

LeakedIn - ams1
http://leakedin.org/

======
pbreit
Now there's a great idea! Provide your password to some random site purporting
to check if your password's been compromised.

~~~
jerf
<http://www.inutile.ens.fr/estatis/password-security-checker/>

(BTW, be sure to type some gibberish into the provided box and hit submit, so
you can see why I think this is a very relevant link.)

~~~
mcphilip
The Terms and Conditions are hilarious:

c. You agree to pay $ 100,000 for your use of the Estatis Free Password
Security Checker if we ever ask for it.

~~~
petitmiam
"All States shall be entitled to lay submarine cables and pipelines on the bed
of the high seas."

oh dear.

~~~
anonymoushn
That's the Geneva convention. It's right after a chapter of Frankenstein.

~~~
Hethrir
Is that a Masonic Chapter? Did that happen before or after they started the
Alamo?

------
eddieplan9
I made something almost the same (including name!), except all check is done
in browser:

<http://crackedin.s3-website-us-east-1.amazonaws.com/>

And it's hosted on S3 so it is faster :)

~~~
raverbashing
I just wanted the list in an easily downloadable format so I can check offline

(easily downloadable == not the rapidshare of russia, something you could
wget)

But I submitted the hash of my password and it's there so...

~~~
Hethrir
I have a torrent up of the database so you can check locally,

here:
[http://www.seedpeer.me/download/linkedin_hashes/ad1e93a1aee2...](http://www.seedpeer.me/download/linkedin_hashes/ad1e93a1aee28165daab22945b29352ec7518c71)

------
hung
I quickly wrote a script to do this locally, not the most efficient, but I'm
at work ;)

<https://github.com/hungtruong/LinkedIn-Password-Checker>

~~~
obituary_latte
Thank you. Worked for me as well...

I wonder what kind of bonkers executive at LI decided it would not be a good
idea to do a sweeping wipe of all passwords on their systems...

    import secrets

    def force_pw_reset(user):
        # Overwrite the stored credential with a random value nobody knows, so the
        # leaked password stops working, then let the user pick a fresh one.
        user.pw = secrets.token_urlsafe(32)
        user.sendResetEmail()

    for user in users:
        force_pw_reset(user)


(note to LI: this isn't real code; don't use)

~~~
nickzoic
The problem isn't really your LinkedIn password ... I mean, someone could mess
up your profile, send embarrassing messages and so on, but many many people
will have used the same password for amazon, apple, paypal and other financial
things, or used the same password for an email account which can be used to
"recover" the password for one of those things.

~~~
obituary_latte
True, password re-use is a big problem.

Though, think of how much easier it would be to social-engineer a target were
you to have full access to their LI account.

------
fendrak
One suggestion: make the input box have a type of 'password'. I was only a bit
put-off by seeing my plaintext password staring me in the face!

~~~
kungfooey
Probably a good thing since it makes you think twice about submitting your
plain-text password to an unknown entity.

------
yelloblac
How about submitting the hashes over https, at the very least somebody could
be sniffing the traffic from your site and gathering the hash list for
themselves..

------
Splines
We need a "wasmylinkedinpasswordleaked.com" with <h1>yes</h1> as the content.

~~~
bevan
haha, quite funny. I made it.

~~~
isnotchicago
I don't think a Like button was in the original charter.

------
cpg
Tangentially related to some of the comments in this thread.

Amahi (my startup) started experiencing lots of spamming accounts a little
while ago. We started using blacklists and some heuristics to detect the
spammers. Then we logged the attempts.

Some interesting things emerge.

* The vast majority of them have "super123" as the password
* The vast majority use emails from China (163.com, qq.com, etc.)
* They try twice in a row if the first attempt fails
* They try regularly

The suspicion is that they then sell these accounts in bulk for later action.
We have seen them have these accounts sitting idle, with occasional logins to
check if they still work. Then later they pounce, posting spam links, etc.

The level of sophistication of all this is rather troublesome ...
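As an added illustration (not Amahi's code) of the heuristics listed above: a small scorer that flags a signup by its password and mail domain, and flags an account from its login log when it retries immediately after a failure or checks in at regular intervals. The thresholds, the domain list and the sample events are constructed assumptions.

```python
from statistics import mean

# Heuristics from the observations above: one recurring throwaway password, the
# mail domains named, an immediate retry after a failure, and logins at regular
# intervals on otherwise idle accounts. The thresholds are assumptions.
KNOWN_SPAM_PASSWORDS = {"super123"}
SUSPECT_DOMAINS = {"163.com", "qq.com"}
RETRY_WINDOW = 10     # seconds: a second attempt this soon after a failure
MIN_CHECKINS = 3      # successful logins needed before judging regularity
JITTER = 0.05         # gaps within 5% of their mean count as "regular"

def score_signup(email, password):
    """Reasons a single signup looks like a bulk-registered spam account.
    Runs at signup time, the one moment the plaintext password is available."""
    reasons = []
    if password in KNOWN_SPAM_PASSWORDS:
        reasons.append("known spam password")
    if email.rsplit("@", 1)[-1].lower() in SUSPECT_DOMAINS:
        reasons.append("suspect mail domain")
    return reasons

def score_logins(events):
    """events: (unix_ts, email, success) tuples in time order.
    Returns {email: set(reasons)} for accounts showing either behavioural tell."""
    reasons, last_fail, successes = {}, {}, {}
    for ts, email, ok in events:
        if not ok:
            last_fail[email] = ts
            continue
        if email in last_fail and ts - last_fail.pop(email) <= RETRY_WINDOW:
            reasons.setdefault(email, set()).add("retry right after failure")
        successes.setdefault(email, []).append(ts)
    for email, times in successes.items():
        if len(times) < MIN_CHECKINS:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if all(abs(g - avg) <= JITTER * avg for g in gaps):
            reasons.setdefault(email, set()).add("logins at regular intervals")
    return reasons

# Constructed sample, not Amahi's logs: one bot checking in daily, one human.
DAY = 86400
SAMPLE_EVENTS = [
    (1000, "bot@qq.com", False), (1004, "bot@qq.com", True),
    (1500, "alice@example.org", True), (4500, "alice@example.org", True),
    (1000 + DAY, "bot@qq.com", True), (1500 + DAY + 3600, "alice@example.org", True),
    (1000 + 2 * DAY, "bot@qq.com", True), (1000 + 3 * DAY, "bot@qq.com", True),
]
```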

------
sontek
I think it's safer to test yourself than randomly typing your password in on
websites =)

~~~
jeffgreco
You can provide your own hash, and a quick source check reveals that plaintext
is being converted into a hash client-side, so only hashed data is being sent
to the server.

~~~
thrill
'password' was actually in use - go figure.

~~~
ConstantineXVI
As is

    
    
        ********

~~~
Domenic_S
All I see is hunter2

------
joshuahedlund
Mine was not in the list. I had a non-dictionary password with letters and
numbers, 8 characters, and it was at least several months old.

(If we can collect enough data points of whose passwords are on it or not, how
old they are, and how complex the password was, we should be able to narrow
down a potential date range for the list and the odds that the compromised
list is full or partial.)

~~~
epo
You're confusing "not on the list" with "not in the hacker's possession".

~~~
pbhjpbhj
Don't all the hashes listed have "c3dxxxxx" at the end? To me, at a glance,
they look like a partial.

Head:

    
    
        00000fac2ec84586f9f5221a05c0e9acc3d2e670
        0000022c7caab3ac515777b611af73afc3d2ee50
        deb46f052152cfed79e3b96f51e52b82c3d2ee8e
        00000dc7cc04ea056cc8162a4cbd65aec3d2f0eb
        00000a2c4f4b579fc778e4910518a48ec3d2f111
        b3344eaec4585720ca23b338e58449e4c3d2f628
        674db9e37ace89b77401fa2bfe456144c3d2f708
    

Tail:

    
    
        00000e585039977da2b9c4f28fc418b8c3d2d599
        a0cad23ffd750e306bd7be8cc695d2e6c3d2d67b
        d338c29d3918574f256fc0be597d2ee0c3d2d891
        00000ad7316592e01ce0aab1cc4339b1c3d2de0d
        00000c682336158bfcd57edfe4fab7acc3d2de28
        00000d77a7b62838c5f721b30e6ee8ecc3d2deb9
        00000def8fc887cd8e910823e98ae509c3d2dedc

~~~
alister
No, just a bunch at the top and at the bottom. Just 1570 out of the 6 million.
(I did: grep 'c3d.....$' SHA1.txt |wc -l)

It's not clear to me how the file was sorted. Anyone have any ideas?
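An added example, not code from the thread, that runs the two questions above over the fourteen quoted lines: are they in order by the whole hash or by some suffix, how many end in `c3d` plus five characters (alister's grep), and how many carry the zeroed `00000` prefix the dump uses for entries that had already been cracked.

```python
import re

# The fourteen head and tail lines quoted in the comment above (not the full dump).
HEAD_TEXT = """
00000fac2ec84586f9f5221a05c0e9acc3d2e670
0000022c7caab3ac515777b611af73afc3d2ee50
deb46f052152cfed79e3b96f51e52b82c3d2ee8e
00000dc7cc04ea056cc8162a4cbd65aec3d2f0eb
00000a2c4f4b579fc778e4910518a48ec3d2f111
b3344eaec4585720ca23b338e58449e4c3d2f628
674db9e37ace89b77401fa2bfe456144c3d2f708
"""
TAIL_TEXT = """
00000e585039977da2b9c4f28fc418b8c3d2d599
a0cad23ffd750e306bd7be8cc695d2e6c3d2d67b
d338c29d3918574f256fc0be597d2ee0c3d2d891
00000ad7316592e01ce0aab1cc4339b1c3d2de0d
00000c682336158bfcd57edfe4fab7acc3d2de28
00000d77a7b62838c5f721b30e6ee8ecc3d2deb9
00000def8fc887cd8e910823e98ae509c3d2dedc
"""
HEX40 = re.compile(r"^[0-9a-f]{40}$")

def parse_dump(text):
    """One SHA-1 hex digest per line; skip anything that is not 40 hex digits."""
    return [ln.strip() for ln in text.splitlines() if HEX40.match(ln.strip())]

def sorted_by_suffix(hashes, n):
    """True if consecutive lines never decrease when compared on their last n hex
    digits; n=40 tests ordering by the whole hash."""
    keys = [h[-n:] for h in hashes]
    return all(a <= b for a, b in zip(keys, keys[1:]))

def count_suffix(hashes, pattern=r"c3d.....$"):
    """The same count as alister's grep: lines ending in c3d plus five characters."""
    rx = re.compile(pattern)
    return sum(1 for h in hashes if rx.search(h))

def count_cracked(hashes):
    """Entries whose first five digits were overwritten with zeros, the dump's
    marker for hashes that had already been cracked."""
    return sum(1 for h in hashes if h.startswith("00000"))

HEAD, TAIL = parse_dump(HEAD_TEXT), parse_dump(TAIL_TEXT)
```

On these lines each block is ordered by its last 8 hex digits but not by the whole hash, and head and tail together are not ordered either, so the quoted sample alone does not settle how the full file was sorted.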

------
mrlase
"Your password was leaked and cracked. Sorry, friend."

Well that's lovely. Just changed my LinkedIn password so hopefully no one had
a chance to take advantage of that. Luckily I very recently switched to a new
password scheme so my other accounts should be secure too.

------
lucb1e
Brilliant. Next time I want someone's password I'll create a page similar to
this ("check if your password was leaked!") and pretend to spam my entire
contact list while my target is really the only person receiving it.

No seriously, how in the world can we trust this website with our password?
They don't even claim to keep your password a secret. For all we know this is
a follow-up scam to extend the 6.5mil hacked hashes.

Having a very quick glance at the HTML source, it seems they hash it before
it's sent to the site to check, but it easily might have been a scam. Or turn
into one with a probability of 1 in 10, that still gets them many passwords
while remaining to be trusted.

------
elchief
Good news, the following passwords were not leaked:

    
    
      password
    
      asdfasdf (whew!)
    
      linkedinpassword
    

The following were:

    
    
      password1
    
      password$
    
      linkedin
    
      a1a1a1a1
    
      drowssap
    
      12345678

~~~
rajbot
`password` was leaked. See this comment about the format of hashes in the
dump:

<http://news.ycombinator.com/item?id=4073928>

~~~
elchief
Hm, when I first typed those in, it said not leaked, but now it is saying
leaked for all of them. Apologies.

------
ajacksified
Beat me to my more tongue-in-cheek <http://ismylinkedinpasswordleaked.com> ;)

------
Hethrir
I think the much bigger risk here is password re-use, think if some CEO used
the same password for their website/email?

Also, torrent:
[http://www.seedpeer.me/download/linkedin_hashes/ad1e93a1aee2...](http://www.seedpeer.me/download/linkedin_hashes/ad1e93a1aee28165daab22945b29352ec7518c71)

------
Splines
My autogenerated password was in the list, and not cracked.

I've changed it anyway on linkedin.

~~~
Aleran
Same for me. "Your password was leaked, but it has not (yet) been cracked.
Fingers crossed."

Damnit, LinkedIn.

------
siavosh
I wish I could down vote or delete this article. Regardless of the creator's
intentions, there are a lot of non-techie people on HN (like one of my co-
workers) who used this site to check their linkedin password. It reinforces
fatal security habits.

------
olemartinorg
Oh.. Didn't know anyone already made this - I also made a tool, but it doesn't
send your whole hash over the wire (only the last 4 chars).
<http://olemartin.org/linkedin-passwords/>

~~~
Terretta
Nice looking page for such fast work. What about letting 'advanced' users
check the SHA1 of their password, so they don't enter their password at all
but also don't have to track down the giant file?

~~~
olemartinorg
That should work already - just use the other field and click the button. :-)
There's no giant file though, I've split the giant file into ~65000 smaller
ones that are more bandwidth friendly.
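The split described here, as an added example rather than olemartin.org's code: it assumes the ~65000 files are keyed by the last four hex digits of the SHA-1 (16^4 = 65536), so the client reveals only 16 bits of its hash and compares the rest locally. The mini-dump is constructed, and the zeroed `00000` prefix marks entries that were already cracked in the real dump.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password):
    """Unsalted SHA-1 hex digest, which is what the LinkedIn dump contains."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed stand-in for the dump (not the real file). Entries the attacker had
# already cracked carry the dump's marker: first five hex digits overwritten by zeros.
SAMPLE_DUMP = [
    "00000" + sha1_hex("password1")[5:],   # cracked
    sha1_hex("ve78d9k6k"),                 # leaked but not cracked
    sha1_hex("correct-horse-battery"),     # leaked but not cracked
]

def split_into_buckets(hashes):
    """Server side: one file per 4-hex-digit suffix, 16**4 = 65536 of them."""
    buckets = defaultdict(list)
    for h in hashes:
        buckets[h[-4:]].append(h)
    return buckets

def check_password(password, fetch_bucket):
    """Client side: hash locally and send only the last four hex digits, so the
    server learns no more than which 1/65536th of the hash space you fall in.
    fetch_bucket(suffix) stands in for the HTTP request for that one file."""
    h = sha1_hex(password)
    for candidate in fetch_bucket(h[-4:]):
        # Compare everything after the first five digits, since cracked entries
        # have those zeroed out in the dump.
        if candidate[5:] == h[5:]:
            return "cracked" if candidate.startswith("00000") else "leaked"
    return "not found"

BUCKETS = split_into_buckets(SAMPLE_DUMP)

def fetch_bucket(suffix):
    """Offline substitute for downloading one of the ~65000 files."""
    return BUCKETS.get(suffix, [])
```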

------
dsl
www.wasmylinkedinpasswordstolen.com is much better.

------
fozzle
I'm really enjoying testing completely silly passwords against the leaks.

'pooppants' is a confirmed hit. "World's Largest Professional Network". I like
to imagine some suit with a cigar logging in to look for new hires with that
one.

------
david_shaw
Even if this is a completely trusted and secure site, _why_ would you not use
SSL for something like this?

Transport layer security is a serious issue, especially for people prone to
password reuse.

------
facorreia
If your hash is not on that list, it's bad news. There are indications that
the hacker published only the hashes he needed help with. The others were more
easily decoded.

------
jharding
You should add a note on the page that lets people know that checking a
password takes a minute or two.

EDIT: Actually never mind, seems like it's much faster now.

~~~
scoates
Yeah. We got hit pretty hard. It doesn't actually take a minute or two, unless
you're doing a few hundred at the same time. Fixing. (-:

~~~
mythz
Can you confirm you're not logging/recording the hashed passwords?

~~~
shiflett
We can tell you we're not, but that doesn't actually confirm anything. (We're
really not, though.)

To be safe, you should consider the SHA-1 hash of your LinkedIn password to be
public, even if it's not one of these 6.5 million.

------
JEVLON
It is helpful to have a unique password for each meaningful service you use.
That way the black-hats can't compromise your other accounts using the same
password.

------
andrewpi
My (previous) password was randomly generated, and it was on this list.
Fortunately I had already changed it when I read about the breach earlier on
Wednesday.

------
x1
huh, I have a LinkedIn account that I don't check often and my password was
on that list. Luckily it was specific to LinkedIn. I don't believe this is
just a small percentage of users. Oh and I never received an email like the
blog states ([http://blog.linkedin.com/2012/06/06/linkedin-member-password...](http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/))... odd...

------
wouterinho
I'm wondering about the legality of this. If you take an (assumed) stolen dump
of sensitive data and turn it into a webservice, could you get in trouble?

------
btb
Ahh interesting. My password was on the list(I changed it before checking).

old password: ve78d9k6k

4c1433ca9d58d7d7ba00658d209583d8edde144a

------
anon01
I think it's interesting to see what kind of passwords were in there.
"password" was of course in there, "password1" was not, "password2" was....

------
namank
Well the fun I'm having with this is checking all the trivial passwords that
people still use despite warnings.

No, mine isn't in the list.

------
will_work4tears
Somebody had the password test123. Lol. I'm going to go see what other crazy
simple passwords people have used.

------
mark-r
The link appears to be down now, either it served its nefarious purpose or
it's a victim of its own success.

------
ig1
The site should tell people to change their password anyway regardless of
whether it's in the list or not.

------
ronik
I'm amazed someone took the time to develop this without thinking of the
potential trust issues involved.

------
johnchristopher
If you leave the page opened long enough some random(?) characters fill the
input field. What for ?

------
imcotton
There is a tracking service on the results page that keeps sending out everything
you've just submitted.

------
tazzy531
Reminds me of the Seinfeld/MovieFone episode...

"Why don't you just tell me your password..."

------
dfrey
My password was leaked and cracked. It is also the same password I use on
Hacker News. :((((

------
therandomguy
If any of you had "password" as your password, it has been compromised. I
just checked.

------
alexlitov
Your password was leaked, but it has not (yet) been cracked. Fingers crossed.

------
jes5199
yipes - apparently that site sends up an unsalted sha1 of your password. If
leaked unsalted sha1s are worth being worried about, then typing your password
into this site is just as bad as the original leak

~~~
Splines
Like others have stated, you should assume your password hash was leaked
anyway. Change it first, then put in the old password into this tool for
curiosity's sake.

------
KenCochrane
You could use the service to see if your new password was already hacked..

------
lifthrasiir
Heck, isn't it supposed to use type="password" in its input element?

------
bevan
A better solution:

www.wasmylinkedinpasswordleaked.com

------
Melug
If LeakedIn saves my password, I'm leaked now.

------
ryeguy_24
Genius. LinkedIn needs more of you apparently.

------
cristianocd
please make the wordlist you're getting everyone generate for you available to
download!

thanks

------
bwei
Thanks. I was a victim.

------
twodayslate
I was compromised :(

------
exit
how can they tell what was leaked but not cracked?

~~~
ckrailo
The cracked passes have hashes starting with zeros. See the discussion here:
<http://news.ycombinator.com/item?id=4073309>

------
weakwire
"binladen" was actually used for a password at linkedin lol!

------
jheriko
this smacks of a scam...

------
STRiDEX
Someone used "georgebush"

------
lollancf37
lol

------
its_so_on
Sorry, I don't mean to be harsh, but this concept is pretty much dead on
arrival.

 _"Check if your hash is still private and secure by sending us your hash."_

Well, even if the hash _was_ secure, it isn't now!

(Unless you:

* get the whole database into the client
* ask the user to:
  * reload the URL in PRIVATE browsing mode
  * DISCONNECT from the network
  * test the results with javascript
  * close the whole browser
  * reopen the browser
  * finally, clear flash cookies (how do I even do that?)
  * Only then reconnect to the network

All to prevent you from either reading the results afterward or, as regards
instructions to disconnect from the network, somehow changing or making a
mistake in the javascript, perhaps after we or others have verified and ok'd
it.)

If the only answer to the objection against giving you the hash is that you
don't ask for the username, you might as well ask for the password plaintext.

Sorry, the concept is pretty much dead on arrival.

Still, way to ship. (or 'nice shipping.' Should be our secret handshake :).
Good luck on the next concept.

~~~
jperras
You should consider the password and hash that you test as already compromised
and in the wild, thus making this app just a simple convenience for you and
other linkedin users.

~~~
its_so_on
But... a convenience to do what?

