Joost Volunteer moderator says

Perhaps I’m being a paranoid parrot (seeing as even Envato Notes recommends a similar checker by LastPass), but...

Haha, but really – there shouldn’t be much concern – they don’t have your email so there’s not much risk.

How do you know? Is it very likely that whoever posted those hashes also has a list of email addresses, and the owner of leakedin.org could be anyone.

If you have a strong password it’ll take a very long time to crack – I’d say very little risk even if they were storing the SHA-1 hash you submitted.

Whoever owns this site could be getting quite a nice rainbow table of people checking if their passwords were leaked, factoring out password length as a security measure ;)

Rule of thumb: never ever ever ever enter your password anywhere but in the login form of the site you’re using it for. I realise the source of LeakedIn.org looks very trustworthy and clear, with their hashIt() in the on-submit and all, but I hardly believe I’m capable of spotting every JavaScript trick he could pull to still have the cleartext password. Heck, you would have to check if he actually implemented SHA-1 correctly (which would mean you’d be hashing it yourself anyway). Also, I doubt everyone who filled in their password there actually read the source.

EDIT: Using a network sniffer one can indeed verify that LeakedIn.org only sends out hashes. Still, never enter your password anywhere but where it’s meant to go.

iLochie says

EDIT: Using a network sniffer one can indeed verify that LeakedIn.org only sends out hashes. Still, never enter your password anywhere but where it’s meant to go.

This is definitely a good rule of thumb, I suppose I shouldn’t be advertising “yeah enter your password it’ll be fine.” But the story is that the emails were retained, but the passwords were distributed in a file so people can generate brute force lists (I guess.) Chrome’s got a built-in network sniffer that’ll tell you about all incoming and outgoing traffic – specifically the XHR requests I mentioned previously are the ones called after the page loads – generally AJAX. I assumed for the most part that this wouldn’t be very dangerous, but again it’s always smart to keep your passwords to their respective domains.
R3GeneralDesigns says

And these problems will increase while people continue using mobile phones and social networking…

Joost Volunteer moderator says

And these problems will increase while people continue using mobile phones and social networking…

Mobile phones seem to have nothing to do with this leak, and other than provide a target, neither does social networking. ;) It seems to have been a server-side leak.

I do agree with you on the point that these attacks are ever increasing – more and more of our lives take place online, making it more and more an area of interest for those with criminal intent.

doru says

Hope that military virus has nothing to do with this. If someone gets his hands on that then bye internet. Also Last.fm seems to have the same problems.
