A news story has appeared on the Russian segment of the Internet about the theft of LinkedIn users’ passwords. The media are calling the incident a ‘leak’, but analysts at InfoWatch maintain it was caused by a flaw in the system.
The social network LinkedIn has confirmed that 6.5 million of its users have had their passwords compromised. A file containing the data was made freely available on June 5th on the Russian hacker portal Insidepro.com, which specializes in ways of recovering passwords from hashes. The hacker in question also claimed to know the names of his ‘victims’, but said he had no intention of disclosing them.
Nikolai Fedotov, chief analyst at InfoWatch, believes that the incident itself did not cause too much alarm in the IT community, although news of it spread like wildfire. Experts know that there is no way to make money from a LinkedIn account, so it is a product that will not sell on the black market. For this reason there was no mad dash by IT experts last night to change their passwords: instead, they simply downloaded the leaked database to their own computers, had a good look at it, tried brute-force and dictionary attacks, and began to discuss the consistency of the hashes and possible mass inverse
“The community was concerned most of all,” Fedotov continued, “by the fact that passwords in this ‘social network for professionals’ had been encrypted in an unprofessional way, i.e. without using a ‘salt’ (something that is used to strengthen encryption). It would have been much harder to invert the hash function if a salt had been used, and doing so barely requires any resources.

It is widely felt that this kind of omission does not reflect well on those who developed the system. And the incident itself probably occurred due to this kind of oversight, and not because of any intentional or careless acts on the part of the social network’s employees. For those of us whose job is to develop DLP systems, this is a fundamental difference.”

Nikolai added that the incident would not feature in the next analytical report by InfoWatch, which is due out in July.
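An added example (not from the article or from InfoWatch) that illustrates Fedotov’s point about salting. The unsalted scheme is assumed here to be a bare SHA-1 of the password, which the article does not name, and the sample accounts and word list are constructed. It shows why one pass over a word list inverts every matching account at once when hashes are unsalted, and how a per-user random salt with a slow KDF removes that shared shortcut at almost no cost to the site.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users chose the same weak password.
USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3"}
# Constructed candidate list standing in for a cracking dictionary.
DICTIONARY = ["123456", "password", "linkedin", "qwerty"]

def unsalted_hash(password: str) -> str:
    """The scheme the article criticises (assumed SHA-1): no salt, so equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()

def crack_unsalted(stored: dict, dictionary: list) -> tuple:
    """Each word is hashed once; a single lookup table inverts every matching account."""
    table = {unsalted_hash(w): w for w in dictionary}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(dictionary)  # (accounts recovered, hash evaluations spent)

def salted_hash(password: str, salt: bytes = b"", iterations: int = 100_000) -> tuple:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; the site stores both salt and digest."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)

def crack_salted(stored: dict, dictionary: list) -> tuple:
    """Salts kill the shared table: every word must be re-hashed for every user."""
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for word in dictionary:
            work += 1
            if verify_salted(word, salt, digest):
                found[user] = word
                break
    return found, work

def compare_schemes(users: dict = USERS, dictionary: list = DICTIONARY) -> dict:
    """Run the same dictionary against both storage schemes and report the cost of each."""
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: salted_hash(p) for u, p in users.items()}
    return {
        "duplicate_unsalted_hashes": len(set(unsalted.values())) < len(unsalted),       # True
        "duplicate_salted_digests": len({d for _, d in salted.values()}) < len(salted),  # False
        "unsalted": crack_unsalted(unsalted, dictionary),  # ({alice, bob}, 4 hashes)
        "salted": crack_salted(salted, dictionary),  # (same accounts, 10 slow hashes)
    }
```

The work figures are for three accounts; for millions of accounts the salted cost scales with the number of users times the word list, while the unsalted cost stays one hash per word.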