Last updated: Thursday 7th June @ 19:00
The web awoke this morning to learn that lame business network LinkedIn had been hacked. Bad news for the site’s 160 million users, even if the breach couldn’t have happened to a more deserving company. Not only had LinkedIn been breached by hackers (apparently Russian, going by where the loot surfaced), but those cabbage-pickling scamps had the audacity to sift through the site’s innards and make off with a bunch of hashed passwords. ‘A bunch’ in this case meaning over 6.5 million – roughly 4% of LinkedIn’s entire user base. The stolen loot was dumped on a Russian forum where a plea went out for help with cracking the haul. The hacker community – ever willing to chip in when there’s booty on the horizon – swiftly fired up their cracking rigs and set about tackling the hashes.
LinkedIn had hashed the passwords using SHA-1 – a general-purpose hash function (not encryption: there is no key and nothing to ‘decrypt’) that is deliberately fast and was never intended for storing passwords, in the same way that a hammer isn’t really intended for surgery. Fast is exactly what you don’t want here, because an attacker can test billions of guesses a second. What’s worse, LinkedIn had used unsalted hashes: every user with the password ‘password’ got the identical hash, so a single guess could be checked against all 6.5 million hashes at once, and precomputed hash tables built years ago worked straight out of the box. Within hours, over half of the 6.5 million passwords had been cracked, a sample of which can be viewed here. You can also check and see if your LinkedIn password was cracked by entering it here.
Once the hack had been confirmed, LinkedIn alerted users to the breach via its blog and also sent out a cautionary email. In spite of these efforts, many of the firm’s users will still be blissfully unaware that their accounts have been compromised. After all, when was the last time you paid a jot of attention to those pesky emails that LinkedIn routinely despatches?
As it stands, many of the 3.5 million cracked passwords may already have been used maliciously. Once inside a compromised account, it’s fair to assume hackers won’t be interested in your 23 Harvard connections or ‘Top Profile’ status. They may, however, be interested in scanning your private messages for information that can be used to access your company databases, web servers and online bank accounts. That said, once hackers have got hold of your LinkedIn password, they might not even bother returning to that shoddy social network, choosing instead to try it against your email account. If you’ve lazily recycled your password, expect to find an Eastern European rummaging through your private life. (If you fancy cranking up your CPU and cracking some of the hashes yourself, incidentally, the complete SHA-1 list can be downloaded here. You can also check to see if your own password’s there, though you’ll need to hash it with SHA-1 first and search for the hex digest, not the plaintext.)
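To make the point about unsalted SHA-1 concrete, here is an added example (written for this piece, not LinkedIn’s code and not the real dump). It builds a tiny stand-in for the stolen database from constructed usernames and passwords, runs the same dictionary attack the crackers are running, then repeats it against per-user salted hashes and counts how many hash operations each version costs. The `lookup_hash` helper is the ‘hash it with SHA-1 first’ step described above for checking your own password.

```python
"""Added example: why LinkedIn's unsalted SHA-1 hashes fell so fast.

Constructed demo, not LinkedIn's code or the real dump. It builds a tiny
'leaked' hash list from made-up passwords, then runs the same dictionary
attack the crackers used, first against unsalted SHA-1, then against
per-user salted SHA-1, counting how many hash operations each one costs.
"""
import hashlib
import os

# Constructed stand-in for the stolen database. The plaintexts exist only so
# the demo can produce hashes; a real attacker starts from the hashes alone.
USERS = [
    ("alice", "linkedin1"),
    ("bob", "password"),
    ("carol", "password"),     # same password as bob
    ("dave", "kibafo33"),
    ("erin", "Tr0ub4dor&3"),   # not in the wordlist below, so it survives
]

# Constructed wordlist, the kind of thing a dictionary attack iterates over.
WORDLIST = ["123456", "password", "linkedin", "linkedin1", "kibafo33", "qwerty"]


def sha1_hex(data: bytes) -> str:
    """Plain SHA-1 hex digest, which is what LinkedIn stored."""
    return hashlib.sha1(data).hexdigest()


def lookup_hash(password: str) -> str:
    """The 'hash it first' step: this hex string, not the plaintext,
    is what you would search for in the dump."""
    return sha1_hex(password.encode("utf-8"))


def leak_unsalted(users):
    """Simulate the LinkedIn dump: one unsalted SHA-1 per user."""
    return {name: sha1_hex(pw.encode()) for name, pw in users}


def leak_salted(users, salt_len=16):
    """Simulate the same database stored with a random per-user salt."""
    out = {}
    for name, pw in users:
        salt = os.urandom(salt_len)
        out[name] = (salt, sha1_hex(salt + pw.encode()))
    return out


def crack_unsalted(leaked, wordlist):
    """Dictionary attack on unsalted hashes. Each candidate is hashed once
    and compared against every leaked hash at the same time, so users who
    share a password fall together and the cost is len(wordlist) hashes."""
    hash_ops = 0
    candidates = {}
    for word in wordlist:
        candidates[sha1_hex(word.encode())] = word
        hash_ops += 1
    cracked = {name: candidates[h] for name, h in leaked.items() if h in candidates}
    return cracked, hash_ops


def crack_salted(leaked, wordlist):
    """Same attack against salted hashes. The salt is not secret (the attacker
    has the database), but every candidate must be re-hashed per user, so the
    cost is up to len(wordlist) * len(users) and no precomputed table helps."""
    hash_ops = 0
    cracked = {}
    for name, (salt, h) in leaked.items():
        for word in wordlist:
            hash_ops += 1
            if sha1_hex(salt + word.encode()) == h:
                cracked[name] = word
                break
    return cracked, hash_ops


if __name__ == "__main__":
    unsalted = leak_unsalted(USERS)
    got, ops = crack_unsalted(unsalted, WORDLIST)
    print(f"unsalted: cracked {len(got)}/{len(USERS)} with {ops} hash ops: {got}")
    salted = leak_salted(USERS)
    got, ops = crack_salted(salted, WORDLIST)
    print(f"salted:   cracked {len(got)}/{len(USERS)} with {ops} hash ops: {got}")
    print("lookup key for 'password':", lookup_hash("password"))
```

Salting alone only removes the shared work and the precomputed tables; the other half of doing this properly is a deliberately slow password hash (bcrypt, scrypt or PBKDF2 with a high iteration count) so that each of those per-user guesses costs the attacker real time.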
You Dun Goofed
It would be nice to assume that no one’s stupid enough to use the same password for multiple accounts nowadays. Sadly, the internet is nothing if not a breeding ground for idiots. Just ask ‘computer security executive’ Aaron Barr, a man who ought to know more than most about the value of a secure password.
Last year, Barr’s ass was handed to him on a plate by Anonymous (the crew several of whom went on to form LulzSec) after he threatened to shop Anonymous members to the feds. Upon casually probing HBGary Federal’s website, the hackers discovered a simple security flaw and SQLi’d their way into his database, where they lifted his admin password hash – an unsalted MD5, no less – and set about cracking it, in the same manner in which Vladimir and his pals are currently demolishing the LinkedIn database.
Within hours, the hackers had a hit on Barr’s hash. Once cracked, 4036d5fe575fb46f48ffcd5d7aeeb5af became kibafo33 and the hackers were in.
As the book ‘We Are Anonymous’ explains “Unbelievably for a cyber security specialist investigating the highly volatile Anonymous, Barr had used the same easy-to-crack password on almost all his Web accounts, including Twitter, Yahoo!, Flickr, Facebook, even World of Warcraft.”
Gifted this unexpected treasure trove of win, Anonymous did the only thing that was right given the circumstances and assumed control of Barr’s entire digital kingdom before trolling him into the stone age. They feasted on his mail spools, pwned his social media accounts and rooted, rm’d and defaced HBGary’s website. Embarrassing company emails were uploaded to The Pirate Bay, while Barr’s Twitter bio was amended to read “CEO HBGary Federal. Cybersecurity and Information Operations specialist and RAGING HOMOGAY.” His avatar also acquired a banner that simply read “NIGGER”.
Once they’d made themselves at home in Barr’s crumbling cyber security empire, the hackers tweeted his cellphone number and invited the internet to phone him for a chat. This it duly did – in its masses. Soon, Barr’s Twitter account was spitting out such witticisms as “Sup motherfuckers, I’m CEO of a shitty company and I’m a giant media-whoring cunt. LOL check out my nigga Greg’s site: rootkit.com.”
Rootkit.com had, just like its name, been well and truly rooted along with HBGary. Over the next few weeks, Anonymous trolled Aaron Barr mercilessly, at times redirecting their own phone number to his office, where it would ring insistently off the hook.
Cool Story Bro. Now What About LinkedIn?
If your LinkedIn password’s been cracked, the odds are you’re unlikely to receive the full Aaron Barr treatment. Nevertheless, you’ll certainly want to change your password at the very least – especially if it’s also used for your email account – the very same email account hosting those compromising pics of you with that transsexual dominatrix. (Is it possible to have uncompromising pictures taken with a transsexual dominatrix?) Speaking of illicit liaisons, reports are also surfacing today that at least 1.5 million eHarmony passwords – and quite possibly all of them – have been swiped and are currently in the process of being cracked, while Last.fm are also advising all their users to change their passwords. If you’re planning on starting an affair on eHarmony, now might be a good week to commence with the philandering. When it all goes wrong after the wife discovers a series of compromising emails on your phone, you can always blame it on the hackers who seized control of your password.
Whilst changing your LinkedIn or eHarmony password, you’ll also want to beef it up substantially to make it harder to crack. Harder than, say, ‘kibafo33’, or ‘linkedin’, the latter of which appears in a large share of the cracked passwords (‘linkedin1’, ‘linkedin2012’ and so on fall to a dictionary attack just as quickly as the bare word). Long and random beats clever, and a password manager means you never have to remember any of it. If you’ve pulled an Aaron Barr and used the same password across multiple sites, now would be a wonderful time to change every one of them, because whoever holds the LinkedIn dump is already trying those passwords against your email.
If there’s one lesson to be learned from the HBGary story, it’s that if you’re gonna troll someone, do it properly. Oh – and don’t use the same password everywhere, because that’s just asking for it.
It’s not been a good week for LinkedIn – the company has just been forced to rush out a security update to its iOS mobile app, after it was revealed to have serious privacy flaws. LinkedIn appears to be in danger of becoming the RIM of social media – an industry joke. Facebook stock might be dropping like a stone, but at least they haven’t had their password database carted off. Facebook have no qualms about hoarding all your personal data, but there’s no way they’d let a bunch of Soviet upstarts pinch it back off them.
In Summary Then
If your LinkedIn password starts with ‘linkedin’, do the world a favour and go and change it now. Otherwise, enjoy your 6,000 LinkedIn connections while your credit card is getting drained by Russian mobsters.
LinkedIn are on a mission to connect the world, and now the whole world is just one connection away from 6.5 million LinkedIn passwords. It doesn’t get much more linked in than that.