Message-ID: <a246515f-e1e3-d30c-57df-c16a42743b4c@thorsheim.net>
Date: Wed, 18 May 2016 14:16:29 +0200
From: Per Thorsheim <per@...rsheim.net>
To: passwords@...ts.openwall.com
Subject: Re: Complete Linkedin breach from 2012 up for sale

On 18.05.2016 14.05, Matt Weir wrote:
> While I have no doubt the original password list is out there with
> usernames, my gut feeling is that this isn't that list.

Hm. Well, I don't have 5 BTC, and if I had I still wouldn't make the
purchase. There's a line I won't cross over.

> Matt's Gut:
>
> 1) The LinkedIn breach was for all intents a breach of unique passwords,
> (yes there were some duplicates with the hash error). Based on past
> breaches I'd expect the full list to be slightly greater than twice as
> big. For example, there were around 14 million unique passwords in
> RockYou with a total size of 32 million. This means my guess is the full
> LinkedIn breach will be around 13 ~ 16 million passwords. This dump is
> 117 million.

Joseph Bonneau had a guesstimate that 5.8M unique passwords (from the
alleged 6.5M unique hashes) would be approx 12.5M users. See his blog
post from 2012 on that here:
https://www.lightbluetouchpaper.org/2012/06/06/on-the-alleged-linkedin-password-leak/

> 2) The dump we saw in 2012 might not account for all the unique
> passwords the attacker stole. That being said, I suspect that the public
> dump represents a vast majority of the unique hashes stolen. This is
> based on personal experience, (most people I've talked to had their
> passwords in that breach), and how the list became public in the first
> place. Aka the hackers contracted with a 3rd party to crack the hashes
> who then posted them on InsidePro for other people to crack them. The
> plaintext passwords don't appear to be a set that was broken up with
> individual chunks given to multiple people to crack.

The 2012 leak was only unique SHA-1 hashes. Now there are emails and
names as well, according to both Troy & Motherboard. If not the full
leak, then at least additional info from the 6.5M chunk released in 2012.

> Now I certainly could be wrong. I trust Troy Hunt and he verified some
> of the e-mail + password combos in the 1 million sample given to
> motherboard. My guess there though is that some subset of those e-mail +
> passwords were stolen some other way, (perhaps phishing).

Well, it's been almost 4 years. From a hacker's perspective I would say
the data are of less interest, but for our research interests I say very
interesting. :-)

> Long story short, the full list is absolutely out there. I expect this
> list is mostly fake or a combination of old dumps and the "hacker" is
> just trying to make a name for themselves and some money. If the full
> LinkedIn list is in fact what's being sold, it was likely combined with
> other lists to make it look bigger.

Well, until somebody spends the 5 BTC or the data gets public we won't
really know. Unless those with the data at hand do more to prove their
authenticity. Time will show.

.per