How to determine if your LinkedIn password has been compromised

As reports have swirled throughout the day that approximately 6.5 million LinkedIn passwords have been leaked, security experts have been trying to figure out what happened, as well as checking to see if their own passwords have been compromised.

RELATED: LinkedIn confirms breach, urges members to change compromised passwords 

LinkedIn says it will e-mail affected users and invalidate the compromised passwords. But security experts say there are ways to check for yourself whether your password was on the list. The process involves downloading the dataset of leaked passwords, converting your password into the hashed format in which the passwords are displayed, and searching for that hash in the dataset.

All of the leaked passwords are hashed with SHA-1 (often loosely described as encryption), which turns the password into a 40-character hexadecimal hash. To find the hash that corresponds to your password, there are a variety of free SHA-1 conversion tools, including websites such as; and this free online hash converter.

Some experts warn against using such online conversion tools, however. Dave Pack, a director at LogRhythm, a log management and IT security firm, says some of the online conversion websites keep logs of the hashes they have calculated, so he warns against using such tools if your LinkedIn password is also used as a credential for other websites.

Another way to create the hash without a conversion tool is a command-line script that computes the hash locally and searches for it directly in the data dump. Those command-line scripts are specific to individual operating systems.

For users of an online conversion tool, the next step is to download the set of hashed passwords. The dataset can be accessed from a variety of sites. One that continues to host the dataset is here at MediaFire. Once the file is downloaded, simply search within the text file for your password in its SHA-1 hashed format.

If the hashed password is not found, it may be listed in another form within the database. The hackers seem to have replaced the first five characters of a portion of the hashed passwords with five zeros. Pack believes those mark hashes that have already been cracked back into their original password form. To check for that form, replace the first five characters of your hashed password with five zeros and search the document again.
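The local check described above (hash the password yourself, then look for both the full SHA-1 and the "00000"-prefixed form) as an added Python example; this is not code from the article or from any tool it links, and the sample dump it builds is constructed here rather than taken from the leak. It assumes the dump is plain text with one lowercase hex hash per line.

```python
import hashlib
import sys
from getpass import getpass
from typing import Iterable, Optional


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password as lowercase hex, the form the dump uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def masked_form(digest: str) -> str:
    """The variant seen in the dump: first five hex characters replaced by zeros."""
    return "00000" + digest[5:]


def check_password(password: str, dump_lines: Iterable[str]) -> Optional[str]:
    """Return 'exact', 'masked' (already cracked by the leakers), or None."""
    digest = sha1_hex(password)
    masked = masked_form(digest)
    for line in dump_lines:
        token = line.strip().lower()
        if token == digest:
            return "exact"
        if token == masked:
            return "masked"
    return None


def build_sample_dump() -> str:
    """Constructed stand-in for the leaked file; none of these are real leaked hashes."""
    uncracked = [sha1_hex(p) for p in ("correct horse battery", "Tr0ub4dor&3")]
    cracked = [masked_form(sha1_hex(p)) for p in ("password", "qwerty123")]
    return "\n".join(uncracked + cracked) + "\n"


if __name__ == "__main__":
    # Hashing locally avoids handing the password to a web converter that may log it;
    # getpass keeps it out of the terminal scrollback and shell history.
    password = getpass("Password to check (not echoed): ")
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii", errors="ignore") as dump:
            result = check_password(password, dump)
    else:
        result = check_password(password, build_sample_dump().splitlines())
    print({"exact": "in dump (uncracked form)", "masked": "in dump, already cracked",
           None: "not in this dump; still change it if you reuse it"}[result])
```

Run with the path to the downloaded dump as the only argument; with no argument it runs against the constructed sample.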

Pack also warns that even if your password does not appear on the list, you should still assume that it could be compromised. Many times, he says, hackers will release only a portion of the compromised data to prove that they have it. That means passwords of other LinkedIn users could be compromised even if they do not appear in the dataset.

Whether or not your password is on the list, Pack recommends changing your LinkedIn password to a strong one that combines numbers with upper- and lowercase letters. He recommends against using common dictionary words as a password.

As of now, there is no evidence that there is any link between the hashed passwords and which users those passwords belong to, but Pack says that too should not be taken for granted. It’s possible that whoever released the data could have access to user information linked to those passwords.

Gene McCully, president of StackFrame, a computer software and security firm in Florida, searched and found his unique password in the database. He’s surprised LinkedIn did not modify the passwords using a technique called “salting” to further protect the passwords. “If it had been salted, it would have made it a less dangerous leak,” he says. Salting is the process of adding user-specific data to hashed passwords, making it harder to convert the hashes into the actual password.
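To make the salting point concrete, an added example (not LinkedIn's code, nor code from the people quoted): two users who chose the same password get the same unsalted SHA-1, so cracking one hash exposes both, whereas a per-user random salt makes their stored hashes differ. The iterated PBKDF2 step goes beyond what the article describes and is an assumed, additional hardening measure.

```python
import hashlib
import hmac
import os

# Constructed demo accounts; both users chose the same password.
USERS = {"alice": "hunter2", "bob": "hunter2"}
ITERATIONS = 100_000  # assumed work factor, not a value from the article


def unsalted_sha1(password: str) -> str:
    """What the leaked dump contained: SHA-1 of the bare password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt plus iterated hashing (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store(password: str) -> tuple:
    """Create the record to keep for a user: (random salt, salted hash)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the stored salted hash."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def unsalted_digests_collide(users: dict) -> bool:
    """True when every user with the same password shares one identical hash."""
    return len({unsalted_sha1(p) for p in users.values()}) == 1


def salted_digests_distinct(users: dict) -> bool:
    """True when salting gives each user a different stored hash."""
    records = {name: store(pw) for name, pw in users.items()}
    return len({h for _, h in records.values()}) == len(records)
```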

“That’s one of the most shocking things of this whole situation is that there are unsalted passwords,” says Pack. “It says a lot about the overall security of the site.” Without salted passwords, hackers can perform fairly simple SQL-injection attacks, which use web applications to gain insight into a database. In the company’s blog post confirming the breach on Tuesday, LinkedIn officials say they have “just recently” added salting and hashing to the company’s current password databases.

Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at and found on Twitter at @BButlerNWW.
