
What riddles me though, is how come 6.5 million? LinkedIn has what, 150M users?

Did they not post the entire load (and are in fact sitting on _all_ the hashes?) Is the dump an old backup or breach from when they had fewer accounts? Is it just one DB partition / file that's been lost, an archive?




Given that these hashes are not salted, running a 'uniq' on the list of all users' password hashes would probably already cut it by half, if not more. Then you eliminate all the easy ones from wordlists, and post the remains on the internet for people with excess computing power to bruteforce.
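To make the point above concrete, here is a small added example (not code from the thread) that builds a constructed set of user records, hashes them once without a salt (SHA-1 is assumed here purely for illustration) and once with a per-user random salt, and then shows what "uniq" and a short wordlist lookup buy the attacker in each case. All usernames, passwords and the wordlist are made up for the demo.

```python
import hashlib
import os
from collections import Counter

# Constructed sample data for illustration only: several users share a
# weak password, which is the pattern that makes unsalted dumps collapse.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "password",
    "dave": "123456",
    "erin": "123456",
    "frank": "linkedin",
    "grace": "x9!Qm#v2Lr@7",
    "heidi": "T4$kw&0pZ!eB",
}

# Constructed mini wordlist standing in for "the easy ones from wordlists".
WORDLIST = ["password", "123456", "linkedin", "qwerty"]


def unsalted_hash(password: str) -> str:
    # Unsalted SHA-1 (assumed algorithm): identical passwords -> identical digests.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # Per-user salt stored beside the digest; a real deployment would also
    # use a slow KDF (bcrypt/scrypt/Argon2) instead of a single SHA-256.
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def unsalted_dump(users=SAMPLE_USERS) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def salted_dump(users=SAMPLE_USERS) -> dict:
    return {user: salted_hash(pw, os.urandom(16)) for user, pw in users.items()}


def count_unique(dump: dict) -> tuple:
    # The equivalent of `wc -l` versus `sort -u | wc -l` on the hash column.
    return len(dump), len(set(dump.values()))


def wordlist_coverage(dump: dict, wordlist=WORDLIST) -> tuple:
    """Return (distinct hashes matched, accounts matched) by direct lookup.

    Each word is hashed exactly once, with no per-account work, so this only
    works against unsalted hashes. Against per-user salts the same lookup
    matches nothing, because the attacker would have to rehash every word
    for every account's salt.
    """
    lookup = {unsalted_hash(word): word for word in wordlist}
    per_hash = Counter(dump.values())
    matched = {h for h in per_hash if h in lookup}
    return len(matched), sum(per_hash[h] for h in matched)


if __name__ == "__main__":
    for label, dump in (("unsalted", unsalted_dump()), ("salted", salted_dump())):
        total, distinct = count_unique(dump)
        hashes_hit, accounts_hit = wordlist_coverage(dump)
        print(f"{label:8s} rows={total} distinct={distinct} "
              f"wordlist hits={hashes_hit} hashes / {accounts_hit} accounts")
```

With the constructed data the unsalted dump shrinks from 8 rows to 5 distinct hashes, and hashing four words once already accounts for 6 of the 8 accounts; the salted dump stays at 8 distinct values and the same lookup matches nothing, which is exactly why salting (plus a slow KDF) is the mitigation.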


They are already unique and sorted.

sort -u combo_not.txt | wc -l
6458020

wc -l combo_not.txt
6458020


I assume the first line you meant to pipe it through uniq after the sort? Otherwise the only thing you've demonstrated is that sorting a file doesn't change its line count. :)


"sort -u" means "sort and uniq".


Wow, I can't believe I was never aware of this. Thank you!


My password shouldn't be easy, and wasn't in the list.


Ways I've seen this play out before:

• Someone got in to one user database, but not all of them.

• Someone got into the complete user database, but were found out during the intrusion and cut off.

• Someone found a sharded DB dump or backup.

• Someone found/stole/virus'd a dev laptop with DB dumps.

• Someone sat on the network for a while and grabbed app server -> DB traffic.

Replace "Someone" with "russians," "brazilians," or "something behind tor" for more accurate portrayals.



