Linkedin is one of the many social networks I never got into. After a friend recommended it as the best way to get a job, I opened an account, filled in my profile information and subscribed to a few interesting subjects. It didn't take long before a swarm of spammy messages invaded my inbox. Unsubscribing from a single one was an event on its own. By adding friends and strangers from my contact list, I learned of some new skills that I had. I didn't know I had them, but my peers were all ready to endorse me and validate my knowledge. It was exciting. Potential employers would look at all these feats and fight over me like the last glass of water in the desert. Of course, that was only true in my mind.
Recruiters, or should I say automated bots, were no strangers to my profile. They sent messages and requests, and at first I was excited. But after the 58th, the enthusiasm was no longer the same. Over the years, I came to neglect the email attached to my Linkedin account. But every time I opened it, I would have to spend a good amount of time cleaning and deleting before I could get to my messages. Before long, I became tired of it and decided it was time to end my relationship with the network.
I opened up linkedin.com, navigated to Privacy & Settings, and a few clicks later confirmed that I was closing the account.
Less than a week later the news broke that Linkedin had been hacked. 117 million passwords had been leaked. Closing my account only a month ago did not spare me, because the hack had happened 3 years prior. Only now had the hacker decided to release the news, 3 years after having enjoyed the privilege of owning the keys to the network.
No doubt my password had been compromised, but I always want to check it for myself. Websites like Have I Been Pwned allow users to check where their accounts have been compromised. It showed that my email had in fact been compromised on Linkedin. However, I had read that Linkedin passwords were hashed. So the attacker may have had the list of passwords, but they weren't the actual passwords that you and I enter in the text box. They were the hashed passwords.
After a little more research, I found that the social network only used minimal measures to protect those passwords. They used the SHA1 algorithm to hash the passwords, which in the past few years has been shown to be a less than secure method. SHA-1 is a fast general-purpose hash, so with enough resources an attacker can daisy-chain GPUs and create enough computing power to decipher SHA-1 password hashes.
If only Linkedin had used a salt, it would have made it much harder to decipher those compromised passphrases, if not impossible.
Here is how Linkedin did their password hashing.
$password = sha1($userpassword); // unsalted SHA-1: every user with the same password gets the same hash
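To show what the missing salt costs, here is an added Python illustration (not code from the post or from Linkedin): the unsalted one-liner above, the same hash with a per-user random salt, and the salted, deliberately slow PBKDF2 that a site should use instead. The passwords and the tiny wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample data for this demonstration (not taken from the leak).
SAMPLE_PASSWORDS = ["password123", "letmein", "password123"]  # two users share one
CANDIDATE_WORDS = ["123456", "password123", "letmein", "qwerty"]  # a toy wordlist


def linkedin_style_hash(password: str) -> str:
    """Unsalted SHA-1, the equivalent of the PHP one-liner sha1($userpassword)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt plus the password: same password, different digest."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_lookup(words):
    """Precompute digest -> word once. Without a salt, one table serves every user."""
    return {linkedin_style_hash(w): w for w in words}


def recover_with_table(digests, table):
    """Count how many stored digests the precomputed table resolves."""
    return sum(1 for d in digests if d in table)


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted and deliberately slow; this is what replaces bare SHA-1 in a modern design."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pbkdf2(password: str, salt: bytes, stored: bytes, iterations: int = 200_000) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the stored value."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


def demo():
    table = build_lookup(CANDIDATE_WORDS)
    unsalted = [linkedin_style_hash(p) for p in SAMPLE_PASSWORDS]
    salted = [salted_sha1(p, os.urandom(16)) for p in SAMPLE_PASSWORDS]
    return {
        "duplicate_digests_unsalted": len(unsalted) != len(set(unsalted)),  # True
        "duplicate_digests_salted": len(salted) != len(set(salted)),        # False
        "unsalted_recovered": recover_with_table(unsalted, table),          # 3
        "salted_recovered": recover_with_table(salted, table),              # 0
    }
```

The table built once against the unsalted scheme resolves every user who chose a listed password; against the salted scheme the same table resolves none, and PBKDF2 on top makes each guess expensive as well.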
I don't have the resources to get a pack of graphics cards to decipher passwords. But luckily, the good folks at Hashes.org did just that. They downloaded a copy of the pwned hashed data when it was still freely circulating the web, and decided to de-hash the passwords.
When I first accessed the website, they had de-hashed 87% of the 117 million passwords. As I am writing this in July, they are at 95.88%. In a month's time, we might have a complete list of Linkedin passwords in the clear, as they were leaked.
So I downloaded the file. It contains only the passwords, not the accounts they are associated with. This is still valuable information. I made a quick analysis. So far, I don't see the password I had used. But one interesting thing we can see is that some passwords are long and secure. They are more than 20 characters long, yet here they are, compromised in all their complexity.
Go ahead to https://hashes.org/public.php and download L1nk3d1n (SHA1). Use an editor like vim (it doesn't load all 500MB into memory), and be patient as it searches for your password in the deciphered file.
When you finally find your password, remember this: You will never be able to use that password again. Not without the risk of being hacked in a matter of milliseconds.
In an age where even a run-of-the-mill WordPress website uses an uncrackable password solution, Linkedin, a company valued at billions of dollars, has failed at the most basic level. A password leak of this magnitude is not something you can simply put a band-aid on. People reuse passwords on different services. Compromising one popular service is an overture to a wider range of compromises.
If you used the same password on any other service online, this is the moment to go and change it. Make sure you start with your online banking accounts.