According to the Sophos Naked Security blog, there are rumours that the file of hashed passwords from the LinkedIn site has turned up on hacking sites. If true, it means that anyone with a LinkedIn account should consider their password compromised and change it at once, following the standard advice for strong passwords. The latest information is that there is very little doubt now – the file of password hashes is readily available.
The details of the story do indicate that an attacker still has several “challenges” to clear before gaining access to someone’s account:
- The supposedly public list contains password hashes but not the matching usernames. If you crack a hash, you will not know which account it belongs to. Except that whoever leaked the list in the first place may well know the usernames!
- Any attacker still has to run a password cracker against the list. Crackers try the most common passwords and dictionary words first, so the weakest passwords are compromised almost immediately while long, unusual passwords can hold out for a very long time. If you use a strong password, you may well be relatively safe for now.
Despite the “challenges”, it is safest to assume that an attacker could get your password (and username), so to be safe, change your LinkedIn password.
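To make the two “challenges” above concrete, here is an added example of my own (not code from the Sophos post or from LinkedIn) that cracks a constructed list of unsalted SHA-1 hashes the way a password cracker would: common passwords and dictionary words first, then a short brute force. The passwords, the wordlist and the per-user salts are all made up for the illustration. The salted variant goes a little beyond the text and is there only for comparison: it shows why the length of the leaked list barely slows an attacker down when the hashes are unsalted, and why one cracked hash exposes every account that shares the same password.

```python
"""Toy password-cracking run over a constructed list of unsalted SHA-1 hashes.
Every password, hash and salt here is made up for the example."""
import hashlib
import itertools
import string
from collections import Counter


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked file: hashes only, no usernames.
# Two "accounts" use "password"; with unsalted hashing they produce the
# same hash, so cracking it once exposes both.
_SAMPLE_PASSWORDS = [
    "password", "123456", "linkedin", "password", "abc",
    "Tr0ub4dor&3", "correct horse battery staple",
]
LEAKED_HASHES = [sha1_hex(p) for p in _SAMPLE_PASSWORDS]

# Constructed salted records (salt, sha1(salt + password)) for comparison only.
SALTED_RECORDS = [
    (f"salt{i}", sha1_hex(f"salt{i}" + p)) for i, p in enumerate(_SAMPLE_PASSWORDS)
]

# Tiny wordlist; real crackers start with lists like this before brute force.
WORDLIST = ["123456", "12345678", "qwerty", "password", "letmein", "linkedin"]


def candidates(wordlist, charset=string.ascii_lowercase, max_len=3):
    """Guesses cheapest-first: the wordlist, then every lowercase string
    of length 1..max_len. Strong passwords never appear in this sequence."""
    yield from wordlist
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            yield "".join(tup)


GUESSES = list(candidates(WORDLIST))  # 6 + 26 + 676 + 17576 = 18284 guesses


def crack_unsalted(hashes, guesses):
    """Unsalted: hash each guess once and look it up against the whole list.
    Returns ({hash: (password, accounts_sharing_it)}, uncracked_accounts, sha1_calls)."""
    remaining = Counter(hashes)  # hash -> number of accounts with that hash
    cracked = {}
    work = 0
    for g in guesses:
        work += 1
        h = sha1_hex(g)
        if h in remaining:
            cracked[h] = (g, remaining.pop(h))
        if not remaining:
            break
    return cracked, sum(remaining.values()), work


def crack_salted(records, guesses):
    """Salted: each guess must be re-hashed for every account, so the cost
    grows with the number of accounts instead of the number of guesses.
    Returns ({hash: password}, sha1_calls)."""
    cracked = {}
    work = 0
    for salt, h in records:
        for g in guesses:
            work += 1
            if sha1_hex(salt + g) == h:
                cracked[h] = g
                break
    return cracked, work


if __name__ == "__main__":
    cracked_u, left_u, work_u = crack_unsalted(LEAKED_HASHES, GUESSES)
    for h, (pw, n) in cracked_u.items():
        print(f"{h[:12]}...  {pw!r:34} used by {n} account(s)")
    print(f"unsalted: {len(cracked_u)} hashes cracked, {left_u} accounts left, "
          f"{work_u} SHA-1 calls")
    cracked_s, work_s = crack_salted(SALTED_RECORDS, GUESSES)
    print(f"salted:   {len(cracked_s)} accounts cracked, {work_s} SHA-1 calls")
```

Note that the strong passwords ("Tr0ub4dor&3" and the long passphrase) survive both runs: the attacker exhausts the cheap guesses without ever producing their hash, which is the "relatively safe" case the second challenge describes. Everything weak falls in the first few thousand guesses, and the whole leaked list costs the attacker only one SHA-1 per guess.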
There are indications that a significant proportion of the password hashes – approximately a third of them – have already been “cracked”.
Information on password cracking has been moved from this blog entry and updated.