How LinkedIn’s password sloppiness hurts us all | Ars Technica

Jun 13, 2016 15:27

Jeremi M Gosney (@jmgosney) is a world-renowned password cracker and security expert. He is the Founder & CEO of the password-cracking firm Sagitta HPC, and a member of the Hashcat development team. Jeremi also helps run the Security BSides Las Vegas, Hushcon, and PasswordsCon conferences.

Me: "The full dump from the 2012 LinkedIn breach just dropped, so you're probably not going to see much of me over the next week."

Wife: "Again?"

Yes, again. If you're just waking up from a coma, you would be forgiven for thinking that it's still 2012. But no, it's 2016 and the LinkedIn breach is back from the dead, on its four-year anniversary, no less. If you had a LinkedIn account in 2012, there's a 98 percent chance your password has been cracked.

Back in 2012, fellow professional password cracker d3ad0ne (who regrettably passed away in 2013) and I made short work of the first LinkedIn password dump, cracking more than 90 percent of the 6.4 million password hashes in just under one week. Following that effort, I did a short write-up ironically titled The Final Word on the LinkedIn Leak.

An unknown hacker posted the lists online and asked for help in cracking them.

But those 6.4 million unique hashes posted on a Russian password-cracking forum in June 2012 only accounted for a fraction of the total LinkedIn database. This second dump, on the other hand, contains 177.5 million password hashes for 164.6 million users, which aligns perfectly with LinkedIn's user count in the second quarter of 2012. After validating the data that I received with several individuals, I concluded that this does appear to be a nearly complete dump of the user table from the 2012 LinkedIn hack...