LinkedIn confirms six million password hack, check if yours is one of them

happygeek

It's now official, account passwords for the popular business social network LinkedIn have been compromised.
Vicente Silveira, a director at LinkedIn, has confirmed that some of the passwords that were published online by a Russian hacking group "correspond to LinkedIn accounts". How many of the 161 million LinkedIn members have been impacted by this breach is as yet unknown, however it is likely to be a relatively small percentage as the published list of passwords is 'only' 6.5 million in number, even if LinkedIn passwords prove to be the vast majority if not all of them.

The list of compromised passwords was published in a file that contained the passwords in unsalted SHA-1 hashed form, and appeared online in a Russian-based public forum. I am led to believe that at least a quarter of a million of these hashes have been cracked, and that number will inevitably increase as the cracking work continues. Although no associated account data such as usernames were published within the file, at this point in time it is unknown if the hackers have access to this information or not.

Silveira admits that the password hashes were unsalted when he says "it is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases".

It would appear that this exposed file has been put together as the result of a LinkedIn breach. Although this cannot be confirmed as of yet, the fact that LinkedIn appears in so many of the compromised passwords while no other social network name does (users often append numerical passwords with the name of the service it applies to, and LinkedIn has appeared many times so far in this list) leads me to believe this is a LinkedIn compromise.

If, as seems entirely possible, the hackers have username information then the business-centric nature of LinkedIn means that this could be a very serious compromise indeed. Stuart Coulson, cybersecurity expert and director of data centres at cloud specialist UKFast, warns that “This is really concerning for businesses as once hackers have usernames and passwords they can not only access the account, they can access any account with the same username and password. As many users have the same login details for LinkedIn, Facebook and even their work email, this hack has the potential to hand cybercriminals an open book of all of your personal, and potentially business, information.”

It's possible to run your own password through a SHA-1 hash generator and then compare this to the published file to see if it has been compromised. The easiest way to do this is to use a service such as LeakedIn which will do the hash generation and search for you. My 38 character randomised password was not leaked, however that has not stopped me from changing it immediately. I would advise all other LinkedIn users do the same. What's more, I would advise that they do so again once LinkedIn announces that whatever the security hole that allowed this compromise to take place was has been plugged. If your password was compromised or not, and you use the same password on multiple sites, you should immediately change all your logins to use unique passwords.
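The local check described above, and the difference salting makes, as an added example that is not part of the original article. The sample hash list is constructed here from made-up passwords, and the salted scheme (PBKDF2-HMAC-SHA256 with an illustrative iteration count) is an assumption, since the article does not say which scheme LinkedIn adopted.

```python
import hashlib
import hmac
import os

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the form the article says the published file used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed sample standing in for the published file (one hex digest per line).
# These passwords are made up for the example; they are not taken from the leak.
CONSTRUCTED_DUMP = "\n".join(sha1_hex(p) for p in ("password", "linkedin123", "letmein"))

def load_hashes(text: str) -> set:
    """Normalise a hash list into a set for constant-time membership lookups."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def is_in_dump(password: str, hashes: set) -> bool:
    """Hash locally and compare; the password itself never leaves the machine."""
    return sha1_hex(password) in hashes

def salted_record(password: str, iterations: int = 100_000):
    """Per-user random salt plus a slow KDF (assumed scheme, illustrative cost)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations

def verify(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    hashes = load_hashes(CONSTRUCTED_DUMP)
    print("in dump:", is_in_dump("password", hashes))
    # Unsalted: every user with the same password shares one hash, so a single
    # precomputed table or one cracked entry covers all of those accounts.
    print("unsalted equal:", sha1_hex("password") == sha1_hex("password"))
    # Salted: the same password yields unrelated records for each user.
    a, b = salted_record("password"), salted_record("password")
    print("salted equal:", a[1] == b[1])
```

Hashing locally avoids submitting the password to a third-party lookup site.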

JessicaJohn -3 Newbie Poster

Before reading your post I was unaware of this news that LinkedIn's passwords have been hacked; however, I tried to log in to my account and it is the same and nothing has changed there.

matthew111 0 Newbie Poster

I read the same article on some other blogs; good to see the same post on this forum.

Octet 45 Newbie Poster Featured Poster

Ouch, rather embarrassing to say the least.
Salting passwords is one of the first things I learnt to do when beginning PHP for web development.

Robert Jordan 0 Newbie Poster

It's really bad to hear this news. But now they have announced to change your passwords into safety mode. Now LinkedIn has taken serious action regarding this issue.

givonz 0 Newbie Poster

LinkedIn and others, should consider using non-decryptable encryption. http://bit.ly/KBvUdZ It only leaves the brute force option. But, the # of permutations and necessary tries are astronomical. The permutations make this encryption very different from a street algebraic approach. Which means, an infinitesimal chance of decryption. A much better way, IMHO. Theoretically & practically. Certainly better than the razz-majazz of hashing.

There are also the social issues of gov't & control. Non-decryptable encryption has been around since 1930s & one time key encryption. But, restricted to military use. In limited forms, it should be permitted for civilian use, IMHO.

seowright 0 Newbie Poster

Very informative post, and thanks for sharing here; I was not aware of this.

GarryHillton -5 Newbie Poster

Good post, and that is really shameful. Now I will check mine.

willson1 -4 Junior Poster in Training

What happened about those passwords that are hacked?

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

What do you mean? The article explains what happened. Hopefully everyone has changed their LinkedIn password as a matter of course, whether theirs was 'leaked out' or not. As for LinkedIn itself, it has been implementing a long overdue change to salted hashes for member passwords.

neo09 0 Newbie Poster

Though I read this news somewhere else also, I didn't get the chance to add my views. I just wonder how the site owner can be so irresponsible. How can somebody play with security? Nowadays, when everybody is running after social activity sites and spending their time on social activities, we are hearing that our data is not safe. It looks very un-genuine.

Ahsan Kowshik 0 Newbie Poster

I checked my LinkedIn account and nothing has changed there, so is it a true article, or is something wrong? I am good as before. So what really happened? Can somebody mention the original situation?

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

The situation has been explained fully in my piece. Yes it is a true article. Yes six million passwords were leaked. If yours is not amongst them, congratulations. However, just because 'nothing has changed' does not mean your password was not compromised and I would still recommend that you change it as a matter of course.

stonebynature commented: very nice +0
stonebynature 0 Newbie Poster

Nowadays, when everybody is running after social activity sites and spending their time on social activities, we are hearing that our data is not safe. It looks very nice.

seema123 0 Newbie Poster

Thanks for sharing such an informative post. Further, we must be conscious of that.

himanuzo 0 Newbie Poster

To avoid hacking, make sure that your PC is clean of viruses. And always type the URL manually. Don't click any URLs in email (maybe this is phishing).

seo.gurgaon.5 0 Newbie Poster

Thanks for the valuable information. We must be conscious of this type of thing and should use the latest, updated antivirus to protect our data from hackers.


maria.methews 0 Newbie Poster

That's really awful... I think we should quit LinkedIn.

GarryHillton -5 Newbie Poster

Thanks for informing us here. I was not aware of this.

happygeek commented: really? even though you posted a comment to this very story a month ago, you didn't know about again now? that's a bad memory you have, although you remembered to include your advertising links in your signature I see... -2