
Lynda.com database breached

Bouzoo
58 minutes ago, Bleedingyamato said:

What does salted and hashed mean?

A hash-function is basically just a way of taking something that could be arbitrarily sized and mapping it down to a fixed range. One example would be something like f(x) = x mod 10. That function takes any number you give it, and it maps it to a number between 0 and 9.

 

A cryptographic hash-function has a similar principle except it has the added stipulation that it needs to behave as if it's a one way function. The basic idea is you construct your f(x) in a way so that if I give you f(a), it is incredibly difficult to reverse that to figure out what "a" was (or even something that maps to the same f(a); see f(9) and f(19) in the original mod 10 example). Some examples of cryptographic hash functions are things like the SHA (Secure Hash Algorithm) family of functions (SHA-1, SHA-256, ...)

 

So websites, instead of storing the user's passwords, store hashes of the passwords. That way, to verify the user, they just check that when they hash the password (i.e. compute f(password)) it matches what they have on file. Now, it doesn't help to have the passwords stored as hashed values if the original password they used was rubbish; if you use the password "password", all an attacker needs to do is guess that someone might use "password", and they'll go "oh, this hashed value matches with 1000 entries from this database leak. Therefore, I know that all of these people used 'password' as their password" (or some password such that f(other_password) = f(password), but one of the key features of crypto hash functions is that this is incredibly unlikely).

 

Salting is a way to somewhat mitigate this by taking whatever the user gave as their password and appending a randomly generated value to it that gets tied to a specific user account. So, say a user gives a password "password" and the website comes up with the salt "5x23hgg". Then, they store the hashed value of the two concatenated together f(password||5x23hgg) and thus even if all 1000 of those people used "password" as their password, their hashes will be different.

 

As with anything in security, there are about 50 different rabbit holes you can go down at this point, but I think this hopefully gives an overview that's both succinct and not too off base.
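The difference between unsalted and salted storage described in the post above, as an added example that is not part of the original thread. The account names and passwords are constructed, and PBKDF2 from Python's standard library is swapped in for the post's plain f(password||salt) so that each guess is also slow to compute.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (not taken from any real breach).
ACCOUNTS = {"alice": "password", "bob": "password",
            "carol": "password", "dave": "tr0ub4dor&3"}

def unsalted(password):
    """f(password): a bare SHA-256, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password, salt, iterations=100_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def build_tables(accounts):
    """Return what each storage scheme would keep on file for these accounts."""
    plain = {user: unsalted(pw) for user, pw in accounts.items()}
    with_salt = {}
    for user, pw in accounts.items():
        salt = secrets.token_bytes(16)          # random, stored next to the hash
        with_salt[user] = (salt, salted(pw, salt))
    return plain, with_salt

def rows_matching(hashes, candidate_hash):
    """Rows of a hash column that equal one precomputed hash."""
    return sorted(user for user, h in hashes.items() if h == candidate_hash)

def verify(with_salt, user, attempt):
    """Login check: re-hash the attempt with that user's stored salt."""
    salt, stored = with_salt[user]
    return hmac.compare_digest(stored, salted(attempt, salt))

if __name__ == "__main__":
    plain, with_salt = build_tables(ACCOUNTS)
    # Unsalted: one hash of "password" identifies every account that used it.
    print(rows_matching(plain, unsalted("password")))
    # Salted: the same three passwords are stored as three unrelated values.
    print(len({h for _, h in with_salt.values()}))
    print(verify(with_salt, "alice", "password"), verify(with_salt, "alice", "Password"))
```

A weak password is still guessable under salting; the salt only forces the guess to be repeated per account instead of once for the whole table.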

I'm using Lynda for free since my university partnered with them :o

You can download any videos you needed as a .mp4 and it will be yours forever which is neat.

 

We students sign in using a custom portal provided by Lynda and the university so we never received this email. Not sure if we are still affected though.

I don't read the reply to my posts anymore so don't bother.

12 minutes ago, ApolloFury said:

We students sign in using a custom portal provided by Lynda and the university so we never received this email. Not sure if we are still affected though.

I'm gonna guess that your Uni got the mail instead of you. 

The ability to google properly is a skill of its own. 

I would change my Visa and/or PayPal Mastercard password just to play it safe.

On 12/18/2016 at 4:21 AM, huilun02 said:

Not cool now everyone will know I'm an expert at anal :(

Wow you really can learn lots of stuff on lynda.com? Do they have real instructors for that class? You know for science.

6 hours ago, mackncheesiest said:

-snip

 

In PHP, you can use password_hash, which will automatically add a salt. This is just to add visually to your post, which is perfect by the way ^_^

 

echo password_hash("password", PASSWORD_DEFAULT)."\n";
echo password_hash("password", PASSWORD_DEFAULT)."\n";

will output

$2y$10$7XBC8QUanz8jAbtedDqW6eHIB1mJo9wLTPL8AHPKfU.HrY4YwiMdC
$2y$10$dWoyqCIhrhsQvj//bKsMQ.Cig.572auZjyY6Fpvcd1ImZA1ddIj2i

And it will be different every time as the salt is randomly generated.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´
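Why the two outputs in the post above differ, as an added example that is not part of the original thread: a bcrypt string stores its variant, cost and salt in front of the digest, and this parser splits the two posted values into those fields. The function names are this example's own.

```python
import re

# bcrypt modular crypt format: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# The two outputs quoted in the post above.
POSTED = [
    "$2y$10$7XBC8QUanz8jAbtedDqW6eHIB1mJo9wLTPL8AHPKfU.HrY4YwiMdC",
    "$2y$10$dWoyqCIhrhsQvj//bKsMQ.Cig.572auZjyY6Fpvcd1ImZA1ddIj2i",
]

def parse_bcrypt(hash_string):
    """Split a bcrypt hash string into its stored fields."""
    m = BCRYPT_RE.match(hash_string)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:                 # range bcrypt accepts for the cost
        raise ValueError("bcrypt cost out of range")
    return {
        "variant": variant,
        "cost": cost,
        "rounds": 2 ** cost,                # the work factor is 2^cost
        "salt": salt,                       # stored in the clear, per hash
        "digest": digest,
    }

def compare(a, b):
    """Report which stored fields two bcrypt strings have in common."""
    pa, pb = parse_bcrypt(a), parse_bcrypt(b)
    return {
        "same_parameters": (pa["variant"], pa["cost"]) == (pb["variant"], pb["cost"]),
        "same_salt": pa["salt"] == pb["salt"],
        "same_digest": pa["digest"] == pb["digest"],
    }

if __name__ == "__main__":
    for value in POSTED:
        print(parse_bcrypt(value))
    print(compare(*POSTED))
```

Because the salt and cost travel inside the string, PHP's password_verify needs only the stored string and the candidate password to repeat the computation.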

7 hours ago, mackncheesiest said:

Snip

Thank you for the detailed explanation.  I'm not sure I understand everything in it but enough to get a better idea of what that stuff is.  

 

Btw is the bird in your profile picture the one from "Toradora!"?

 

Yeah I got my email about this as well. :( 

Quote

...that included some of your Lynda.com learning data, such as contact information....

 
Quote

...Please know that we have no evidence that this data included your password....

Translated to:  "We only lost your contact information that likely holds some level of value and is really damn difficult to change depending on what contact info it was.  But don't worry; your password that is unique to the site and can be easily changed is fine."  

 

I think they may have phrased that letter poorly.  That or they have misplaced their priorities.  

 

Edit:  Thinking about this more, it makes it sound like they're not putting the same level of protection on personal information as they are passwords.  With the amount of large data breaches happening involving personal information as well as the resulting fallout, you would think that companies would start putting more effort and resources into protecting personal information.  WHY WON'T THEY LEARN! 

 

Edit Cont.:  I know the edit may have sounded rather cynical.  However, I've had much more sensitive information than contact info lost in a big name breach a few years ago.   A few years later and I'm still seeing breach after breach in the news.  It just makes me a little angry every time I see it because it's a little bit of a sour point for me.  I also understand that security is a moving target, so I give them a little bit of sympathy in that respect, but still find a breach of personal information to be inexcusable regardless.    

Edited by Zoravar

7 hours ago, Bleedingyamato said:

Btw is the bird in your profile picture the one from "Toradora!"?

Yeah, it is haha. I chose it a few years back as something to use on various forums/online profiles and such and just kind of stuck with it.

On 12/19/2016 at 8:37 AM, TidaLWaveZ said:

Russians. Did anyone say Russians yet?

If it is not broken, let's fix till it is. 

16 hours ago, mackncheesiest said:

Yeah, it is haha. I chose it a few years back as something to use on various forums/online profiles and such and just kind of stuck with it.

I love that series.  I wish there was more of it.  