controversial.
SatanLover
0.7 / 5 (24) Jun 09, 2012
You are wrong, salts only protect against brute-forcing, as in make it cost too much time to do a brute force.
Salts don't protect against rainbow table attacks.
And the fact that salts have to be stored somewhere gives them zero protection. At best it gives the hacker a little more crack time of a few hours to figure out how the salt is applied.
custard
2.3 / 5 (3) Jun 09, 2012
I'd like to continue this conversation, but I don't feel like you're counter-arguing, just saying I'm wrong, and that's not a good use of your time or mine :)
bhiestand
1 / 5 (1) Jun 09, 2012
I'm pretty sure he's trolling. I mean, he did open with "idiot" and completely dismissed all facts posted.

For anyone interested in the topic, custard is absolutely correct. Salts nullify rainbow tables. For every unique salt, a new rainbow table must be created. With millions of passwords and millions of unique salts, this becomes computationally intensive.

Detailed analysis of LinkedIn breach: http://queue.acm....=2254400

Further information about salting can be found at:
http://crackstati...rity.htm
http://www.addedb...-hashes/
http://en.wikiped...ography)
SatanLover
0.5 / 5 (23) Jun 09, 2012
Now I ain't trolling, you are just an idiot, as I said before.
Salts can actually increase hash collisions in brute forcing.

And if the hacker has access to the database salts also give 0 protection.
bhiestand
1 / 5 (1) Jun 09, 2012
Suit yourself. You're not trolling, you're just that dangerous combination of clueless, arrogant, and demeaning.

Hash collisions are irrelevant to the discussion. LinkedIn used an unsalted SHA1 system. That means many of the passwords can be easily looked up in existing rainbow tables. A salt would've required generating new rainbow tables. A unique salt for every password would have required generating new tables for every salt, or an attempt to brute force each individual password. That doesn't mean the passwords can't be determined, but it does make it more computationally intensive and buy LinkedIn some time to inform their users of the breach and encourage password changes. Unique salts would have improved the situation, which is why basically every password implementation SHOULD use them.

Unless you can show me one single published instance of SHA1 collisions being used against a large database faster than rainbow tables.

This will be my last reply.
amorsharif
not rated yet Jun 11, 2012
Instead of using occult terminologies try using simpler words, you bastards!!!
custard
not rated yet Jun 11, 2012
Thanks bhiestand!

BTW, I notice LinkedIn have indicated they are going to begin using salting (see their blog post dated 6/7). Apparently they think it is worthwhile.

At least they were hashing. When I log in to a new site, I click "forgot password" to see whether they will email me the password verbatim. If they do, they're certain to be storing it verbatim, which is way more naive than LinkedIn. An online greeting card site was doing this, and my credit card rewards program too. I've found that if I send them a nice email explaining how their lost password email could help a hacker buy stuff from Amazon, they change their system fairly quickly.
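A runnable version of the argument in this thread, added here as an example; it is not code from the article, from LinkedIn, or from any of the commenters. The user list and wordlist are constructed, a dictionary of precomputed SHA-1 digests stands in for a rainbow table, and custard's XOR-then-SHA2 sketch is replaced by PBKDF2-HMAC-SHA256 from Python's standard hashlib with a 16-byte random salt per user; the iteration count is an assumption chosen so the demo runs quickly. It shows the three points at issue: an unsalted store lets every common password fall to one table lookup each and exposes users who share a password (custard's duplicate-hash point); per-user salts defeat both; and, as custard concedes, a salt does not stop a per-user dictionary attack, which is why the salted hash is also made deliberately slow.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the breach): four users, two of whom
# picked the same common password, which is the case custard's
# duplicate-hash argument is about.
USERS = {
    "alice": "123Kard$hians",
    "bob": "password1",
    "carol": "password1",
    "dave": "linkedin2012",
}

# Constructed stand-in for a rainbow table: digests of common passwords,
# precomputed once before any breach and reused against every site that
# stores unsalted SHA-1.
WORDLIST = ["123456", "password", "password1", "linkedin", "linkedin2012", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 of the password, the form the leaked LinkedIn values took."""
    return hashlib.sha1(password.encode()).hexdigest()


PRECOMPUTED = {unsalted_sha1(p): p for p in WORDLIST}


def store_unsalted(users):
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def crack_unsalted(stored):
    """One table lookup per user: every common password falls at once."""
    return {user: PRECOMPUTED[h] for user, h in stored.items() if h in PRECOMPUTED}


def find_duplicates(stored):
    """Groups of users whose stored values are identical. With unsalted
    hashes that means identical passwords: crack one, crack the group."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Salted and deliberately slow: PBKDF2-HMAC-SHA256 with a fresh 16-byte salt
# per user. ITERATIONS is an assumption kept low so the demo runs quickly;
# production settings are far higher.
ITERATIONS = 20_000
KDF_CALLS = {"count": 0}  # instrumentation only: how much work the attacker does


def _kdf(password: str, salt: bytes) -> bytes:
    KDF_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def hash_password(password, salt=None):
    """Store the salt beside the digest; the salt is not secret."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt.hex() + "$" + _kdf(password, salt).hex()


def verify_password(password, record):
    salt_hex, digest_hex = record.split("$")
    candidate = _kdf(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def store_salted(users):
    return {user: hash_password(pw) for user, pw in users.items()}


def crack_salted(stored):
    """The attacker holds the salts, but the precomputed table is useless and
    no two records can be compared. Every guess must be re-derived per user
    with that user's salt, so cost scales with users x guesses x iterations.
    Returns (cracked, number of KDF evaluations spent)."""
    KDF_CALLS["count"] = 0
    cracked = {}
    for user, record in stored.items():
        for guess in WORDLIST:
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked, KDF_CALLS["count"]


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    print("unsalted, table lookup:", crack_unsalted(plain))
    print("unsalted, duplicate hashes:", find_duplicates(plain))
    salted = store_salted(USERS)
    print("salted, duplicate records:", find_duplicates(salted))
    print("salted, per-user dictionary attack:", crack_salted(salted))
```

The returned KDF count is the point to watch: against the salted store the attacker still recovers the three weak passwords, but only by paying one full key derivation per (user, guess) pair, and the salt contributes nothing to that cost on its own; it is the iteration count that makes each guess expensive. A strong password such as alice's survives either way because it is not in the attacker's list.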
