
Published: 5/19/2016 6:26:16 AM
Hacker sells 117 million LinkedIn account records on the dark web, for a profit of only 14,400 yuan


A hacker calling himself "Peace" is selling 117 million LinkedIn login credentials for 5 bitcoins. The data comes from an attack carried out as early as 2012.

According to reports, a hacker calling himself "Peace" is selling 117 million LinkedIn login credentials for 5 bitcoins (about $2,200, or 14,400 yuan). The hacker has put the data up for sale on The Real Deal, a popular underground marketplace, and has confirmed that it originates from the data breach LinkedIn suffered in 2012.

After the 2012 attack, about 6.5 million encrypted passwords were leaked online, but the situation now is clearly more serious than it was then.

LeakedSource: "The LinkedIn.com website was hacked in June 2012, and a copy of the data for a total of 167,370,910 accounts was obtained by LeakedSource, containing only emails and passwords. You can search the leaked LinkedIn.com database and a lot of other information on our main site. If your personal information is also in this database, please contact us and we will remove it from our copy for free."

LeakedSource also analyzed the archive and found that it contains about 167 million accounts, of which about 117 million include both an email address and an encrypted password.

According to LeakedSource, the archive was once held by a Russian hacker.

LeakedSource confirmed that the passwords were hashed with the SHA1 algorithm but were not salted.

A LeakedSource operator said in an interview that so far they have "cracked 90% of the passwords in 72 hours."
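As an added illustration (not code from the article, LinkedIn or LeakedSource), the Python below contrasts the unsalted SHA-1 storage described above with a per-user salt and a slow key-derivation function. The account list, the choice of PBKDF2 and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not taken from any real dataset).
ACCOUNTS = [
    ("alice@example.com", "sunshine1"),
    ("bob@example.com", "sunshine1"),
    ("carol@example.com", "sunshine1"),
    ("dave@example.com", "c0rrect-horse"),
]

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def unsalted_sha1(password: str) -> str:
    """Storage scheme described in the article: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def largest_duplicate_group(stored_values) -> int:
    """Size of the biggest set of accounts that share one stored value."""
    return Counter(stored_values).most_common(1)[0][1]


def compare_schemes():
    """Store the same accounts both ways and measure how many records collide."""
    weak = [unsalted_sha1(pw) for _, pw in ACCOUNTS]
    strong = [salted_record(pw) for _, pw in ACCOUNTS]
    return largest_duplicate_group(weak), largest_duplicate_group(strong), strong


if __name__ == "__main__":
    weak_dupes, strong_dupes, _ = compare_schemes()
    print(f"unsalted SHA-1: {weak_dupes} accounts share one digest")
    print(f"salted PBKDF2:  {strong_dupes} account(s) per stored value")
```

Without a salt, every account that uses the same password stores the same digest, so recovering one value exposes all of them at once; with a per-user salt each record has to be attacked separately, and the slow KDF raises the cost of every guess.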

Here are the five most frequently occurring LinkedIn login passwords in the archive:

Any further comment would be superfluous ... right? >_<|||

Of course, any user still using a password contained in the archive is at risk and should change their credentials as soon as possible.

Commenting on the incident on Tuesday, LinkedIn spokesman Hani Durzy said the company's security team had reviewed the incident but at the time was unable to confirm whether the data was legitimate. However, Durzy also admitted that the 6.5 million password hashes posted online in 2012 may have been only part of the stolen information.

"We don't know exactly how many passwords have leaked," Durzy said in a telephone interview.

Lessons learned:

For LinkedIn, today's lesson is the same as four years ago: do not store password information in an insecure manner. For LinkedIn users, if you have not changed your password in these four years, do it immediately, especially if you still use your LinkedIn account to log in to other services (and do not reuse the same password).

"A high rate of password reuse means we will find that more other accounts are affected as a result," Hunt told us.

Another lesson is that even old leaked data is sometimes still valuable, because some of the passwords in it may still be in use.








