I did some hunting for the password hash list which reportedly includes the passwords of 6.5 million accounts. After downloading the file, I did a quick search on my password “tXrNNb706+” (which has since been changed, duh):
grep -n `echo -n tXrNNb706+ | shasum | cut -c6-40` hacked.txt
This spit out the following:
4096152:b0a6f8fba1a954de7d60bf4dbc3805d1056cf443
Boom! My hash appears on line 4,096,152. Yikes!! It’s a good thing I use unique, strong alphanumeric passwords for all of my accounts! That password was only used for LinkedIn, so I know the hash list was collected from LinkedIn.
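The check above in one self-contained script, written here as an added example rather than the author's own command. The pipeline `echo -n … | shasum | cut -c6-40` computes the unsalted SHA-1 of the password and keeps characters 6 through 40 of the hex digest; searching for that tail rather than the full digest still matches entries whose first five hex characters were overwritten with zeros, as many lines in the leaked list were. The function names, the sample passwords and the four-line dump below are all constructed for the example (no real leaked data), and `find_hash_line` reports the same 1-based line number that `grep -n` would.

```python
import hashlib
from typing import Iterable, Optional


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest: the hashing scheme the leaked list used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_tail(hex_digest: str) -> str:
    """Characters 6-40 of the digest, i.e. what `cut -c6-40` keeps.

    Matching on this 35-character tail finds both intact entries and
    entries whose first five hex characters were replaced with zeros.
    """
    return hex_digest[5:40]


def find_hash_line(password: str, dump_lines: Iterable[str]) -> Optional[int]:
    """Return the 1-based number of the first dump line containing the
    tail of the password's SHA-1 (the number `grep -n` prints), or None
    if the hash is not in the dump."""
    tail = hash_tail(sha1_hex(password))
    for lineno, line in enumerate(dump_lines, start=1):
        if tail in line.strip().lower():
            return lineno
    return None


# Constructed sample dump for the example; not real leaked data.
# The third entry has its first five hex characters zeroed out, the way
# many entries in the real list appeared.
SAMPLE_PASSWORDS = ["password1", "letmein", "constructed-pw-3", "Tr0ub4dor&3"]
SAMPLE_DUMP = [
    sha1_hex(SAMPLE_PASSWORDS[0]),
    sha1_hex(SAMPLE_PASSWORDS[1]),
    "00000" + sha1_hex(SAMPLE_PASSWORDS[2])[5:],
    sha1_hex(SAMPLE_PASSWORDS[3]),
]


def check_passwords(candidates: Iterable[str],
                    dump_lines: Iterable[str] = SAMPLE_DUMP) -> dict:
    """Map each candidate password to its dump line number (or None)."""
    dump = list(dump_lines)
    return {pw: find_hash_line(pw, dump) for pw in candidates}


if __name__ == "__main__":
    results = check_passwords(SAMPLE_PASSWORDS + ["not-in-the-dump"])
    for pw, line in results.items():
        status = f"line {line}" if line else "not found"
        print(f"{pw!r}: {status}")
```

Against a real dump you would read the file line by line (`open(path)` is an iterable of lines) instead of the in-memory list, and run it only on passwords you own. A hit means the hash, not just the password, is public: an unsalted SHA-1 of a short password falls to a dictionary or brute-force run quickly, so the password has to be treated as known and replaced wherever it was reused.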
But why is this file only 6.5 million hashes, if LinkedIn has over 161 million users? My guess is that an exploit was placed on the LinkedIn servers during a certain timeframe and during that time it collected the hashes of these 6.5 million users. My compromised LinkedIn password was last changed in December 2011, about six months ago.
The whole incident has given me reason to rethink the password problem, and the problem of authentication, to see what better methods exist for proving identity in a digital world.
Bonus link: read this detailed analysis on YCombinator (warning: heavy geek quotient).