How to check if your LinkedIn password has been stolen

6.5 million passwords were stolen from LinkedIn (Slashdot, LinkedIn announcement, Mashable, NY Times) and a file containing them was released to the public. Well, not the actual passwords, just the hashes, but it’s possible to recover many of the passwords from the hashes with some effort. Besides, there is no guarantee that those in the file were the only ones stolen, especially given that the file name is “SHA1.txt_1.rar” - that “_1” makes me wonder if there’s a “SHA1.txt_2.rar” somewhere…

Anyway, you should definitely change your LinkedIn password, as well as the password for any other sites where you use the same one.

If you want to check whether your password is in the stolen file, there are two ways you can do it.

The first one is definitely not my favourite because there’s something inherently wrong with checking if your password was stolen by typing it into a website you don’t know, but here it is anyway, since some people will not know how to use the second method. Use it at your own risk: LeakedIn

The second method is safe, as you don’t have to type your password anywhere but on your own local terminal.

First get the file containing the hashed passwords.

Then you have to get the SHA1 hash of your password. I used a two line script in Python for that (written so it runs under both Python 2 and 3):

  import hashlib
  print(hashlib.sha1("your password here".encode("utf-8")).hexdigest())

That will give you the SHA1 hash for your password. You can then check if it’s present in the file with this:

  grep "resulting hash" SHA1.txt

Some of the hashes in that file have their first five characters zeroed, so you may want to check just for the last 10 characters of the hash you get.
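The two steps above (hash, then look the hash up, allowing for the zeroed first five characters) combined into one Python 3 program, as an added example that is not the author’s script. The hash list is a constructed stand-in for SHA1.txt built from the three marked hashes quoted further down this page, and the string "example-only" is constructed for illustration.

```python
import hashlib
from typing import Iterable, Optional, Set

# Constructed stand-in for SHA1.txt: the three "00000"-marked hashes quoted on
# this page (for "password", "secret" and "linkedin") plus one unmarked entry,
# the SHA1 of the constructed string "example-only".
SAMPLE_LEAK_LINES = [
    "000001e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "00000a1ba31ecd1ae84f75caaa474f3a663f05f4",
    "0000040c80b6bfd450849405e8500d6d207783b6",
    hashlib.sha1(b"example-only").hexdigest(),
]


def sha1_hex(password: str) -> str:
    """Hex SHA1 of the password, the form in which it appears in the leaked file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_hashes(lines: Iterable[str]) -> Set[str]:
    """Normalise one hash per line into a lowercase set for O(1) lookups.
    For the real file: load_hashes(open("SHA1.txt"))."""
    hashes = set()
    for line in lines:
        h = line.strip().lower()
        if len(h) == 40 and all(c in "0123456789abcdef" for c in h):
            hashes.add(h)
    return hashes


def find_match(password: str, leaked: Set[str]) -> Optional[str]:
    """Return "exact" if the full hash is in the leak, "marked" if only the
    version with its first five hex digits zeroed is, and None otherwise."""
    h = sha1_hex(password)
    if h in leaked:
        return "exact"
    # Same effect as grepping for the last 35 characters of your hash.
    if "00000" + h[5:] in leaked:
        return "marked"
    return None


SAMPLE_HASHES = load_hashes(SAMPLE_LEAK_LINES)

if __name__ == "__main__":
    for pw in ("password", "example-only", "not-in-the-sample"):
        print(pw, "->", find_match(pw, SAMPLE_HASHES))
```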

Finally, some observations about the file, from a comment on ycombinator:

Some observations on this file:
  1. This is a file of SHA1 hashes of short strings (i.e. passwords).

  2. There are 3,521,180 hashes that begin with 00000. I believe that these represent hashes that the hackers have already broken and they have marked them with 00000 to indicate that fact.

Evidence for this is that the SHA1 hash of ‘password’ does not appear in the list, but the same hash with the first five characters set to 0 is.

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 is not present
000001e4c9b93f3f0682250b6cf8331b7ee68fd8 is present

Same story for ‘secret’:

e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 is not present
00000a1ba31ecd1ae84f75caaa474f3a663f05f4 is present

And for ‘linkedin’:

7728240c80b6bfd450849405e8500d6d207783b6 is not present
0000040c80b6bfd450849405e8500d6d207783b6 is present

  3. There are 2,936,840 hashes that do not start with 00000 that can be attacked with JtR.

  4. The implication of #1 is that if checking for your password and you have a simple password then you need to check for the truncated hash.

  5. This may well actually be from LinkedIn. Using the partial hashes (above) I find the hashes for passwords linkedin, LinkedIn, L1nked1n, l1nked1n, L1nk3d1n, l1nk3d1n, linkedinsecret, linkedinpassword, …

  6. The file does not contain duplicates. LinkedIn claims a user base of 161m. This file contains 6.4m unique password hashes. That’s 25 users per hash. Given the large amount of password reuse and poor password choices it is not improbable that this is the complete password file. Evidence against that thesis is that the password of one person that I’ve asked is not in the list.
