The passwords (without usernames) were leaked on a Russian forum in SHA-1 (hashed) format. After investigating the matter, LinkedIn confirmed that at least some of the passwords did correspond to LinkedIn user accounts. The company did not reveal exactly how many passwords were compromised, according to its own records.
“Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid. These members will also receive an e-mail from LinkedIn with instructions on how to reset their passwords,” said LinkedIn. “We sincerely apologise for the inconvenience this has caused our members. We take the security of our members very seriously.”
Shortly after the attack, reports also emerged of LinkedIn users receiving bogus e-mails featuring the LinkedIn logo, that actually contain malicious links that lead users into downloading malware that can be used to extract information for financial gain. Such e-mail scams have, however, been around for some time, so it remains unclear as to whether the latest e-mails are in fact connected to the password breach.
Regardless, it has not been a good week for LinkedIn, as news of the hack and subsequent phishing attacks follows security researchers finding that the LinkedIn mobile app was extracting and leaking users' calendar information to the network's servers without the users' knowledge.The hack has also exposed major vulnerabilities in the network's data security. According to reports, LinkedIn was not isolating users' credentials on separate secure machines, and did not “salt” passwords before encoding. Salting involves adding random characters to passwords before being cryptographically hashed – making it difficult to reconstruct the original password.
Senior security advisor at Sophos, Chester Wisniewski, says, after removing duplicate hashes, SophosLabs determined there were 5.8 million unique password hashes in the dump. According to the company's findings, 3.5 million of those password hashes have been “brute forced” – meaning that over 60% of the stolen hashes are now publicly known.
Wisniewski says salting is an important factor in slowing down people trying to brute force passwords. “It means that password lists cannot be pre-computed based on dictionary attacks or similar techniques. It buys time and unfortunately the hashes published from LinkedIn did not contain a salt.”
Many of the passwords Sophos found in the dump showed that people should have known better. Such passwords included “linkedin”, “linkedinpassword”, “p455w0rd” and even “sophos”, “mcafee”, “Symantec”, “kaspersky”, “Microsoft” and “f-secure”.
Following the hack, LinkedIn said it has started hashing and salting its current password databases.
Analyst for the Gartner IT1 security and risk management strategies team, Ramon Krikken, says that salting alone is not enough. “In order to create resistance against password attacks, given the possibility of weak passwords, the algorithm should use two additional barriers: so-called salts for hashing, which preclude the use of pre-computed hash tables, and iteration, which applies the cryptographic function as often as possible within performance and latency requirements in order to slow down the brute force attack.
“I should also add that, because of practical limits on how many iterations you use, a truly weak password cannot be protected by hashing. 12345 is still a definite no-no.”
Reports have also emerged that the same hacker responsible for the LinkedIn attack, has compromised 1.5 million passwords from online dating site eHarmony.
“After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected. We are continuing to investigate but would like to provide the following actions we are taking to protect our members. As a precaution, we have reset affected members' passwords,” says eHarmony.
LinkedIn users wanting to check if their password has been compromised can use a tool developed by password management firm LastPass.
“The tool asks you to enter your LinkedIn password, and then computes its SHA-1 hash and sends the result to LastPass.com to search the list of 6.5 million leaked password hashes,” says LastPass, adding that only the hash of the password is sent to its servers and that it will not be stored.
Security researcher for ESET, Cameron Camp, says it is a good time for LinkedIn users to change all of their social media passwords – creating a unique password for each service. “It is not unusual for malicious parties who grab a bunch of passwords from one site to try those same passwords on other sites.
“The difference with this hack, as opposed to many others, is that people put their real information about themselves – their professional information – on the site, not just what party they plan on attending, or which games they are playing, which you might see on other networks like Facebook.
“In other words, mess with somebody's professional profile on LinkedIn, and you're messing with their life, and their contacts know about it.”
Our comments policy does not allow anonymous postings. Read the policy here