LinkedIn, New Breaches Raise Issues
4 Incidents Put Spotlight on Hashing Effectiveness
Four recent breach incidents are putting the spotlight on the effectiveness of various hashing techniques to encrypt passwords.
The incidents, which affected LinkedIn, eHarmony, Last.fm and League of Legends, all involved hackers gaining access to hashed passwords and posting them on underground hacking forums. Hashed passwords lists for LinkedIn and eHarmony wound up on the same forum.
In its latest update, LinkedIn has confirmed in a blog that approximately 6.5 million hashed passwords were posted on an underground hacker forum, and it acknowledges that some of the passwords were decoded and published (see: LinkedIn: Hashed Passwords Breached).
"Most of the passwords on the list appear to remain hashed and hard to decode, but unfortunately a small subset of the hashed passwords was decoded and published," the LinkedIn blog states. "To the best of our knowledge, no e-mail logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member's account as a result of this event."
The blog goes on to say that LinkedIn, which has about 150 million global users, has since locked down and protected all accounts associated with the decoded passwords and has deactivated those potentially breached and exposed passwords.
Affected LinkedIn members have been contacted and provided instructions about how to reset their passwords, the social-networking site says.
"We are also actively working with law enforcement, which is investigating this matter," the blog continues.
Related Breach Incidents?
The three other recent breaches seem to involve similar attacks.
Last week, online dating website eHarmony warned that a "small fraction" of its more than 20 million registered users may have been affected by a breach of hashed passwords associated with their online accounts.
According to the online technology website ArsTechnica, about 1.5 million of the unsalted hashes of eHarmony account passwords had already been decoded to their plaintext values. At least 420 of the passwords recovered from the allegedly broken hashes contained the strings "eharmony" or "harmony," the site reports.
Graham Cluley, a senior technology consultant at Sophos who blogged about the eHarmony and LinkedIn breaches, believes the timing of the two leaks is no coincidence.
"I would find it surprising if they weren't connected," Cluley says. "Of course, we'll wait to hear from both LinkedIn and eHarmony about whether they have identified how the security breach occurred."
Now two more attacks on hashed password lists could be connected as well.
Online commerce site Last.fm revealed late last week that it, too, was hacked in a similar way. On June 7, the online music-recommendation service, which enables users to download and share music, posted a blog to warn of a possible password leak.
"This follows recent password leaks on other sites, as well as information posted online," the blog states. "As a precautionary measure, we're asking all our users to change their passwords immediately."
And on June 9, online gaming site League of Legends, which has more than 32 million registered users, posted an alert on its site to notify users that an investigation revealed some of its European databases had been breached, and that more than half of the hashed passwords stored on those databases were simple enough to crack.
"We compared encrypted password hashes and discovered that 11 passwords were shared by over 10,000 players each," the alert states. "A double-digit percentage of individuals had the same password as at least one other person."
The alert goes on to offer recommendations about establishing more secure passwords.
In addition to hashed passwords, League of Legends says users' e-mail addresses, online-gamer or summoner names, dates of birth, and, in some cases, first and last names and encrypted security questions and answers, also were breached.
The four incidents are calling attention to the inadequacy of hashing techniques used to protect passwords.
Hashing is a form of encryption used to protect passwords. The most commonly used hashing method is SHA-1, a secure hash algorithm that produces a 160-bit value for a password. So, rather than storing passwords, many online sites store hashes.
Seth Hanford, incident manager for Cisco's Product Security Incident Response Team, says SHA-1 remains the online world's most widely used technology for password hashing, but its functionality is showing its age.
Many hashes are unsalted, which makes them easy to decode or break, Hanford contends. When hashes are salted, additional information is added to the hashed value, making reverse-engineering the original password a little more difficult.
The hashes exposed in the LinkedIn, eHarmony and Last.fm breaches were not salted, Hanford says. And based on information released about the League of Legends breach, it appears those hashes were unsalted as well.
"If the hashes had been salted, it would take the hackers longer, but not significantly longer," to figure out the hashes' values, Hanford says. "Even if they had salted the hashes, they still would have been compromised, because the salt has to be stored somewhere on the server, and that means hackers can find it."
Hanford contends many online sites and organizations have been slow to move toward more advanced password protection mechanisms, such as bcrypt, because they don't understand how vulnerable hashed passwords, unsalted and salted, have become.
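The two technical points in this article, the League of Legends observation that identical unsalted hashes reveal which users share a password, and Hanford's distinction between unsalted, salted and slow (bcrypt-style) hashing, can be shown side by side in a few lines. The following is an added example written for this page, not code from LinkedIn, eHarmony, Last.fm, League of Legends or Cisco. The user names and passwords are constructed, the known-weak word list is a placeholder, and PBKDF2 from the Python standard library stands in for bcrypt (an assumption made so the example runs without third-party packages; the point is the per-user salt plus a deliberately slow function, not the specific algorithm).

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample table (invented names and passwords): what a site
# that stores plain SHA-1 digests, as the breached sites did, holds.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "letmein",
    "carol": "password",
    "dave": "harmony123",
    "erin": "password",
}

# Placeholder list of known-weak passwords an auditor would check against.
KNOWN_WEAK = ["password", "123456", "letmein"]


def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 of the password: same input, same digest, every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_hash_counts(hash_table: dict) -> dict:
    """Group identical digests. With unsalted hashing, users who chose the
    same password get the same digest, so anyone holding the table can see
    how many accounts share each password (the League of Legends finding)."""
    counts = Counter(hash_table.values())
    return {digest: n for digest, n in counts.items() if n > 1}


def audit_known_weak(hash_table: dict, weak_list) -> dict:
    """Defender's audit: hash each known-weak password once and look it up.
    One SHA-1 computation per candidate covers every user in the table at
    once, which is exactly why unsalted tables fall so quickly."""
    lookup = {sha1_unsalted(w): w for w in weak_list}
    return {user: lookup[d] for user, d in hash_table.items() if d in lookup}


def pbkdf2_salted(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 as a stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str, iterations: int = 100_000) -> dict:
    """Create a stored record: a fresh random salt per user, kept beside the
    digest. The salt is not secret; its job is to make equal passwords hash
    differently and to defeat precomputed tables."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": pbkdf2_salted(password, salt, iterations),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    computed = pbkdf2_salted(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(computed, record["hash"])


def shared_salted_counts(records: dict) -> dict:
    """Same sharing analysis on salted records: identical passwords no longer
    collide, so the table alone does not reveal who shares a password."""
    counts = Counter(r["hash"] for r in records.values())
    return {digest: n for digest, n in counts.items() if n > 1}


if __name__ == "__main__":
    unsalted = {u: sha1_unsalted(p) for u, p in SAMPLE_USERS.items()}
    print("shared unsalted digests:", shared_hash_counts(unsalted))
    print("accounts using known-weak passwords:", audit_known_weak(unsalted, KNOWN_WEAK))

    salted = {u: store_password(p, iterations=2_000) for u, p in SAMPLE_USERS.items()}
    print("shared salted digests:", shared_salted_counts(salted))
    print("alice verifies:", verify_password(salted["alice"], "password"))
```

Running it shows three of the five constructed accounts collapsing to one SHA-1 digest, and the audit identifying four accounts from a three-word list with three hash computations. After salting, the same three "password" users hold three different digests, and the iteration count turns each guess into thousands of hash operations instead of one. As Hanford notes, a salt stored beside the digest does not stop an attacker who already has the table from guessing passwords one user at a time; what it removes is the bulk, table-wide shortcut, and the slow function is what makes the remaining per-user guessing expensive.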