It's now official, account passwords for the popular business social network LinkedIn have been compromised.
Vicente Silveira, a director at LinkedIn, has confirmed that some of the passwords that were published online by a Russian hacking group "correspond to LinkedIn accounts". How many of the 161 million LinkedIn members have been impacted by this breach is as yet unknown, however it is likely to be a relatively small percentage as the published list of passwords is 'only' 6.5 million in number, even if LinkedIn passwords prove to be the vast majority if not all of them.
The list of compromised passwords was published in a file that contained the passwords in unsalted SHA-1 hashed form, and appeared online in a Russian based public forum. I am led to believe that at least a quarter of a million of these hashes have been cracked, and that number will inevitably increase as the cracking work continues. Although no associated account data such as usernames were published within the file, at this point in time it is unknown if the hackers have access to this information or not.
Silveira admits that the password hashes were unsalted when he says "it is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases".
It would appear that this exposed file has been put together as the result of a LinkedIn breach. Although this cannot be confirmed as of yet, the fact that LinkedIn appears in so many of the compromised passwords while no other social network name does (users often append numerical passwords with the name of the service it applies to, and LinkedIn has appeared many times so far in this list) leads me to believe this is a LinkedIn compromise.
If, as seems entirely possible, the hackers have username information then the business-centric nature of LinkedIn means that this could be a very serious compromise indeed. Stuart Coulson, cybersecurity expert and director of data centres at cloud specialist UKFast, warns that “This is really concerning for businesses as once hackers have usernames and passwords they can not only access the account, they can access any account with the same username and password. As many users have the same login details for LinkedIn, Facebook and even their work email, this hack has the potential to hand cybercriminals an open book of all of your personal, and potentially business, information.”
It's possible to run your own password through a SHA-1 hash generator and then compare this to the published file to see if it has been compromised. The easiest way to do this is to use a service such as LeakedIn which will do the hash generation and search for you. My 38 character randomised password was not leaked, however that has not stopped me from changing it immediately. I would advise all other LinkedIn users do the same. What's more, I would advise that they do so again once LinkedIn announces that whatever the security hole that allowed this compromise to take place was has been plugged. If your password was compromised or not, and you use the same password on mutliple sites, you should immediately change all your logins to use unique passwords.
I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best selling IT magazine in the UK .
LinkedIn and others, should consider using non-decryptable encryption. http://bit.ly/KBvUdZ It only leaves the brute force option. But, the # of permutations and necessary tries are astronomical. The permutations make this encryption very different from a street algebraic approach. Which means, an infinitesimal chance of decryption. A much better way, IMHO. Theoretically & practically. Certainly better than the razz-majazz of hashing.
There are also the social issues of gov't & control. Non-decryptable encryption has been around since 1930s & one time key encryption. But, restricted to military use. In limited forms, it should be permitted for civilian use, IMHO.
What do you mean? The article explains what happened. Hopefully everyone has changed their LinkedIn password as a matter of course, whether theirs was 'leaked out' or not. As for LinkedIn itself, it has been implementing a long overdue change to salted hashes for member passwords.
Though I read this news somewhere else also but didn't get the chance to add my views..I am just wonder how the site owner can be so irresponsible...How can somebody will play with security...Now a days when everybody is running behind Social activities sites and spending their time at social activities and we are listening that our data is not safe...Its look very un-genuine
The situation has been explained fully in my piece. Yes it is a true article. Yes six million passwords were leaked. If yours is not amongst them, congratulations. However, just becuase 'nothing has changed' does not mean your password was not compromised and I would still recommend that you change it as a matter of course.