PC Pro

“Unsalted hashes make things easier for the bad guys and much tougher on the compromised users”

Now the truth is out on the LinkedIn data breach of 2012, it’s time to learn some lessons – and find out if you’ve been compromised


It seems an age now since LinkedIn suffered a breach and a whopping 6.5 million users found their logins had been stolen. It seems like an age because it was: 2012, to be precise. At the time, we were advised to change our passwords, as usual, and things went on, as usual. Until now, that is, with news that the true extent of that breach was far greater than we were led to believe – in the region of 117 million user logins.

Why has it taken so long to be disclosed? The answer would appear to be a hacker called Peace. We know the extent of the original compromise because Peace has advertised the entire LinkedIn breach login dump on the dark market site The Real Deal (for a measly five bitcoins, which is about £1,800). It’s taken this long to be disclosed because, until now, no-one had tried to sell the entire dump.

Peace was offering 167 million account details, but “only” 117 million have the full login info of user emails and encrypted passwords. This seems to have been confirmed by pwned data search engine LeakedSource, which is said to be in possession of the dump. Encrypted, that is, in the sense of being hashed but crucially not salted. The passwords were hashed with SHA-1 (Secure Hash Algorithm 1), an algorithm developed by the US National Security Agency, whose actions have been frowned upon of late. That’s not the bad news, however, since SHA-1 was considered safe in 2012. The bad news is the lack of salt: random data added to each password before it is hashed, which makes the resulting hashes much harder to crack.

When the brown data hits the fan, unsalted hashes make things easier for the bad guys and tougher on the compromised users. Google is penalising sites that use SHA-1 certificates, which expire this year; Microsoft won’t be accepting them after 2016 either. SHA-1 is no longer considered secure, and SHA-256 certificates should be used instead.

Back to LeakedOut, which is what the social network for suits is fast becoming known as in security circles. That hashes appeared in the original leaked database, and indeed the current one, may sound like a good thing. In many ways it is, if you subscribe to the “better than nothing” school of security thinking. The trouble is, unsalted hashes are only a little better than nothing, as so many people reuse their credentials across multiple services. Not just the same passwords, but the same usernames as well. How often have you gone to the hassle of changing your username at the same time as doing a password reset?

Anyway, once in possession of the hashes and user emails, it’s relatively straightforward to start using rainbow tables (huge precomputed lists of hashes alongside their known plain-text password equivalents) to pick out credential pairs to throw at email and social networking services in the hope of striking lucky.
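The point made above, that an unsalted hash lets one precomputed table be reused against every account while a per-user salt does not, worked through as an added example (not code from the column or from LinkedIn). The users, passwords and wordlist are constructed here for illustration.

```python
import hashlib
import os

# Constructed sample data: four made-up accounts and their passwords.
# Two users share a password, as happens in any large user base.
CONSTRUCTED_USERS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "password1",
    "carol@example.com": "linkedin",
    "dave@example.com": "xK9#vQ2!pL7m",
}

# Constructed "common passwords" wordlist standing in for a rainbow table.
CONSTRUCTED_WORDLIST = ["123456", "password1", "linkedin", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """Storage scheme the column describes: plain SHA-1, no salt.
    The same password always produces the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute digest -> plaintext once. Only possible because no salt
    varies the digest between users or between sites."""
    return {sha1_unsalted(w): w for w in wordlist}


def match_unsalted(leaked: dict, table: dict) -> dict:
    """Which leaked accounts have a digest present in the precomputed table."""
    return {user: table[d] for user, d in leaked.items() if d in table}


def sha1_salted(password: str, salt: bytes) -> str:
    """Per-user salt: identical passwords now give different digests, so a
    table built for one user (or one site) is useless against another."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted and deliberately slow: what a site should store instead of
    raw SHA-1. Each guess costs the attacker `iterations` hash operations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def leaked_unsalted() -> dict:
    """Build the constructed 'leak' as the site would have stored it."""
    return {u: sha1_unsalted(p) for u, p in CONSTRUCTED_USERS.items()}


def new_salt() -> bytes:
    return os.urandom(16)
```

Two accounts with the same password collide visibly in the unsalted table, and three of the four fall to a four-word list; with a random per-user salt the same two accounts no longer match each other, let alone a table built in advance.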

Breach response, meet facepalm

This is where the original LinkedIn breach starts to go very badly wrong. If it had been handled appropriately, then the 100+ million accounts figure wouldn’t have been a surprise to us because LinkedIn management would have ’fessed up. Now they’ll say – indeed, have said already in an official statement regarding the current situation – that in 2012, it was “the victim of an unauthorised access and disclosure of some members’ passwords” – which was vague then and remains so now.

That, according to the LinkedIn statement, “our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorised disclosure” is of little comfort. Think about it: a mandatory password reset of 6.5 million accounts when 117 million could have been at risk.

The responsible action would have been to prioritise the 6.5 million included in the published list but to then follow up with a mandatory reset for everyone. It’s not the same as saying everyone has been hacked, but it does show that you care about your users’ security and aren’t prepared to take the risk that credentials could have been compromised.

That LinkedIn is doing this now, by “taking immediate steps to invalidate the passwords of accounts impacted”, makes taking your time look like an understatement. Mind you, the careful use of words such as “for several years we have hashed and salted every password in our database” does it no favours either. I prefer the more straightforward approach, which would have been: “Since that breach in 2012...”

Where LinkedIn is getting it right is in encouraging users to enable two-step verification, along with the use of strong passwords, to strengthen secure account authentication. The problem is, pretty much everyone I’ve spoken to this past week who uses LinkedIn had absolutely no idea that a 2FA option existed. For the record, I contacted 26 users (not involved with IT security) and only two were aware.

I can’t say I’m surprised, as the site doesn’t exactly scream about it. Even once you’re on the Privacy & Settings page (by hovering over your thumbnail image top right of screen), it isn’t obvious where the 2FA option resides. Good UI design logic dictates that it should be right there on the

“LinkedIn should have prioritised the 6.5 million included in the list, following up with a mandatory reset for everyone”

@happygeek Davey is an award-winning journalist and consultant specialising in privacy and security issues
