LinkedIn Breach Limited to just Passwords?

Yesterday news reports of a LinkedIn data breach started to circulate the Internet. Given the press coverage this morning on national television, this certainly is not breaking news anymore. To clarify, the dump (currently available here - http://www.mediafire.com/?n307hutksjstow3 - amongst other places), only contains password hashes. This does not change the impact of the breach, just the exposure. It is almost certain that the attacker obtained full email addresses and other sensitive information from the site.

Something not widely reported this morning is what this other sensitive information may contain. Cyberis employees, as other security professionals, are frequent users of LinkedIn. Various premium services are offered to individuals, such as the ability to view full profiles, see who has viewed your profile, and use the InMail service. To take advantage of such services, individuals must supply credit card information, and of course billing addresses. In other words, this breach may not be limited to sensitive personal data as defined by the Data Protection Act (an Act of Parliament which states a company must protect your personal data). With raw database access, which we must assume given the data leaked, there is also a real possibility of the personal information of credit card holders being compromised. 

Of course, this would not necessarily be limited to individuals. Companies widely use LinkedIn for targeted advertising, investing significant money into ad campaigns. These are recurring sales, again with full card holder data being required to launch a campaign (even if using a free coupon on the site). I would not be surprised if a significant percentage of the userbase entered their details to take advantage of these free ad coupons.

It will be interesting to see how LinkedIn handle this breach. Statements are already popping up stating that affected accounts have been notified, and passwords forcibly reset. Unless this is referring to the known cracked passwords, these statements are inaccurate. My personal password was in the dump, though has not been cracked (and is unlikely to be - though LinkedIn would not be able make this judgement call). I have had no correspondence from LinkedIn, and my account is still active. For information, I believe the age of my password is less than 6 months old - suggesting this breach is fairly recent.

So far we’ve seen no reports on the cause of the breach. Direct server compromise? Insider? SQL injection? Who knows, but what we can say for sure, with this level of database access, it is not just a SHA1 hash you should be concerned about. Think about what else may be stored against your account.

Addendum
If you don’t trust the various sites that have popped up to inform you if your password has been breached - try it yourself on a Linux box. Grab the dump, and run the following command:
 

echo -n 'password' | sha1sum | cut -f 1 -d ' ' | tail -c 20 | xargs -i grep {} SHA1.txt


If it starts with a bunch of zeros, your password is compromised. If it returns your hash without zeros, it’s yet to be cracked.