Attacks/Breaches
6/7/2012
11:39 AM
Connect Directly
RSS
E-Mail
50%
50%

LinkedIn Confirms Password Breach, Phishing Intensifies

First your work life, now your love life? Hacker who stole at least 6.5 million LinkedIn passwords this week also uploaded 1.5 million password hashes from dating site eHarmony to a Russian hacking forum.

LinkedIn confirmed Wednesday that it's investigating the apparent breach of its password databases after an attacker uploaded a list of 6.5 million encrypted LinkedIn passwords to a Russian hacking forum earlier this week.

"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," wrote LinkedIn director Vicente Silveira in a blog post. "We are continuing to investigate this situation."

Security experts have advised all LinkedIn users to change their password immediately. To stay current with the investigation, meanwhile, a spokesman said via email that in addition to updating the company's blog, "we're also posting updates on Twitter @LinkedInNews, @LinkedInIndia, and @LinkedIn."

"We sincerely apologize for the inconvenience this has caused our members," Silveira said, noting that LinkedIn would be instituting a number of security changes. Already, LinkedIn has disabled all passwords that were known to be divulged on an online forum. Anyone known to be affected by the breach will also receive an email from LinkedIn's customer support team. Finally, all LinkedIn members will receive instructions for changing their password on the site, though Silveira emphasized that "there will not be any links in this email."

[ For more on the LinkedIn password breach, see LinkedIn Users: Change Password Now. ]

That caveat is crucial, owing to a wave of phishing emails--many advertising pharmaceutical wares--that have been circulating in recent days. Some of these emails sport subject lines such as "Urgent LinkedIn Mail" and "Please confirm your email address," and some messages also include links that read, "Click here to confirm your email address," that open spam websites.

These phishing emails probably have nothing to do with the hacker who compromised one or more LinkedIn password databases. Instead, the LinkedIn breach is more likely an attempt by other criminals to take advantage of people's worries about the breach in hopes that they'll click on fake "Change your LinkedIn password" links that will serve them with spam.

In related password-breach news, dating website eHarmony Wednesday confirmed that some of its members' passwords had also been obtained by an attacker, after the passwords were uploaded to password-cracking forums at the InsidePro website. Notably, the same user--"dwdm"--appears to have uploaded both the eHarmony and LinkedIn passwords in several batches, beginning Sunday. Some of those posts have since been deleted.

"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," said eHarmony spokeswoman Becky Teraoka on the site's advice blog. Security experts have said about 1.5 million eHarmony passwords appear to have been uploaded.

Teraoka said all affected members' passwords had been reset and that members would receive an email with password-change instructions. But she didn't discuss whether eHarmony had deduced which members were affected based on a digital forensic investigation--identifying how attackers had gained access, and then determining what had been stolen. An eHarmony spokesman didn't immediately respond to a request for comment about whether the company has conducted such an investigation.

As with LinkedIn, however, given the small amount of time since the breach was discovered, eHarmony's list of "affected members" is probably based only on a review of passwords that have appeared in public forums, and is thus incomplete. Out of caution, accordingly, all eHarmony users should change their passwords.

According to security experts, a majority of the hashed LinkedIn passwords uploaded earlier this week to the Russian hacking forum have already been cracked by security researchers. "After removing duplicate hashes, SophosLabs has determined there are 5.8 million unique password hashes in the dump, of which 3.5 million have already been brute-forced. That means over 60% of the stolen hashes are now publicly known," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. Of course, attackers already had a head start on the brute-force decryption, which means that all of the passwords may have now been recovered.

Rob Rachwald, director of security strategy at Imperva, suspects that many more than 6.5 million LinkedIn accounts have been compromised, because the uploaded list of passwords that have been released is missing 'easy' passwords such as 123456, he wrote in a blog post. Evidently, the attacker already decrypted the weak passwords, and sought help only to deal with more complex ones.

Another sign that the password list was edited down is that it contains only unique passwords. "In other words, the list doesn't reveal how many times a password was used by the consumers," said Rachwald. But common passwords tend to be used quite frequently, he said, noting that in the hack of 32 million RockYou passwords, 20% of all users--6.4 million people--chose one of just 5,000 passwords.

Responding to criticism over its failure to salt passwords--though the passwords were encrypted using SHA1--LinkedIn also said that its password databases will now be salted and hashed before being encrypted. Salting refers to the process of adding a unique string to each password before encrypting it, and it's key for preventing attackers from using rainbow tables to compromise large numbers of passwords at once. "This is an important factor in slowing down people trying to brute-force passwords. It buys time, and unfortunately the hashes published from LinkedIn did not contain a salt," said Wisniewski at Sophos Canada.

Wisniewski also said it remains to be seen just how severe the extent of the LinkedIn breach will be. "It is critical that LinkedIn investigate this to determine if email addresses and other information was also taken by the thieves, which could put the victims at additional risk from this attack."

More and more organizations are considering development of an in-house threat intelligence program, dedicating staff and other resources to deep inspection and correlation of network and application data and activity. In our Threat Intelligence: What You Really Need to Know report, we examine the drivers for implementing an in-house threat intelligence program, the issues around staffing and costs, and the tools necessary to do the job effectively. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/10/2012 | 11:31:02 PM
re: LinkedIn Confirms Password Breach, Phishing Intensifies
"But common passwords tend to be used quite frequently, he said, noting that in the hack of 32 million RockYou passwords, 20% of all users--6.4 million people--chose one of just 5,000 passwords." Not surprising. @ readers: Is it time for more sites and services to utilize two-factor authentication?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.