5

I know some super basic stuff about website security (e.g. using HTTPS, escaping user input), but hearing about high profile sites getting compromised makes me wonder in what way they were broken into, and what I could do to prevent such attacks on my own websites. A few searches on Google didn't turn up anything on how exactly the attacker managed to grab 6.5 million password hashes from LinkedIn, so I wanted to see if anyone here had an idea of what happened that day?

sudhacker
  • 4,300
  • 5
  • 23
  • 35
  • You can protect your website from SQL injection by using prepared statements (e.g. mysqli::prepare in php) for at least all queries that get user input (or derivates from user input). If you're not yet using it, check it out, it has more interesting advantages. –  Sep 26 '12 at 14:38

2 Answers2

9

It was almost certainly SQL Injection. This is really the best tool when it comes to a hacker reading information out of the database. Its easy to say "oah we sanitize user input", but it only takes missing quote marks on one variable, or forgetting a single call an escape routine to leak 6.5 million password hashes. Parameterized queries (when used properly) effectively stops these common mistakes.

That being said not every password leak is SQL Injection. The recent IEEE leak was due to an HTTP log file on their FTP server. Insecure logging or not being careful with a database backup can also lead a huge leak such as this. As a pentester I see these mistakes all the time.

rook
  • 47,004
  • 10
  • 94
  • 182
9

It was SQL injection, but there are no detailed reports out there. I remember reading something about a LinkedIn Facebook plugin of some sorts which was the entry point. But that was just the breach. If you are looking to learn why the passwords were compromised, it was because of the way LinkedIn stored the passwords. They stored it as an unsalted SHA1 hash, which meant attackers could easily figure out the passwords with rainbow tables.

sudhacker
  • 4,300
  • 5
  • 23
  • 35
  • Related: [How to securely hash passwords?](http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords?lq=1) – Brendan Long Sep 26 '12 at 15:20