Password breach spreads beyond LinkedIn

More websites admitted security breaches Thursday after LinkedIn said some of its members' passwords were stolen, and experts warned of email scams targeting users of the social network.

Security experts were warning customers of the hacked websites to be alert for fake emails which purport to warn about the breach but are in fact attempts to steal passwords, a phenomenon known as "phishing."

The US dating website eHarmony and the British-based music site said their users' passwords were also compromised and urged members to change their passwords.

"We are currently investigating the leak of some user passwords," the website blog said.

"This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we're asking all our users to change their passwords immediately."

EHarmony's Becky Teraoka said that "a small fraction of our user base has been affected" and that "as a precaution, we have reset affected members' passwords."

Graham Cluley of the British security firm Sophos said data from 1.5 million eHarmony passwords was uploaded to websites, "where hackers were encouraged to join forces to crack them."

Cluley also warned users of the music site to change their passwords.

But users were also being cautioned against clicking on links that purport to be from the compromised websites. LinkedIn said it was not including any links in its warnings to customers.

Mikko Hypponen of the Finland-based firm F-Secure said a flood of such phishing emails was likely.

"First change your LinkedIn password. Then prepare for scam emails about LinkedIn password changes, linking to phishing sites. Will happen," he said in a Twitter message.

Security experts said some 6.5 million accounts were posted to a Russian hacker forum, but that figure was being debated Thursday.

The security firm Imperva said the evidence suggests "the size of the breach is much bigger than the 6.5 million accounts" and added that "the passwords weren't properly protected."

(c) 2012 AFP

Citation: Password breach spreads beyond LinkedIn (2012, June 7) retrieved 22 August 2019 from

User comments

Jun 08, 2012
Why are they storing passwords anyway? There is NEVER a good reason to retain the password. Store hash and salt.

Are they paid to do this??

Jun 08, 2012
they were hashed, you idiot... but they are hackable because there is such a thing as rainbow tables.

Jun 08, 2012
@SatanLover, I may be an idiot, but I'm right.

I didn't say store the hash - I said store the hash and salt.

The salt is some long cryptographically random value, different for each username. It's combined with the password, and the hash of that value is stored along with the chosen salt. When the user proffers a password, you look up their particular salt, combine it with the claimed password, hash the result, and check the hash matches your record.

This defeats any rainbow table because (unlike a reasonable password) the salt can be arbitrarily long. Rainbow tables have to have some kind of limit, because you have to precalculate them.

Hope that makes sense.

Jun 09, 2012
... actually I forgot the other benefit a salt gives, over merely storing hashes (which as you point out is not much better than storing passwords):

It means that all users have unique passwords. That wouldn't otherwise be the case, as passwords tend to not be actually randomly chosen.

Imagine I stole the database, plus stole a username password by some other means (including possibly guessing). I could look up the hash for that username in the database then look up all the other users that had the same hash, and immediately know their password was the same (extremely likely the same - if not just as good). I wouldn't even need a rainbow table!

With a unique salt for each user, this is impossible.
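The two points made in this and the previous comment (look up the user's own salt, recombine and hash to verify; and per-user salts stopping identical passwords from producing identical records) as an added Python example. This is not code from the article or from any site it names; the usernames and passwords are constructed, and PBKDF2-HMAC-SHA256 is used as the "combine and hash" step because a slow, iterated hash is what a practitioner would deploy today.

```python
"""Per-user salted password storage, as described in the comment thread.

Added example: not code from the article, AFP, or any site it names.
Sample usernames and passwords below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Work factor for PBKDF2. The thread describes "combine salt and password,
# then hash"; PBKDF2-HMAC-SHA256 is that idea repeated many times so each
# guess costs the attacker more. Kept low here so the demo runs instantly.
ITERATIONS = 10_000
SALT_BYTES = 16


def make_salt() -> bytes:
    """Fresh cryptographically random salt, one per user record."""
    return secrets.token_bytes(SALT_BYTES)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored verifier from (salt, password); deterministic for a given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_user(db: dict, username: str, password: str) -> None:
    """Store salt and hash side by side, as the thread says you must."""
    salt = make_salt()
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify(db: dict, username: str, password: str) -> bool:
    """Look up the user's own salt, recompute, and compare in constant time."""
    record = db.get(username)
    if record is None:
        # Burn the same work for unknown users so timing does not leak existence.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_sha1(password: str) -> str:
    """The scheme the thread says LinkedIn used: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def users_sharing_hash(records: dict) -> list:
    """Group usernames whose stored hash is identical.

    With unsalted hashes, every group with more than one member is a set of
    users who chose the same password (learn one, read off the rest).
    With per-user salts, every group has size one, so the result is empty.
    """
    groups = defaultdict(list)
    for username, h in records.items():
        groups[h].append(username)
    return [sorted(members) for members in groups.values() if len(members) > 1]


def demo() -> dict:
    """Run both storage schemes over constructed sample accounts."""
    sample = {"alice": "123Kard$hians", "bob": "123Kard$hians", "carol": "correct horse"}

    unsalted = {u: unsalted_sha1(p) for u, p in sample.items()}
    salted_db = {}
    for u, p in sample.items():
        create_user(salted_db, u, p)
    salted = {u: r["hash"] for u, r in salted_db.items()}

    return {
        "unsalted_duplicates": users_sharing_hash(unsalted),  # [['alice', 'bob']]
        "salted_duplicates": users_sharing_hash(salted),      # []
        "alice_ok": verify(salted_db, "alice", "123Kard$hians"),
        "alice_wrong": verify(salted_db, "alice", "123Kard$hian"),
        "ghost": verify(salted_db, "nobody", "anything"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows alice and bob collapsing into one group under unsalted SHA-1 and into none once each record carries its own salt; `verify` still accepts alice's real password and rejects a near miss, which is the whole of what the server needs.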

Jun 09, 2012
Wow, salts give very LITTLE (if at all) protection.
First of all because hackers have access to your system and your salt has to be STORED somewhere.

See? Hashes and salts provide very little protection. In fact the Flame virus is designed to hack hashes (btw salts are part of the hash!)

Jun 09, 2012
You're correct that you have to assume that the attacker has the salt - after all, you're storing it right next to the hash, in your stolen database.

Imagine the salt, for just one user, is DB8A6575C505DC620207C7EE400571C. Their password is "123Kard$hians". I XOR one with the other, and get the SHA2 of the result - let's say it's 2345ABC23DF34BED4EE983459AB23908DE34CA. I store that result, and the salt, in the database. You steal the database. Your objective is to break into the website. To do that you have to find the string X that when XOR'd with DB8A6575C505DC620207C7EE400571C, produces 2345ABC23DF34BED4EE983459AB23908DE34CA.

How do you plan to do that? What possible rainbow table might you have created before the attack (without knowledge of the salt) to help? Your only option is dictionary/brute force. All stealing the database means is you can do a faster brute force attack... one user at a time.

Are you trolling? This isn't controversial.

Jun 09, 2012
You are wrong, salts only protect against bruteforcing, as in make it cost too much time to do a bruteforce.
Salts don't protect against rainbow table attacks.
And the fact salts have to be stored somewhere gives it zero protection. At best it gives the hacker a little more crack time of a few hours to figure out how the salt is applied.

Jun 09, 2012
I'd like to continue this conversation, but I don't feel like you're counter arguing, just saying I'm wrong, and that's not a good use of your time or mine :)

Jun 09, 2012
I'm pretty sure he's trolling. I mean, he did open with "idiot" and completely dismissed all facts posted.

For anyone interested in the topic, custard is absolutely correct. Salts nullify rainbow tables. For every unique salt, a new rainbow table must be created. With millions of passwords and millions of unique salts, this becomes computationally intensive.

Detailed analysis of LinkedIn breach: http://queue.acm....=2254400

Further information about salting can be found at:

Jun 09, 2012
Now I ain't trolling, you are just an idiot, as I said before.
Salts can actually increase hash collisions in brute forcing.

And if the hacker has access to the database salts also give 0 protection.

Jun 09, 2012
Suit yourself. You're not trolling, you're just that dangerous combination of clueless, arrogant, and demeaning.

Hash collisions are irrelevant to the discussion. LinkedIn used an unsalted SHA1 system. That means many of the passwords can be easily looked up in existing rainbow tables. A salt would've required generating new rainbow tables. A unique salt for every password would have required generating new tables for every salt, or an attempt to brute force each individual password. That doesn't mean the passwords can't be determined, but it does make it more computationally intensive and buy LinkedIn some time to inform their users of the breach and encourage password changes. Unique salts would have improved the situation, which is why basically every password implementation SHOULD use them.

Unless you can show me one single published instance of SHA1 collisions being used against a large database faster than rainbow tables.

This will be my last reply.

Jun 11, 2012
Instead of using occult terminologies try using simpler words, you bastards!!!

Jun 11, 2012
Thanks bhiestand!

BTW, I notice LinkedIn have indicated they are going to begin using salting (see their blog post dated 6/7). Apparently they think it is worthwhile.

At least they were hashing. When I log in to a new site, I click "forgot password" to see whether they will email me the password verbatim. If they do, they're certain to be storing it verbatim, which is way more naive than LinkedIn. An online greeting card site was doing this, and my credit card rewards program too. I've found that if I send them a nice email explaining how their lost password email could help a hacker buy stuff from Amazon, they change their system fairly quickly.