Attacks/Breaches
6/6/2012
11:47 AM
Connect Directly
RSS
E-Mail
50%
50%

LinkedIn Users: Change Password Now

Attackers appear to have obtained--and may have already decrypted--at least 6.5 million LinkedIn passwords.

All users of the LinkedIn social network should immediately change their password.

Security experts began broadcasting that warning Wednesday after reports emerged that nearly 6.5 million LinkedIn password hashes--encrypted using SHA1, but not salted--had been posted to a Russian hacking forum on Monday, together with a request to help decrypt them.

Hackers have already reported breaking 163,267 of the passwords, reported Norwegian news outlet Dagen IT, which Wednesday broke the news of the LinkedIn password breach.

LinkedIn confirmed that it's investigating the potential password breach. "Our team is currently looking into reports of stolen passwords. Stay tuned for more," read a Wednesday tweet from LinkedIn News.

[ Read about how hackers accessed a Romney Webmail account. See Romney Campaign Investigates Hotmail Account Hack. ]

What should LinkedIn users do? "First change your LinkedIn password. Then prepare for scam emails about Linkedin password changes, linking to phishing sites. Will happen," said Mikko Hypponen, chief research officer at F-Secure, via Twitter.

Security expert Per Thorsheim tweeted that he'd reviewed the uploaded password hashes and recovered at least 300,000 of them. "The number of [occurrences] of 'linkedin' in those passwords leave little doubt about the origin. Change password NOW!" Meanwhile, a post from the Security Ninja website's Twitter feed noted that "after getting the list of @linkedin hashes and hashing my old pwd with no salt there is a match for the hash in the list." Accordingly, it said that it was "best to assume the worst and change your password."

Evidently, LinkedIn didn't salt its passwords--a practice recommended by security experts that involves adding a unique string to each password before encrypting it. Had the passwords been salted, it would have made them more difficult for attackers to reverse the SHA1 password hashes. In fact, attackers may have already decrypted the passwords, and they may also have users' passwords and email addresses. "Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

The Computer Emergency Response Team of Finland (CERT-FI) Wednesday warned that many more than the 6,458,020 uploaded password hashes are likely to have been obtained by attackers. "Not all LinkedIn passwords have been published, but it is likely that an attacker is in possession of the rest of the passwords," it said.

According to LinkedIn, as of March 31, 2012, it had 161 million members.

CERT-FI also advised anyone who had reused their LinkedIn password on another site to immediately change it there as well, since it will be at risk of being hacked by anyone who downloads and reverses the uploaded LinkedIn password hashes.

More and more organizations are considering development of an in-house threat intelligence program, dedicating staff and other resources to deep inspection and correlation of network and application data and activity. In our Threat Intelligence: What You Really Need to Know report, we examine the drivers for implementing an in-house threat intelligence program, the issues around staffing and costs, and the tools necessary to do the job effectively. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GR8Day
50%
50%
GR8Day,
User Rank: Apprentice
6/7/2012 | 3:31:25 PM
re: LinkedIn Users: Change Password Now
I am surprised a social networks who is geared for the professional would not be more security conscious. I am a member and would like to see them take some steps to provide me with additional layers of protection for access to my account verification without unreasonable complexity. It would be great to see them just as some of the other leading companies in their respective verticals giving us the perfect balance between security and user experience by moving to the use of 2FA (two-factor authentication) mobile or other, as a form of a token where the user is asked to telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice. I wish really wish more organizations would start implementing 2FA.
Number 6
50%
50%
Number 6,
User Rank: Apprentice
6/6/2012 | 6:18:22 PM
re: LinkedIn Users: Change Password Now
Nice of LinkedIn to not mention this to their users when they sign on (so far).
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.