Incident: LinkedIn Password Breach: Lack of Salting in Hashed Passwords

Published Date: 2012-06-06

Postmortem Analysis
Timeline
1. The software failure incident involving the leaking of passwords from LinkedIn, eHarmony, and Last.fm occurred in June 2012 as reported in Article 12864 [12864].
2. The incident of hackers stealing passwords from LinkedIn and eHarmony, leading to a class-action lawsuit, happened in June 2012 as reported in Article 12607 [12607].
3. The incident where Russian hackers released a list of passwords from LinkedIn, which were protected by a weak security scheme, took place in June 2012 as reported in Article 12690 [12690].
System
1. Password hashing without a salting mechanism failed in the software failure incident reported in [12864].
2. Inadequate cryptography practices, specifically the lack of salting of passwords, led to the failure in the software incident reported in [12864].
3. A weak security scheme using an SHA-1 hash without additional precautions failed in the software incident reported in [12690].
Responsible Organization 1. Hackers who stole the passwords from LinkedIn, eHarmony, and Last.fm [12864, 12607, 12690]
Impacted Organization
1. LinkedIn [12864, 12607, 12690]
2. eHarmony [12864, 12690]
Software Causes
1. Lack of salting of passwords: The software failure incident was caused by the affected companies, such as LinkedIn, not salting the passwords before hashing them, making it easier for hackers to crack the passwords [12864, 12607, 12690].
2. Use of weak password hashing: The use of weak password-storage methods, such as the SHA-1 hashing algorithm without salting, by companies like LinkedIn contributed to the vulnerability of the passwords [12864, 12690].
Non-software Causes
1. Lack of salting of passwords: The failure incident was caused by the lack of salting of passwords by companies like LinkedIn, Last.fm, and eHarmony, which would have added an extra layer of security to the hashed passwords [12864, 12607, 12690].
2. Inadequate network fortification: Security experts mentioned that the companies should have fortified their networks better to prevent hackers from gaining unauthorized access to their servers, indicating a lack of robust network security measures [12864].
3. Insufficient protection of user data: The incident highlighted a failure to adequately protect sensitive user data, such as passwords, which were stored without standard password-hashing precautions like salting, leading to their compromise [12607, 12690].
Impacts
1. User passwords from LinkedIn, eHarmony, and Last.fm were leaked and posted on a Russian hacker forum, leading to potential unauthorized access to user accounts [12864, 12607, 12690].
2. The leaked passwords were not adequately protected, as they were hashed without being salted, making them vulnerable to automated brute force attacks [12864, 12607, 12690].
3. A class-action lawsuit was filed against LinkedIn, seeking $5 million in damages for failing to protect members' data and violating privacy policies [12607].
4. The incident raised concerns about the security practices of companies storing customer data and highlighted the importance of implementing standard cryptographic techniques like salting passwords [12864, 12607, 12690].
5. Users were advised to change their passwords on affected sites, avoid password reuse, and use strong, unique passwords to mitigate the risk of unauthorized access to their accounts [12864].
6. The incident highlighted the potential risks of data breaches, including the exposure of sensitive information such as user names, contact details, and messages, which could be exploited for social engineering attacks or corporate espionage [12864].
7. The breach also raised questions about the security measures and transparency of popular websites like LinkedIn, emphasizing the need for stronger security standards and practices in handling user data [12864, 12690].
Preventions
1. Implementing proper cryptographic techniques such as salting in addition to hashing passwords could have prevented the software failure incident. Salting adds an extra layer of security by making each password hash unique, thus increasing the difficulty for hackers to crack passwords [12864, 12607, 12690].
2. Regularly updating security measures and staying up-to-date with industry standards could have helped prevent the incident. Using outdated forms of cryptography like SHA-1 without salting passwords poses a higher risk of password leaks [12690].
3. Strengthening network security to prevent unauthorized access to servers could have mitigated the risk of hackers gaining access to sensitive data. Improving network defenses could have potentially prevented the breach from occurring [12864].
4. Enhancing transparency and communication with users about security practices and measures could have helped build trust and potentially alerted users to the risks involved. Providing clear information on how user data is protected and what steps are taken in case of a breach could have improved user awareness and security [12690].
Fixes
1. Implementing proper cryptographic techniques such as salting passwords to enhance security ([12864], [12607], [12690]).
2. Strengthening network security to prevent unauthorized access to servers ([12864]).
3. Regularly updating security measures and protocols to address vulnerabilities and potential breaches ([12690]).
4. Enhancing transparency regarding data protection practices to build trust with users ([12690]).
References
1. InsidePro.com Russian hacker forum [12864]
2. LinkedIn [12864, 12607, 12690]
3. eHarmony [12864, 12607, 12690]
4. Security experts [12864, 12607, 12690]
5. Cryptography Research [12864]
6. Last.fm [12864]
7. CNET [12864, 12607]
8. U.S. District Court in the Northern District of California [12607]
9. ZDNet [12607]
10. AVG [12607]
11. CNNMoney [12690]
12. Sophos [12690]
13. Norwegian IT services company EVRY [12690]
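Added example (not code from the cited articles or from any of the affected companies): it contrasts the unsalted SHA-1 storage described in the causes and preventions above with per-user salted storage, and shows why the weak form is dangerous from the defender's side: every user who chose the same password gets the identical stored hash, so one cracked hash exposes all of them, and a duplicate-hash audit over the password table reveals that exposure immediately. It goes beyond the articles by also using a slow KDF (PBKDF2-HMAC-SHA256) on top of the salt, which is current practice; the account names, passwords, and iteration count are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob deliberately share a password.
ACCOUNTS = {
    "alice": "letmein2012",
    "bob": "letmein2012",
    "carol": "correct horse battery",
}

def unsalted_sha1(password: str) -> str:
    """The weak scheme from the incident: one plain SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt is the fix the articles call for; the slow KDF goes beyond them."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}

def verify_salted(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))

def duplicate_hash_groups(hashes: dict) -> dict:
    """Audit helper: group usernames that share an identical stored hash.
    With unsalted hashing, everyone who chose the same password lands in one
    group, so cracking that one hash unlocks all of their accounts."""
    groups = {}
    for user, h in hashes.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}

def compare_schemes(accounts: dict = ACCOUNTS) -> dict:
    """Store the same accounts both ways and run the duplicate audit on each."""
    unsalted = {u: unsalted_sha1(p) for u, p in accounts.items()}
    salted = {u: make_salted_record(p) for u, p in accounts.items()}
    return {
        "unsalted_duplicates": duplicate_hash_groups(unsalted),
        "salted_duplicates": duplicate_hash_groups({u: r["digest"] for u, r in salted.items()}),
        "salted_records": salted,
    }

if __name__ == "__main__":
    result = compare_schemes()
    print("Unsalted SHA-1 duplicate groups:", result["unsalted_duplicates"])
    print("Salted duplicate groups:", result["salted_duplicates"])
```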

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization
(a) The software failure incident having happened again at one_organization:
- LinkedIn experienced a software failure incident related to a password leak due to weak security measures in 2012 [12864].
- The incident involved leaked passwords that were not adequately protected with salting, making them vulnerable to being cracked [12864].
- LinkedIn confirmed that they had not salted the passwords before storing them, but they started using the technique after the incident [12607].
- The incident led to a class-action lawsuit against LinkedIn for failing to protect its members' data [12607].
(b) The software failure incident having happened again at multiple_organization:
- In addition to LinkedIn, eHarmony also confirmed that some of its users' passwords were stolen in the same attack [12690].
- Both LinkedIn and eHarmony were affected by the password leak incident involving weak security measures like not salting the passwords [12690].
- The incident involved a large list of leaked passwords that were not adequately protected, indicating a common vulnerability across multiple organizations [12690].
Phase (Design/Operation) design, operation
(a) In the reported software failure incident, the failure due to the design phase is evident. The incident involved a security breach where passwords from LinkedIn, eHarmony, and Last.fm were leaked due to inadequate cryptographic techniques used to protect the passwords. Specifically, the passwords were hashed but not salted, making them vulnerable to being cracked by hackers using automated brute force tools [12864, 12607, 12690].
(b) The failure due to the operation phase is also highlighted in the incident. The compromised passwords were a result of the operation or misuse of the system, where the passwords were not adequately protected. The lack of salting of passwords and the use of weak cryptographic techniques during the operation of the systems led to the breach and subsequent leakage of user passwords [12864, 12607, 12690].
Boundary (Internal/External) within_system, outside_system
(a) within_system: The software failure incident related to the leaked passwords on LinkedIn, eHarmony, and Last.fm was primarily due to contributing factors that originated from within the system. The passwords were not adequately protected, as they were hashed but not salted, making them vulnerable to being cracked by hackers using automated brute force tools. LinkedIn confirmed that they did not salt the passwords before storing them, which was a critical flaw in their security measures [12864, 12607, 12690].
(b) outside_system: While the exact method by which the passwords were compromised was not disclosed by the affected companies, it is suggested that the breach likely occurred due to external factors such as hackers breaking into the servers by exploiting vulnerabilities. The incident was not attributed to a successful, large-scale phishing attack but rather to a breach where someone gained unauthorized access to the servers and obtained the data [12864].
Nature (Human/Non-human) non-human_actions, human_actions
(a) The software failure incident occurring due to non-human actions:
- The software failure incident in the articles was primarily due to weak security measures implemented by the companies storing user passwords. The passwords were leaked and exposed on a Russian hacker forum, leading to potential unauthorized access to user accounts [12864, 12607, 12690].
- The passwords were not adequately protected, as they were hashed without being salted, making them vulnerable to automated brute force attacks [12864].
- LinkedIn, eHarmony, and Last.fm were among the companies affected by the leak of passwords, indicating a widespread impact of the security breach [12864, 12607, 12690].
(b) The software failure incident occurring due to human actions:
- The failure to adequately protect user passwords through salting was a result of human actions or oversight in implementing standard cryptographic techniques [12864, 12607, 12690].
- LinkedIn admitted to not salting the passwords before storing them, highlighting a human error in the implementation of security measures [12607].
- The class-action lawsuit against LinkedIn alleged that the company violated its own privacy policies and user agreements by not following industry standards, indicating potential negligence on the part of the company [12607].
Dimension (Hardware/Software) software
(a) The articles do not provide information about the software failure incident occurring due to contributing factors originating in hardware.
(b) The software failure incident reported in the articles is due to contributing factors that originate in software. Specifically, the incident involved a security breach where passwords from LinkedIn, eHarmony, and Last.fm were leaked by hackers. The passwords were not adequately protected, as they were hashed but not salted, making them vulnerable to being cracked using automated tools. LinkedIn confirmed that they did not salt the passwords before storing them, but they have since implemented salting for enhanced security [12864, 12607, 12690].
Objective (Malicious/Non-malicious) malicious
(a) The software failure incident reported in the articles is malicious in nature. Hackers were able to steal passwords from LinkedIn and eHarmony, leading to a security breach. The passwords were leaked on a Russian hacker forum, and it was discovered that the passwords were not adequately protected. LinkedIn confirmed that the passwords were hashed but not salted, making them vulnerable to being cracked by automated brute force tools [12864, 12607, 12690].
(b) The software failure incident was non-malicious in the sense that the companies affected did not intentionally introduce vulnerabilities to harm the system. However, the lack of proper security measures, such as salting the passwords, contributed to the breach. The incident highlighted the importance of implementing standard cryptographic techniques to protect user data effectively [12864, 12607, 12690].
Intent (Poor/Accidental Decisions) poor_decisions
(a) The intent of the software failure incident related to poor_decisions:
- The software failure incident related to the leaking of passwords from LinkedIn, eHarmony, and Last.fm was primarily due to poor decisions made in the implementation of password security measures. LinkedIn, for example, did not salt the passwords before hashing them, which made it easier for hackers to crack the passwords and access user accounts [12864, 12607].
- Security experts highlighted that using outdated cryptographic techniques like SHA-1 without salting passwords poses a significant risk, as it allows passwords to be cracked more easily, especially if they are common or repeated across accounts. This lack of salting was considered a poor decision in safeguarding user data [12690].
(b) The intent of the software failure incident related to accidental_decisions:
- The software failure incident was not primarily attributed to accidental decisions or unintended mistakes. Instead, it was more focused on the deliberate choices made by the companies in implementing security measures for user passwords [12864, 12607, 12690].
Capability (Incompetence/Accidental) development_incompetence, accidental
(a) The software failure incident related to development incompetence is evident in the case of the LinkedIn password leak incident. The incident occurred because LinkedIn did not salt the passwords before storing them, even though salting is a standard cryptographic technique to enhance security [12864, 12607]. The lack of salting made it easier for hackers to crack the hashed passwords, leading to the compromise of millions of user passwords. This failure to implement basic security measures like salting the passwords showcases a lack of professional competence in handling sensitive user data.
(b) The accidental software failure incident is demonstrated by the accidental exposure of passwords due to weak security measures implemented by LinkedIn. The use of the outdated SHA-1 hashing algorithm without salting the passwords made it easier for hackers to crack the passwords, leading to the breach [12690]. This accidental oversight in using outdated cryptography without additional security layers like salting contributed to the vulnerability exploited by hackers, resulting in the exposure of millions of passwords.
Duration temporary
(a) The software failure incident in the articles was temporary. The incident involved a security breach where hackers were able to steal passwords from LinkedIn and other websites [12864, 12607, 12690]. The breach was due to weak security measures such as not salting the passwords, which made it easier for the hackers to crack the hashed passwords. The incident was not a permanent failure but rather a temporary one caused by specific vulnerabilities in the security practices of the companies involved.
Behaviour other
(a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and does not perform any of its intended functions. The incident primarily revolves around a security breach where passwords were leaked due to inadequate cryptographic techniques ([12864], [12607], [12690]).
(b) omission: The failure does not involve the system omitting to perform its intended functions at an instance(s). Instead, the incident is related to the leakage of passwords due to inadequate security measures ([12864], [12607], [12690]).
(c) timing: The failure is not related to the system performing its intended functions correctly but too late or too early. The focus of the incident is on the compromised security leading to password leaks ([12864], [12607], [12690]).
(d) value: The software failure incident does not involve the system performing its intended functions incorrectly. The main issue is the inadequate protection of user passwords leading to their exposure ([12864], [12607], [12690]).
(e) byzantine: The failure is not characterized by the system behaving erroneously with inconsistent responses and interactions. The incident primarily revolves around a security breach and the leakage of passwords due to insufficient security measures ([12864], [12607], [12690]).
(f) other: The behavior of the software failure incident is related to a security breach resulting in the exposure of user passwords due to inadequate cryptographic techniques, such as not salting the passwords before hashing them. This failure highlights the importance of implementing proper security measures to protect sensitive user data ([12864], [12607], [12690]).

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence
(d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident described in the articles involved a security breach where hackers stole thousands of passwords from LinkedIn and eHarmony users. The stolen passwords were then posted on a public site, potentially exposing users' personal data and compromising their accounts. This incident led to concerns about the security of users' information and the need for companies to implement stronger password-protection techniques like salting to protect sensitive data [12864, 12607, 12690].
Domain information, finance
(a) The failed system was related to the industry of information, specifically social networking sites like LinkedIn and Last.fm. These platforms store user data, including passwords, and were targeted by hackers, resulting in a security breach [12864, 12607, 12690].
(h) The incident also has implications for the finance industry, as it involves the protection of sensitive user data, such as passwords, which can have financial implications if accounts are compromised. The lawsuit against LinkedIn highlights concerns about data protection and privacy policies [12607, 12690].
(m) The incident is also relevant to the technology industry, as it involves the security and encryption techniques used by companies to protect user data on their platforms [12864, 12607, 12690].
