
LinkedIn confirms six million password hack, check if yours is one of them

(happygeek)

It's now official, account passwords for the popular business social network LinkedIn have been compromised.
Vicente Silveira, a director at LinkedIn, has confirmed that some of the passwords that were published online by a Russian hacking group "correspond to LinkedIn accounts". How many of the 161 million LinkedIn members have been impacted by this breach is as yet unknown, however it is likely to be a relatively small percentage as the published list of passwords is 'only' 6.5 million in number, even if LinkedIn passwords prove to be the vast majority if not all of them.

The list of compromised passwords was published in a file that contained the passwords in unsalted SHA-1 hashed form, and appeared online in a Russian-based public forum. I am led to believe that at least a quarter of a million of these hashes have been cracked, and that number will inevitably increase as the cracking work continues. Although no associated account data such as usernames were published within the file, at this point in time it is unknown if the hackers have access to this information or not.

Silveira admits that the password hashes were unsalted when he says "it is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases".

It would appear that this exposed file has been put together as the result of a LinkedIn breach. Although this cannot be confirmed as of yet, the fact that LinkedIn appears in so many of the compromised passwords while no other social network name does (users often append numerical passwords with the name of the service it applies to, and LinkedIn has appeared many times so far in this list) leads me to believe this is a LinkedIn compromise.

If, as seems entirely possible, the hackers have username information then the business-centric nature of LinkedIn means that this could be a very serious compromise indeed. Stuart Coulson, cybersecurity expert and director of data centres at cloud specialist UKFast, warns that “This is really concerning for businesses as once hackers have usernames and passwords they can not only access the account, they can access any account with the same username and password. As many users have the same login details for LinkedIn, Facebook and even their work email, this hack has the potential to hand cybercriminals an open book of all of your personal, and potentially business, information.”

It's possible to run your own password through a SHA-1 hash generator and then compare this to the published file to see if it has been compromised. The easiest way to do this is to use a service such as LeakedIn which will do the hash generation and search for you. My 38 character randomised password was not leaked, however that has not stopped me from changing it immediately. I would advise all other LinkedIn users do the same. What's more, I would advise that they do so again once LinkedIn announces that whatever the security hole that allowed this compromise to take place was has been plugged. Whether your password was compromised or not, if you use the same password on multiple sites, you should immediately change all your logins to use unique passwords.

Davey Winder

I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best selling IT magazine in the UK.
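The hash-and-compare check described in the article can be done locally, so the password never leaves your machine. This is an added example, not code from the article or from LeakedIn; the function names and sample data are constructed, and it assumes (as was reported of the published file) that some entries have their first five hex digits overwritten with zeros.

```python
import hashlib

MASK = "00000"  # assumed masking convention: first five hex digits zeroed

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password, as lowercase hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def load_hashes(lines):
    """Collect well-formed 40-hex-digit entries; skip anything else."""
    hashes = set()
    for line in lines:
        entry = line.strip().lower()
        if len(entry) == 40 and all(c in "0123456789abcdef" for c in entry):
            hashes.add(entry)
    return hashes

def check_password(password: str, hashes) -> str:
    """Return 'listed', 'listed-masked' or 'not-listed' for one password."""
    digest = sha1_hex(password)
    if digest in hashes:
        return "listed"
    # Same hash with its leading digits zeroed out in the list.
    if MASK + digest[len(MASK):] in hashes:
        return "listed-masked"
    return "not-listed"

# Constructed sample standing in for the published file (not real leak data).
SAMPLE_LINES = [
    sha1_hex("linkedin123") + "\n",
    MASK + sha1_hex("password1")[len(MASK):] + "\n",
    "\n",
    "not-a-hash\n",
]

if __name__ == "__main__":
    known = load_hashes(SAMPLE_LINES)
    for candidate in ("linkedin123", "password1", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, known))
```

Against a real list, pass the open file object to `load_hashes` and read the password with `getpass.getpass()` so it does not end up in shell history.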

JessicaJohn

Before reading your post I was unaware of this news that LinkedIn's passwords have been hacked; however, I tried to log in to my account and it is the same and nothing has changed there.

matthew111

I read the same article on some other blogs; good to see the same post on this forum.

Octet

Ouch, rather embarrassing to say the least.
Salting passwords is one of the first things I learnt to do when beginning PHP for web development.

Robert Jordan

It's really bad to hear about this news. But now they have announced to change your passwords into safety mode. Now LinkedIn has taken serious action regarding this issue.

givonz

LinkedIn and others, should consider using non-decryptable encryption. http://bit.ly/KBvUdZ It only leaves the brute force option. But, the # of permutations and necessary tries are astronomical. The permutations make this encryption very different from a street algebraic approach. Which means, an infinitesimal chance of decryption. A much better way, IMHO. Theoretically & practically. Certainly better than the razz-majazz of hashing.

There are also the social issues of gov't & control. Non-decryptable encryption has been around since 1930s & one time key encryption. But, restricted to military use. In limited forms, it should be permitted for civilian use, IMHO.

seowright

Very informative post and thanks for sharing here. I was not aware of this.

GarryHillton

Good post and that is really shameful. Now I will check mine.

willson1

What happened to those passwords that were hacked?

happygeek

What do you mean? The article explains what happened. Hopefully everyone has changed their LinkedIn password as a matter of course, whether theirs was 'leaked out' or not. As for LinkedIn itself, it has been implementing a long overdue change to salted hashes for member passwords.
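The difference between the unsalted SHA-1 hashes in the published file and salted hashes, as an added example that is not part of the original thread. The account names and passwords are constructed, and PBKDF2 with the iteration count shown is this example's choice; the article does not say which scheme LinkedIn adopted.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # assumed work factor for this example

def unsalted_sha1(password: str) -> bytes:
    """The storage form described in the article: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).digest()

def salted_hash(password: str, salt: bytes = None):
    """Return (salt, derived_key); a fresh random salt is drawn per record."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key

def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)

def shared_password_groups(stored):
    """Group users whose stored values are byte-for-byte identical."""
    groups = defaultdict(set)
    for user, value in stored.items():
        groups[value].add(user)
    return [users for users in groups.values() if len(users) > 1]

# Constructed accounts: alice and carol chose the same password.
ACCOUNTS = {"alice": "linkedin123", "bob": "Tr0ub4dor&3", "carol": "linkedin123"}
UNSALTED_DB = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
SALTED_DB = {u: salted_hash(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    # Unsalted: identical passwords collapse to one hash, so one cracked
    # entry (or one precomputed table) covers every account that shares it.
    print("unsalted:", shared_password_groups(UNSALTED_DB))
    # Salted: every record is unique and must be worked on separately.
    print("salted:  ", shared_password_groups(SALTED_DB))
    salt, key = SALTED_DB["alice"]
    print("verify ok:", verify("linkedin123", salt, key))
```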

neo09

Though I read this news somewhere else too, I didn't get the chance to add my views... I just wonder how the site owner can be so irresponsible... How can somebody play with security... Nowadays, when everybody is running behind social activity sites and spending their time on social activities, we are hearing that our data is not safe... It looks very un-genuine.

Ahsan Kowshik

I checked my LinkedIn account and nothing had changed there, so is it a true article, or is something wrong? I am good as before. So what really happened? Can somebody mention the original situation?

happygeek

The situation has been explained fully in my piece. Yes it is a true article. Yes six million passwords were leaked. If yours is not amongst them, congratulations. However, just because 'nothing has changed' does not mean your password was not compromised and I would still recommend that you change it as a matter of course.

stonebynature

Nowadays, when everybody is running behind social activity sites and spending their time on social activities, we are hearing that our data is not safe... It looks very nice.

seema123

Thanks for sharing such an informative post. Further, we must be conscious of that.

himanuzo

To avoid hacking, make sure that your PC is clean of viruses. And always type the URL manually. Don't click any URLs in email (maybe this is phishing).

seo.gurgaon.5

Thanks for the valuable information. We must be conscious of this type of thing and should use the latest and updated antivirus to protect our data from hackers.


maria.methews

That's really awful... I think we should quit LinkedIn.

GarryHillton

Thanks for informing here. I was not aware of this.
