Following the recent LinkedIn breach, the company has stated that its current production database contains salted passwords. Obviously this was not the case at the time of the breach (SHA1, unsalted), so a salt value must have been added to improve security. But how can you add a salt to a password hash if you don't know the password?
Firstly, let's consider the difference between a salted and unsalted password hash:
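As an added illustration (written for this page, not Cyberis's code and not a description of what LinkedIn actually did), the following Python shows the two points at once: why an unsalted hash lets identical passwords collide, and the standard way to salt an existing hash without the password, which is to treat the old digest as the secret and wrap it with a fresh random salt and a key-derivation function. It assumes a legacy store of hex SHA-1 digests keyed by username; `hunter2` and the usernames are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; assumed value for the example


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1 hex digest, the scheme described for the pre-breach store."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def wrap_legacy(legacy_sha1_hex: str, salt: bytes = None):
    """Salt an existing hash without knowing the password.

    The old digest is fed to PBKDF2 as if it were the password, with a
    per-user random salt. Anyone who can compute legacy_hash(password) at
    login can recompute this, so no password reset is needed.
    """
    if salt is None:
        salt = os.urandom(16)
    wrapped = hashlib.pbkdf2_hmac(
        "sha256", legacy_sha1_hex.encode("ascii"), salt, ITERATIONS
    ).hex()
    return salt, wrapped


def verify(password: str, salt: bytes, wrapped: str) -> bool:
    """Login check: legacy digest first, then the salted wrapper."""
    _, candidate = wrap_legacy(legacy_hash(password), salt)
    return hmac.compare_digest(candidate, wrapped)


def migrate_store(legacy_store: dict) -> dict:
    """One-off migration: every row gets its own salt and wrapped hash."""
    return {user: wrap_legacy(digest) for user, digest in legacy_store.items()}


if __name__ == "__main__":
    # Constructed sample data: two users who happen to share a password.
    legacy = {"alice": legacy_hash("hunter2"), "bob": legacy_hash("hunter2")}
    print("unsalted digests equal:", legacy["alice"] == legacy["bob"])
    store = migrate_store(legacy)
    print("salted digests equal:", store["alice"][1] == store["bob"][1])
    print("alice login ok:", verify("hunter2", *store["alice"]))
```

The wrapped value still rests on SHA-1 of the password underneath, so a later step at each successful login is to replace the wrapper with a direct KDF of the password.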
Initially you might think this issue is limited to the exposure of LinkedIn users' personal information, unauthorised access to the LinkedIn website and potentially to other sites. Cyberis would urge employers and security professionals to consider the potential impacts of the LinkedIn breach on their own organisation.
Yesterday news reports of a LinkedIn data breach started to circulate on the Internet. Given the press coverage this morning on national television, this certainly is not breaking news anymore. To clarify, the dump (currently available here - http://www.mediafire.com/?n307hutksjstow3 - amongst other places) only contains password hashes. This does not change the impact of the breach, just the exposure. It is almost certain that the attacker obtained full email addresses and other sensitive information from the site.