Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 19 May 2016 10:20:00 -0400
From: Matt Weir <>
To: "" <>
Subject: Re: Complete Linkedin breach from 2012 up for sale

I stand corrected. With LinkedIn confirming this dataset it looks legit.
Now I'm really interested in the story behind the original breach!


On Wednesday, May 18, 2016, Matt Weir <> wrote:

> >>  From a hackers perspective I would say
> >. the data are of less interest, but for our research interests I say very
> >> interesting. :-)
> I agree with you 100%. Having duplicate passwords is huge when it comes to
> password research. That's one of the primary reasons people still use the
> RockYou list.
> My only point was that I'm skeptical about this particular hacker's claims
> :)
> Matt
> On Wed, May 18, 2016 at 8:16 AM, Per Thorsheim <
> <javascript:_e(%7B%7D,'cvml','');>> wrote:
>> Den 18.05.2016 14.05, skrev Matt Weir:
>> > While I have no doubt the original password list is out there with
>> > usernames, my gut feeling is that this isn't that list.
>> Hm. Well, I don't have 5 BTC, and if I had I still wouldn't make the
>> purchase. There's a line I won't cross over.
>> > Matt's Gut:
>> >
>> > 1) The LinkedIn breach was for all intents a breach of unique passwords,
>> > (yes there were some duplicates with the hash error). Based on past
>> > breaches I'd expect the full list to be slightly greater than twice as
>> > big. For example, there were around 14 million unique passwords in
>> > RockYou with a total size of 32 million. This means my guess is the full
>> > LinkedIn breach will be around 13 ~ 16 million passwords. This dump is
>> > 117 million.
>> Joseph Bonneau had a guesstimate of 5.8M unique passwords (from the
>> alleged 6.5M unique hashes) would be approx 12.5M users. See his blog
>> post from 2012 on that here:
>> > 2) The dump we saw in 2012 might not account for all the unique
>> > passwords the attacker stole. That being said, I suspect that the public
>> > dump represents a vast majority of the unique hashes stolen. This is
>> > based on personal experience, (most people I've talked to had their
>> > passwords in that breach), and how the list became public in the first
>> > place. Aka the hackers contracted with a 3rd party to crack the hashes
>> > who then posted them on InsidePro for other people to crack them. The
>> > plaintext passwords don't appear to be a set that was broken up with
>> > individual chunks given to multiple people to crack.
>> The 2012 leak was only unique SHA-1 hashes. Now there are emails and
>> names as well, according to both Troy & Motherboard. If not the full
>> leak, then at least additional info from the 6.5M chunk released in 2012.
>> > Now I certainly could be wrong. I trust Troy Hunt and he verified some
>> > of the e-mail + password combos in the 1 million sample given to
>> > motherboard. My guess there though is that some subset of those e-mail +
>> > passwords were stolen some other way, (perhaps phishing).
>> Well, its been almost 4 years. From a hackers perspective I would say
>> the data are of less interest, but for our research interests I say very
>> interesting. :-)
>> > Long story short, the full list is absolutely out there. I expect this
>> > list is mostly fake or a combination of old dumps and the "hacker" is
>> > just trying to make a name for themselves and some money. If the full
>> > LinkedIn list is in fact what's being sold, it was likely combined with
>> > other lists to make it look bigger.
>> Well, until somebody spends the 5 BTC or the data gets public we won't
>> really know. Unless those with the data at hand does more to prove their
>> authenticity. Time will show.
>> .per

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.