I found this analysis from a fellow network security geek in the UK to be quite interesting:

…which lends a little weight to the theory that the file primarily contains hashes which some script kiddie could not crack with basic tools, and hence makes us wonder what he’s done with all the ones which he did crack – and how much of the LinkedIn corpus that would represent?

He’s got a point. So many tools exist to easily crack these password hashes. I just tried hashcat on them using the standard Ubuntu dictionary file and cracked 20,000 of them in seconds using just my lowly laptop. So why would the hacker pretend to need help cracking them? Why post to a hacker forum where one is certain to face ridicule?

This leads me to speculate that the hacker is either enormously clueless or (perhaps more likely) aiming to embarrass and/or blackmail LinkedIn. Was this a staged demonstration of a hacker group’s power to disrupt a high-profile site? A warning to others, like Facebook and Google?

Another amusing aside is that just yesterday I used LinkedIn to send a message to a stranger who might know an old friend of mine. I tried several times to leave my email address in LinkedIn’s contact message but finally gave up: LinkedIn’s anti-spam measures are quite clever and blocked every iterations of email address obfuscation that I tried.

It’s amusing that LinkedIn can be so good at blocking spam to its users while being so bad on keeping their accounts secure!

I did some hunting for the password hash list which reportedly includes the passwords of 6.5 million accounts. After downloading the file, I did a quick search on my password “tXrNNb706+” (which has since been changed, duh):

grep -n `echo -n tXrNNb706+ | shasum | cut -c6-40` hacked.txt

This spit out the following:

4096152:b0a6f8fba1a954de7d60bf4dbc3805d1056cf443

Boom! My hash appears on line 4,096,152. Yikes!! It’s a good thing I use unique, strong alphanumeric passwords for all of my accounts! That password was only used for LinkedIn, so I know the hash list was collected from LinkedIn.

But why is this file only 6.5 million hashes, if LinkedIn has over 161 million users? My guess is that an exploit was placed on the LinkedIn servers during a certain timeframe and during that time it collected the hashes of these 6.5 million users. My compromised LinkedIn password was last changed in December 2011, about six months ago.

The whole incident has given me reason to rethink the password problem, and the problem of authentication, to see what better methods exist for proving identity in a digital world.

Bonus link: read this detailed analysis on YCombinator (warning: heavy geek quotient).