June 07, 2012, 12:19 PM — How much bad news does it take to get spokespeople for social networks to admit anything has a negative impact?
The same hacker (apparently) who posted 6.5 million LinkedIn logins earlier this week has followed up by posting 1.5 million passwords from EHarmony, most of which have been cracked, according to Ars Technica.
The LinkedIn logins were posted still hashed (encrypted) using the SHA-1 algorithm, but without "salt," the additional characters that make passwords more secure by making it harder for crackers to guess how many letters a password contains.
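To make the storage difference concrete, here is an added example (not from the article or from LinkedIn) contrasting bare SHA-1 storage with per-user salted, iterated hashing. The user names, passwords and wordlist are constructed sample data; the salted scheme uses PBKDF2-HMAC-SHA256 from the Python standard library as one reasonable replacement, not a claim about what LinkedIn deployed.

```python
import hashlib
import hmac
import os

# Constructed sample: three users, two of whom chose the same weak password.
USERS = {"alice": "linkedin", "bob": "password1", "carol": "linkedin"}

# Constructed stand-in for the dictionaries used to check leaked hashes.
WORDLIST = ["123456", "password1", "linkedin", "letmein"]


def unsalted_sha1(password):
    """Store a bare SHA-1 digest: same password -> same digest for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_unsalted(stored, wordlist):
    """Match unsalted hashes against ONE precomputed table.
    Because there is no salt, the table is built once and applies to every
    account at once, which is why unsalted dumps are recovered so quickly."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    Stored as salt_hex$iterations$digest_hex so verification can recover
    the parameters without a separate column."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)


def demo():
    """Return the observations a defender should take from the two schemes."""
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["carol"],  # True
        "salted_identical": salted["alice"] == salted["carol"],        # False
        "recovered": lookup_unsalted(unsalted, WORDLIST),  # all three accounts
        "verify_ok": verify_salted("linkedin", salted["alice"]),
        "verify_bad": verify_salted("wrong", salted["alice"]),
    }
```

Run `demo()`: with bare SHA-1 the two users sharing a password are visibly linked and every account in the sample falls to a single table, while the salted records differ per user and can only be checked one at a time through the verify function.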
The latest batch brings the total number of swiped social-network passwords to 8 million for the week, all posted by someone with the username dwdm, who likely has far more passwords on file than were posted.
EHarmony officials have so far refused to comment.
The original 6.5 million LinkedIn passwords and most of the more recent batch appear to be those that are more difficult to crack, according to Rick Redman, security consultant with KoreLogic Security.
That makes it more likely dwdm really was asking for help by adding the message "Please help to uncrack [these] hashes," at the top of a June 3 post with 1.5 million hashes, according to Ars Technica.
LinkedIn has finally admitted many of the passwords belong to its customers' accounts, but continues to minimize both the impact on customers and its own culpability in losing login data for what could be far more than 6.5 million of its 160 million members.
The LinkedIn blog post promises to email customers whose accounts were cracked to help them fix up that security themselves.
It also offers this ludicrous effort to praise itself for installing a shiny new secure lock on the door of a barn whose horses were stolen long ago and are now finding their way back disguised as dog food and glue:
"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," Vicente Silveira wrote on the LinkedIn blog on June 6, 2012.