
LeakedIn.org - check if your password was leaked


Chris Shiflett and friends have got the password hash dump and have set up a site where you can see if you're in there, and if your password had been cracked at the time the dump was produced: http://leakedin.org/

Chris is well-known in the web development community (he's published a couple of books on web site security too) so his site can be trusted, but if you don't want to take his word for it, the site allows you to enter the SHA1 hash of your password instead. If you enter your actual password they SHA1 hash it anyway with JavaScript before sending it (I've checked and this does happen; if you use NoScript or similar remember to enable JS on the site first), so either way you won't be disclosing your password to them.

Mine is in there.

#2
I needed some new passwords anyway.
While you're waiting, read the free novel we sent you. It's a Spanish story about a guy named 'Manual.'

#3
Originally posted by doodab:
    I needed some new passwords anyway.

I need several now. Mine hasn't - well, hadn't - yet been cracked, but it can't be trusted anymore now the hash is out there and associated with an email address at my domain, even though I use a separate email address for LinkedIn.

At least it wasn't the password I use for important stuff like banking, GMail, and CUK.

#4
I'm glad I don't use LinkedIn: I had a feeling that no good would come of massive amounts of people handing over details of who they'd worked with to a faceless organisation that appeared to have a propensity for technical incompetence and spamming even before you joined it. It's just the world's biggest chain letter, and even if you were to attempt to use it to find contracts or permie jobs, I suspect the amount of spam you'd get from people you're not interested in working for/with would far outweigh any meaningful unsolicited approaches.

#5
Don't know how long this will survive, but at the moment you can get the file and check for yourself at http://www.mediafire.com/?n307hutksjstow3

N.B. if the hash has been cracked, the first 5 characters of the hash will have been replaced with zeroes.

#6
Originally posted by NickFitz:
    I need several now. Mine hasn't - well, hadn't - yet been cracked, but it can't be trusted anymore now the hash is out there and associated with an email address at my domain, even though I use a separate email address for LinkedIn.

    At least it wasn't the password I use for important stuff like banking, GMail, and CUK.

Getting a bit confused here.
Are you saying that if they know your LinkedIn password, that they can crack passwords that are associated with other e-mail addresses associated with the same domain?

Being a thick mainframe muppet here, but what are the actual risks to accounts associated with other passwords as a result of the LinkedIn passwords getting out?

#7
According to that password hash testing application, the word "password" was not cracked as a password. I'm going to go right ahead and say that it's possible not all of the passwords that were actually cracked are on the list.

#8
Originally posted by Gentile:
    According to that password hash testing application, the word "password" was not cracked as a password. I'm going to go right ahead and say that it's possible not all of the passwords that were actually cracked are on the list.

Correct that this almost certainly isn't the whole of the leak, which is why you should change your LinkedIn password anyway, and also change it anywhere you've used the same password.

It shows me that "password" has been cracked. Also "p4ssw0rd" and some other variants. I've also verified these against my own download of the hash file.

More to the point, it shows "linkedin", "LinkedIn", "L1nk3d1n" and similar variants, making it very likely that this is indeed a LinkedIn leak - unless the whole thing is a hoax, of course.

Oh, and "LinkedOut", which somebody no doubt thought was very cunning.
Last edited by NickFitz; 7 June 2012, 00:14.

#9
Originally posted by alluvial:
    Getting a bit confused here.
    Are you saying that if they know your LinkedIn password, that they can crack passwords that are associated with other e-mail addresses associated with the same domain?

    Being a thick mainframe muppet here, but what are the actual risks to accounts associated with other passwords as a result of the LinkedIn passwords getting out?

It's just that I have a medium-level password used for a few different not-very-important places, and also have in the past used site-specific emails at my own domain when I suspect I'll want to easily filter stuff or track down spam, such as [email protected], or [email protected].

It's entirely possible that a hacker with access to cracked passwords and associated email addresses could filter out the ones that aren't at well-known sites like Hotmail or Yahoo, look up domains and identify those that appear to be held by individuals rather than corporations, and cross-reference with other email addresses from other cracked sites. These days, if you're using a botnet to brute-force a few million accounts against a bunch of cracked passwords, it's a trivial matter to include a couple more million possibilities made by recombining parts of email addresses.

Also, LinkedIn had an alternate email address on record for me so, if their whole account database has been hacked (which is most likely), that email might be valid together with the cracked password (if it ever is cracked) at other sites.

Overall it's annoying but none of the things I used that password for are so important that it matters if they get broken into. LinkedIn wasn't important enough for me to use a seriously tough password, unlike banks and such. Anyway, at the time the file was created, mine still hadn't been broken, unlike 3,521,180 out of the 6,143,150 in there.

#10
Looks like mine hasn't been leaked. LinkedIn was on the "generic" list which just got the same password as it wasn't important.

These days salting really should be made mandatory.
