June 7, 2012 - Warren Held

LinkedIn & eHarmony Password Leaks

From what I read, someone from Russia uploaded a list of over 6 million SHA1-hashed LinkedIn user account passwords and 1.5 million eHarmony SHA1 hashes. SHA1 isn’t a very strong encryption, plus the passwords were not salted. I just read on Google News that over 60% of the passwords have been decrypted already. I’m sure most of them have been decrypted using a dictionary attack or a dictionary permutation attack (where each entry in the dictionary generates each combination of itself, so ABC becomes ABC & ACB & BAC & CAB & BCA etc.).

I downloaded the hashed password list from ThePirateBay and figured this would be an excellent time to figure out how to use hashcat. I loaded up oclhashcat-plus, set it up to use the list of hashed passwords, set it to use the mixed alpha/numeric character set, and ran it. oclhashcat-plus is the OpenCL version of hashcat (so I can brute-force the passwords on my ATI Radeon HD 6950, which is much faster than using a CPU). So far I’ve only run it overnight one night. I was able to decrypt 7,843 passwords. I have a few dictionary files I’m going to use to run a permutation attack tonight or tomorrow. I’ll update the decrypted password list and this post as I make progress. You can download the list as an Excel spreadsheet or PDF below. If anyone knows their way around hashcat and would like to join in and distribute the work with me, leave me a comment.

One last thing: I just realized that these passwords aren’t technically encrypted, so I probably shouldn’t say I have decrypted them. SHA1 is a hashing algorithm, not an encryption algorithm, which means that there is no way to decrypt the hashes. When you log on to LinkedIn, the web site hashes the password you entered and checks it against the hash it has stored for your account. If the hashes match, then that means you entered the correct password. That is how password hashes work. I have also linked the original leaked documents.
Note: I’m working on cracking these for educational purposes. Usernames are not included, so you cannot use these passwords to log on to anyone’s account. Once these lists are decoded they will make for a good couple of password dictionaries for future cracking, though.
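The login check described above, next to a salted alternative, as an added example that is not code from this post or from either site. The function names, the sample accounts, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations are assumptions made for illustration; it shows that unsalted SHA1 gives identical digests for identical passwords, while a per-account salt does not.

```python
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def store_unsalted_sha1(password: str) -> str:
    """Weak scheme described in the post: one bare SHA-1 digest per account."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def check_unsalted_sha1(password: str, stored_hex: str) -> bool:
    """Login check from the post: hash the submitted password, compare digests."""
    return hmac.compare_digest(store_unsalted_sha1(password), stored_hex)


def store_salted_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Hardened scheme: random per-account salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_salted_pbkdf2(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def duplicate_digest_groups(stored: dict) -> int:
    """Count digests shared by more than one account in a credential table."""
    return sum(1 for n in Counter(stored.values()).values() if n > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two users picked the same password.
    users = {"alice": "Tr0ub4dor&3", "bob": "Tr0ub4dor&3", "carol": "correct horse"}
    weak = {u: store_unsalted_sha1(p) for u, p in users.items()}
    strong = {u: store_salted_pbkdf2(p)["digest"] for u, p in users.items()}
    print("shared digests, unsalted SHA-1:", duplicate_digest_groups(weak))
    print("shared digests, salted PBKDF2: ", duplicate_digest_groups(strong))
```

With the unsalted scheme, every account that shares a password shares a digest, so recovering one recovers them all and a single precomputed dictionary applies to the whole table; the salt and iteration count remove both properties.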

Decrypted Linkedin SHA1.pdf

SHA.out.xls (Decrypted Linkedin passwords in Excel)

Original Linkedin SHA1 Hash Leak

Original eHarmony SHA1 Hash Leak
