Hacker Claims He Stole 4.5M LinkedIn Password Hashes

LinkedIn is investigating claims by a Russian hacker that he broke into the company’s network and stole nearly 4.5 million password hashes for user accounts, according to a Twitter message the company sent out on Wednesday.

The hacker posted a file to a Russian forum that contains LinkedIn password hashes, and some LinkedIn users have tweeted that they found their hashes among them. The posted file did not contain usernames of account holders.

LinkedIn hashes account passwords with the SHA-1 algorithm. The algorithm turns a password into a fixed-size digest, usually written as a hex string, which can look like this: abf26a4849e5d97882fcdce5757ae6028281192. But since many people use easy-to-guess passwords, such as “password” or “1234” or common words found in the dictionary, anyone who knows which algorithm was used can hash a list of likely passwords and compare the results with the stolen hashes, which makes such passwords trivial to crack.

PC World is reporting that more than 200,000 of the passwords have been cracked already.

Per Thorsheim, a security adviser based in Norway, told the publication that he and at least 12 other people in the security community have found hashes of their LinkedIn passwords in the file.

There are ways to make password hashes more difficult to crack, such as mixing random data, known as a salt, into each password before it is hashed, so that two accounts with the same password do not end up with the same hash and a precomputed table of hashes cannot be reused across accounts. But security experts are reporting that LinkedIn appears not to have done this.
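The following added example (not code from the article or from LinkedIn) shows why the unsalted scheme described above is weak and what a per-account salt changes. It audits a constructed set of stored hashes against a tiny, made-up list of common passwords and counts how many SHA-1 computations the audit needs; the function and list names are my own.

```python
import hashlib
import os

# Constructed stand-in for a dictionary of common passwords; the lists used
# against real dumps are far larger.
COMMON_PASSWORDS = ["password", "1234", "linkedin", "qwerty", "letmein"]


def sha1_hex(password: str, salt: bytes = b"") -> str:
    """SHA-1 of salt || password as 40 hex chars; an empty salt is the unsalted scheme."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def store(password: str, salted: bool) -> tuple[bytes, str]:
    """What a server keeps for one account: (salt, hash). Salt is empty if unsalted."""
    salt = os.urandom(16) if salted else b""
    return salt, sha1_hex(password, salt)


def audit(records: list[tuple[bytes, str]]) -> tuple[dict[str, str], int]:
    """Check stored (salt, hash) records against COMMON_PASSWORDS.

    Returns {hash: matched_password} and the number of SHA-1 computations.
    A lookup table is built once per distinct salt: with no salt, one table of
    len(COMMON_PASSWORDS) hashes covers every account; with a random salt per
    account the table has to be rebuilt for each record.
    """
    tables: dict[bytes, dict[str, str]] = {}
    found: dict[str, str] = {}
    work = 0
    for salt, h in records:
        if salt not in tables:
            tables[salt] = {sha1_hex(p, salt): p for p in COMMON_PASSWORDS}
            work += len(COMMON_PASSWORDS)
        if h in tables[salt]:
            found[h] = tables[salt][h]
    return found, work


def demo(salted: bool, n_accounts: int = 1000) -> tuple[int, int, int]:
    """n_accounts users all chose 'password'; return (accounts matched, work, distinct hashes)."""
    records = [store("password", salted) for _ in range(n_accounts)]
    found, work = audit(records)
    matched = sum(h in found for _, h in records)
    return matched, work, len({h for _, h in records})


if __name__ == "__main__":
    print("unsalted:", demo(salted=False))  # every account shares one hash; 5 hashes of work
    print("salted:  ", demo(salted=True))   # same weak password still found, 1000x the work
```

The salt removes the one-table-fits-all shortcut and hides which accounts share a password, but it does not rescue a password that is itself on the list; that is why current practice pairs a salt with a deliberately slow password hash such as bcrypt or PBKDF2.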

Photo: Ferran Rodenas/Flickr