
LinkedIn confirms six million password hack, check if yours is one of them

It's now official, account passwords for the popular business social network LinkedIn have been compromised.
Vicente Silveira, a director at LinkedIn, has confirmed that some of the passwords published online by a Russian hacking group "correspond to LinkedIn accounts". How many of the 161 million LinkedIn members have been affected by this breach is as yet unknown; however, it is likely to be a relatively small percentage, as the published list contains 'only' 6.5 million passwords, even if LinkedIn passwords prove to be the vast majority, if not all, of them.

The list of compromised passwords was published in a file that contained the passwords as unsalted SHA-1 hashes, and appeared on a Russian-based public forum. I am led to believe that at least a quarter of a million of these hashes have already been cracked, and that number will inevitably increase as the cracking work continues. Although no associated account data such as usernames were published within the file, it is as yet unknown whether the hackers have access to this information.

Silveira admits that the password hashes were unsalted when he says "it is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases".

It would appear that this exposed file has been put together as the result of a LinkedIn breach. Although this cannot yet be confirmed, the fact that the name LinkedIn appears in so many of the compromised passwords while no other social network's name does (users often append the name of the service to a numeric password, and LinkedIn has appeared many times so far in this list) leads me to believe this is a LinkedIn compromise.

If, as seems entirely possible, the hackers have username information then the business-centric nature of LinkedIn means that this could be a very serious compromise indeed. Stuart Coulson, cybersecurity expert and director of data centres at cloud specialist UKFast, warns that “This is really concerning for businesses as once hackers have usernames and passwords they can not only access the account, they can access any account with the same username and password. As many users have the same login details for LinkedIn, Facebook and even their work email, this hack has the potential to hand cybercriminals an open book of all of your personal, and potentially business, information.”

It's possible to run your own password through a SHA-1 hash generator and then compare the result to the published file to see if it has been compromised. The easiest way to do this is to use a service such as LeakedIn, which will do the hash generation and search for you. My 38-character randomised password was not leaked, but that has not stopped me from changing it immediately, and I would advise all other LinkedIn users to do the same. What's more, I would advise that they do so again once LinkedIn announces that whatever security hole allowed this compromise to take place has been plugged. Whether or not your password was compromised, if you use the same password on multiple sites you should immediately change all your logins to use unique passwords.

Davey Winder

I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best-selling IT magazine in the UK.
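As an added illustration of the check the article describes (hash your own password with SHA-1 and look the digest up in the leaked list) and of why the salting Silveira mentions matters, here is a small Python script; it is not part of the original post and not LinkedIn's code. The two digests in its stand-in "leaked file" are constructed from the well-known weak passwords "password" and "123456", not taken from the real dump, and doing the lookup locally means the plaintext never has to be sent to a third-party service.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the leaked file the article describes: one unsalted
# SHA-1 hex digest per line and no usernames. The two digests are of the
# well-known weak passwords "password" and "123456", not values from the dump.
CONSTRUCTED_LEAK = """\
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
7c4a8d09ca3762af61e59520943dc26494f8941b
"""

def load_leaked_hashes(text):
    """Parse a hash-per-line dump into a set of lowercase hex digests."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def sha1_hex(password):
    """Unsalted SHA-1, the scheme the leaked file used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def password_in_leak(password, leaked):
    """Local equivalent of the LeakedIn lookup. Because the hashes are
    unsalted, one digest per candidate and a single set lookup suffices,
    and the plaintext never has to leave your machine."""
    return sha1_hex(password) in leaked

def salted_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus PBKDF2: the same password yields a different
    digest for every user, so a leaked list cannot be matched by one lookup."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_salted(password, salt, expected, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    leaked = load_leaked_hashes(CONSTRUCTED_LEAK)
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", "in leaked list" if password_in_leak(pw, leaked) else "not found")
    _, d1 = salted_hash("password")
    _, d2 = salted_hash("password")
    print("same password, two different salted digests:", d1 != d2)
```

To check against the real dump, point `load_leaked_hashes` at the downloaded file's contents instead of the constructed string; the lookup stays purely local.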

 
Before reading your post I was unaware of this news that LinkedIn's passwords have been hacked; however, I tried to log in to my account and it is the same, and nothing has changed there.

I read the same article on some other blogs; good to see the same post on this forum.

Ouch, rather embarrassing to say the least.
Salting passwords is one of the first things I learnt to do when beginning PHP for web development.

It's really bad to hear about this news. But now they have announced to change your passwords into safety mode. Now LinkedIn has taken serious action regarding this issue.

LinkedIn and others should consider using non-decryptable encryption. http://bit.ly/KBvUdZ It only leaves the brute-force option. But the number of permutations and necessary tries is astronomical. The permutations make this encryption very different from a street algebraic approach. Which means an infinitesimal chance of decryption. A much better way, IMHO. Theoretically & practically. Certainly better than the razz-majazz of hashing.

There are also the social issues of gov't & control. Non-decryptable encryption has been around since the 1930s & one-time key encryption. But it has been restricted to military use. In limited forms, it should be permitted for civilian use, IMHO.

Very informative post, and thanks for sharing it here; I was not aware of this.

Good post, and that is really shameful. Now I will check mine.

What happened to those passwords that were hacked?

What do you mean? The article explains what happened. Hopefully everyone has changed their LinkedIn password as a matter of course, whether theirs was 'leaked out' or not. As for LinkedIn itself, it has been implementing a long overdue change to salted hashes for member passwords.

Though I read this news somewhere else as well, I didn't get the chance to add my views. I am just wondering how the site owner can be so irresponsible. How can somebody play with security? Nowadays, when everybody is running after social activity sites and spending their time on social activities, we are hearing that our data is not safe. It looks very un-genuine.

I checked my LinkedIn account and there is nothing changed, so is it a true article, or is something wrong? I am as good as before. So what really happened? Can somebody explain the original situation?

The situation has been explained fully in my piece. Yes it is a true article. Yes six million passwords were leaked. If yours is not amongst them, congratulations. However, just because 'nothing has changed' does not mean your password was not compromised and I would still recommend that you change it as a matter of course.

Nowadays, when everybody is running after social activity sites and spending their time on social activities, we are hearing that our data is not safe. It looks very nice.

Thanks for sharing such an informative post. Further, we must be conscious of that.

To avoid hacking, make sure that your PC is clean of viruses. And always type the URL manually. Don't click any URLs in email (this may be phishing).

Thanks for the valuable information. We must be conscious of this type of thing and should use the latest, updated antivirus to protect our data from hackers.

That's really awful... I think we should quit LinkedIn.

Thanks for informing us here. I was not aware of this.