
Geek Culture / Linked In hacked.

Author
Message
lazerus
17
Years of Service
User Offline
Joined: 30th Apr 2008
Location:
Posted: 6th Jun 2012 21:35
Linked in hacked

Get your passwords changed people

Portfolio; Arthiccup.com
Lazerus Reborn on Polycount and a few other places.
Seppuku Arts
Moderator
20
Years of Service
User Offline
Joined: 18th Aug 2004
Location: Cambridgeshire, England
Posted: 6th Jun 2012 22:12
Cheers for the heads up.

The Slayer
Forum Vice President
15
Years of Service
User Offline
Joined: 9th Nov 2009
Playing: (Hide and) Seek and Destroy on my guitar!
Posted: 6th Jun 2012 23:14
Already done.

Thanks for the notice!

BatVink
Moderator
22
Years of Service
User Offline
Joined: 4th Apr 2003
Location: Gods own County, UK
Posted: 7th Jun 2012 00:11
done...but note that the passwords are not decrypted. They have only been able to match some passwords to common words (such as Linkedin, but no sane person would use that, would they????)

Nateholio
19
Years of Service
User Offline
Joined: 30th Dec 2005
Location: I've Been Everywhere
Posted: 7th Jun 2012 00:16
Quote: "such as Linkedin, but no sane person would use that, would they????"


That's the kind of thing an idiot would have on his luggage!

In Development: K96 - Combat Simulation
Keep your Hope and Change, I choose individual Liberty!
Seppuku Arts
Moderator
20
Years of Service
User Offline
Joined: 18th Aug 2004
Location: Cambridgeshire, England
Posted: 7th Jun 2012 00:24 Edited at: 7th Jun 2012 00:25
@Batvink
You say that, but people do. I knew a manager whose password was...in fact, it's so obvious I don't think I have to tell you.

I stick to made up words or random words with numbers that I can remember and cycle through them.

BatVink
Moderator
22
Years of Service
User Offline
Joined: 4th Apr 2003
Location: Gods own County, UK
Posted: 7th Jun 2012 00:56
I access 20 or 30 accounts a week (legitimately), set up by clients. Around 40% set the password to the same as the user name or the product name.

DJ Almix
19
Years of Service
User Offline
Joined: 25th Feb 2006
Location: Freedom
Posted: 7th Jun 2012 02:04
What's LinkedIn?


Green Gandalf
VIP Member
20
Years of Service
User Offline
Joined: 3rd Jan 2005
Playing: Malevolence:Sword of Ahkranox, Skyrim, Civ6.
Posted: 7th Jun 2012 02:28 Edited at: 7th Jun 2012 02:39
Interesting. LinkedIn does nothing when I click the change password button. Any ideas why?

Edit: Nevermind, the link in the first post tells you what to do.
Seppuku Arts
Moderator
20
Years of Service
User Offline
Joined: 18th Aug 2004
Location: Cambridgeshire, England
Posted: 7th Jun 2012 02:46
Quote: "What's LinkedIn?"


Social networking for professionals. The idea is to link professionals together and help them find work where they need it or just to keep people with a 'professional' relationship in contact. Also, some jobs will allow you to apply using your LinkedIn profile, which is useful. There's also job advertisements on there.

bitJericho
22
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 7th Jun 2012 16:18
Also a reminder to people, not to enter your password on leakedin or any similar service to "check if your password was hacked". That's a good way to give your password out to some third party. Even if they claim they don't keep it, they may anyway on purpose or on accident.

If you're really curious, generate the hash yourself and then use that against the list that's been published.

MrValentine
AGK Backer
14
Years of Service
User Offline
Joined: 5th Dec 2010
Playing: FFVII
Posted: 11th Jun 2012 10:06
changed and updated

bitJericho
22
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 11th Jun 2012 12:42 Edited at: 11th Jun 2012 12:43
David R
21
Years of Service
User Offline
Joined: 9th Sep 2003
Location: 3.14
Posted: 11th Jun 2012 17:19 Edited at: 11th Jun 2012 17:28
Quote: "done...but note that the passwords are not decrypted. They have only been able to match some passwords to common words (such as Linkedin, but no sane person would use that, would they????)"


However, they are (unsalted) SHA-1 hashes: I'm pretty sure a GPGPU implementation exists to (brute-force) crack them in seconds / minutes, so the risk is still pretty high.

EDIT:
Quote: "Also a reminder to people, not to enter your password on leakedin or any similar service to "check if your password was hacked". That's a good way to give your password out to some third party."


There is one by OnePass (I think) which can be considered 'legit'. It's also safe, since the idea is you're checking whether your password was stolen after having already changed it (it literally just hashes the text and compares it against what was stolen). Obviously, yeah, don't do it if you haven't changed your password!

09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0
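bitJericho suggests hashing your own password locally and checking it against the published list rather than typing it into a third-party site, and David R points out the dump is unsalted SHA-1. The following is an added example (not code from anyone in this thread) that does exactly that offline: it parses a constructed one-hash-per-line dump, hashes the candidate password in-process, and reports membership. It also shows concretely why "unsalted" matters: two accounts with the same password produce identical digests, so one match exposes every account sharing it. The sample dump is built from a few obviously weak passwords and is not the real LinkedIn data.

```python
"""Check a password against a leaked list of unsalted SHA-1 hashes without the
password leaving this process, and show why unsalted hashes are weak.
Added example; the dump contents below are constructed, not the real leak."""
import hashlib
import secrets


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 of a UTF-8 string as lowercase hex (what the leak contained)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked file: one hex digest per line. Built here
# from a few weak sample passwords so the example runs offline.
SAMPLE_WEAK_PASSWORDS = ["linkedin", "password", "123456"]
LEAKED_DUMP = "\n".join(sha1_hex(p) for p in SAMPLE_WEAK_PASSWORDS) + "\n"


def load_hash_set(dump_text: str) -> set[str]:
    """Parse one-hash-per-line text; normalise case and skip lines that are not
    40 hex characters (headers, blank lines, garbage)."""
    hashes = set()
    for line in dump_text.splitlines():
        token = line.strip().lower()
        if len(token) == 40 and all(c in "0123456789abcdef" for c in token):
            hashes.add(token)
    return hashes


def password_in_dump(password: str, hashes: set[str]) -> bool:
    """Hash locally and test set membership. Nothing is sent anywhere, so there
    is no third party, TLS question or phishing look-alike to worry about."""
    return sha1_hex(password) in hashes


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt plus the password (illustration only:
    a real site should use a slow, salted password hash such as bcrypt,
    scrypt or Argon2, not plain SHA-1 in any form)."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def demo_salt_effect(shared_password: str) -> tuple[bool, bool]:
    """Model two accounts that chose the same password.

    Returns (unsalted_digests_equal, salted_digests_equal). Unsalted storage
    gives identical digests, so one crack exposes both users and a precomputed
    table of common words works against the whole dump at once. A random
    per-user salt makes the stored values differ even for identical passwords."""
    user_a_unsalted = sha1_hex(shared_password)
    user_b_unsalted = sha1_hex(shared_password)
    user_a_salted = salted_sha1_hex(shared_password, secrets.token_bytes(16))
    user_b_salted = salted_sha1_hex(shared_password, secrets.token_bytes(16))
    return (user_a_unsalted == user_b_unsalted, user_a_salted == user_b_salted)


if __name__ == "__main__":
    known = load_hash_set(LEAKED_DUMP)
    for candidate in ["password", "correct horse battery staple"]:
        verdict = "IN the dump" if password_in_dump(candidate, known) else "not in the dump"
        print(f"{candidate!r}: {verdict}")
    print("same password, unsalted digests equal / salted digests equal:",
          demo_salt_effect("linkedin"))
```

Run it against the real file by reading the downloaded dump into `load_hash_set` in place of `LEAKED_DUMP`; the candidate password is never written out, only its digest is compared. As the thread says, a match means the password must be treated as burned everywhere it was reused, not just on LinkedIn.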
bitJericho
22
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 11th Jun 2012 17:30 Edited at: 11th Jun 2012 17:35
Quote: "There is one by OnePass (I think) which can be considered 'legit'. It's also safe, since the idea is you're checking whether your password was stolen after having already changed it (it literally just hashes the text and compares it against what was stolen). Obviously, yeah, don't do it if you haven't changed your password!"


Who is onepass and why should we trust them? The problem is for people who don't change their password unless it is in the list. Also, it gets people used to entering their passwords on third party sites because the site tells them it's safe.

Quote: "(it literally just hashes the text and compares it against what was stolen"


Why can't you do that yourself? It'd be very simple to do, and wouldn't be at risk of having insecure connections, mitm attacks, compromised sites, or illegitimate sites.

Of course, if you use the password only at the one place, and change it before using the tool, there's really very little risk then (as long as you didn't forget another site you used the password at).

Still, I wouldn't do it if ms themselves were offering it. I'd just download the list myself and generate the hash by hand if I was that curious.

David R
21
Years of Service
User Offline
Joined: 9th Sep 2003
Location: 3.14
Posted: 11th Jun 2012 17:58 Edited at: 11th Jun 2012 18:00
Quote: "Who is onepass and why should we trust them? The problem is for people who don't change their password unless it is in the list."


Turns out it's actually LastPass (Here) who make a popular 'one password' piece of software. The site is SSL'd and has no insecure elements that aren't SSL'ed.

Sure, you could say 'trust nobody' but this is literally a SHA-1 calculate-and-check job (it even displays the hash to make it crystal clear that you should have already changed your password).

Quote: "Why can't you do that yourself? It'd be very simple to do, and wouldn't be at risk of having insecure connections, mitm attacks, compromised sites, or illegitimate sites."


I'm not even aware of where the hacked database is hosted, not to mention whether it's even plaintext searchable or whether it's a straight dump of a specific database format. I'd imagine the same applies to most other people.

Quote: "Why can't you do that yourself? It'd be very simple to do, and wouldn't be at risk of having insecure connections, mitm attacks, compromised sites, or illegitimate sites."


All of which are problems for any sites using logins which are not SSL'd by default (of which there are a huge amount).

09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0
bitJericho
22
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 11th Jun 2012 19:54 Edited at: 11th Jun 2012 20:00
Quote: "All of which are problems for any sites using logins which are not SSL'd by default (of which there are a huge amount)."


That's definitely an issue.

And this isn't really about an expert checking their password. You and I can fairly easily find safe services. This is more about newbs randomly putting in their password cuz they read about some password checking site on some random blog.

It's certainly not worth it to get people checking their passwords on these sites.

I mean think about it. What if, to prevent phishing, you could sign up with your bank details and those sites would email you when there's a phishing attack. The service is so useful that there's thousands of such sites, many of which are run by amateurs. Certainly a useful service, but stupid nonetheless. Ok, it's a poor analogy but it gets my point across.

Add to that, I've read that LinkedIn hasn't even found the hole that was exploited. In that case, hackers may have your old and new password.

The way around that would be to change your LinkedIn password, changing all other sites that use that password to a different one, and using a different one for each site (or at least, different from the LinkedIn password). Or better yet, use a good password plugin that does some of the gruntwork for you.
