There has been a lot of press recently about 6.45 million password hashes from LinkedIn appearing online. A 120MB Zip file showed up last week on a Russian hacking site without any related account information (although the hackers likely have these details). The theft of large volumes of account information is a common occurrence: eHarmony and Last.fm also both suffered breaches just last week.
I find the LinkedIn breach particularly interesting, as the company has over 150 million registered users who share significant amounts of personally identifiable information. Typical information associated with an account includes your current and previous employers, job titles, education, and a social graph of your professional contacts. All of this information can make targeted attacks against individuals and organizations a lot easier.
Without more information it is impossible to know how many users have been affected by this breach, and LinkedIn hasn’t been very forthcoming with details on the company blog. What is known is that there are 6,458,020 unique hashes (roughly 10% have leading 0s and may be duplicates). It is possible this could represent tens of millions of unique user accounts.
Many security/IT sites and blogs have covered cracking the LinkedIn hashes in fascinating detail (more than 60% of the hashes have been cracked). There has also been a great deal of discussion around the security of MD5/SHA-1 hashing, and how the passwords weren’t salted. It is great to see active discussion, and hopefully it improves security at large.
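To make the two observations above concrete (unsalted hashes expose duplicate passwords, and the zero-prefixed entries may be duplicates of other hashes), here is an added example that is not from the original post or from LinkedIn. It runs over a small constructed list of hashes; the five-character zeroed prefix and the PBKDF2 parameters are assumptions for illustration, not details of the real dump or of LinkedIn's systems.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme discussed above: same password, same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample dump. Two users share a password (an exact duplicate),
# and one entry has its leading hex characters zeroed out, modelling the
# "leading 0s" entries mentioned above (assumed prefix length of 5).
ZERO_PREFIX = 5
SAMPLE_DUMP = [
    sha1_hex("correct horse"),
    sha1_hex("correct horse"),                        # exact duplicate
    sha1_hex("zebra-1999"),
    "0" * ZERO_PREFIX + sha1_hex("zebra-1999")[ZERO_PREFIX:],  # zeroed prefix, same tail
    sha1_hex("unique-pw"),
]


def analyze_dump(hashes, zero_prefix=ZERO_PREFIX):
    """Count exact duplicates and zero-prefixed entries whose tail matches another hash.

    Only possible because the hashes are unsalted: with a per-user salt,
    equal passwords would not produce equal (or tail-equal) digests.
    """
    exact_duplicates = len(hashes) - len(set(hashes))
    by_tail = {}
    for h in hashes:
        by_tail.setdefault(h[zero_prefix:], set()).add(h)
    zeroed = [h for h in hashes if h.startswith("0" * zero_prefix)]
    tail_matches = sum(1 for h in zeroed if len(by_tail[h[zero_prefix:]]) > 1)
    return {
        "total": len(hashes),
        "exact_duplicates": exact_duplicates,
        "zero_prefixed": len(zeroed),
        "zero_prefixed_matching_tail": tail_matches,
    }


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): the mitigation for the above.

    A unique per-user salt makes identical passwords produce different digests,
    and the iteration count slows bulk guessing against a leaked table.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    print(analyze_dump(SAMPLE_DUMP))
    print(salted_hash("correct horse", b"user-1-salt") != salted_hash("correct horse", b"user-2-salt"))
```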
But, I can’t help but think everyone is missing the point – how on earth were these passwords stolen? Once an attacker is inside the network and has access, they can get account information in many ways. A lot of these don’t even require access to user databases.
Securing one part of a system really well doesn’t stop an attacker using other methods; we as IT professionals really need to practice defense in depth. Now is a really good time to start.