Dark Reading is part of the Informa Tech Division of Informa PLC



LinkedIn Confirms Password Breach, Phishing Intensifies

First your work life, now your love life? Hacker who stole at least 6.5 million LinkedIn passwords this week also uploaded 1.5 million password hashes from dating site eHarmony to a Russian hacking forum.

LinkedIn confirmed Wednesday that it's investigating the apparent breach of its password databases after an attacker uploaded a list of 6.5 million hashed LinkedIn passwords to a Russian hacking forum earlier this week.

"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," wrote LinkedIn director Vicente Silveira in a blog post. "We are continuing to investigate this situation."

Security experts have advised all LinkedIn users to change their password immediately. To stay current with the investigation, meanwhile, a spokesman said via email that in addition to updating the company's blog, "we're also posting updates on Twitter @LinkedInNews, @LinkedInIndia, and @LinkedIn."

"We sincerely apologize for the inconvenience this has caused our members," Silveira said, noting that LinkedIn would be instituting a number of security changes. Already, LinkedIn has disabled all passwords that were known to be divulged on an online forum. Anyone known to be affected by the breach will also receive an email from LinkedIn's customer support team. Finally, all LinkedIn members will receive instructions for changing their password on the site, though Silveira emphasized that "there will not be any links in this email."

[ For more on the LinkedIn password breach, see LinkedIn Users: Change Password Now. ]

That caveat is crucial, owing to a wave of phishing emails--many advertising pharmaceutical wares--that have been circulating in recent days. Some of these emails sport subject lines such as "Urgent LinkedIn Mail" and "Please confirm your email address," and some messages also include links that read, "Click here to confirm your email address," that open spam websites.

These phishing emails probably have nothing to do with the hacker who compromised one or more LinkedIn password databases. Instead, they are more likely an attempt by other criminals to take advantage of people's worries about the breach, in hopes that victims will click on fake "Change your LinkedIn password" links that serve them spam.

In related password-breach news, dating website eHarmony Wednesday confirmed that some of its members' passwords had also been obtained by an attacker, after the passwords were uploaded to password-cracking forums at the InsidePro website. Notably, the same user--"dwdm"--appears to have uploaded both the eHarmony and LinkedIn passwords in several batches, beginning Sunday. Some of those posts have since been deleted.

"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," said eHarmony spokeswoman Becky Teraoka on the site's advice blog. Security experts have said about 1.5 million eHarmony passwords appear to have been uploaded.

Teraoka said all affected members' passwords had been reset and that members would receive an email with password-change instructions. But she didn't discuss whether eHarmony had deduced which members were affected based on a digital forensic investigation--identifying how attackers had gained access, and then determining what had been stolen. An eHarmony spokesman didn't immediately respond to a request for comment about whether the company has conducted such an investigation.

As with LinkedIn, however, given the short time since the breach was discovered, eHarmony's list of "affected members" is probably based only on a review of passwords that have appeared in public forums, and is thus incomplete. Out of caution, accordingly, all eHarmony users should change their passwords.

According to security experts, a majority of the hashed LinkedIn passwords uploaded earlier this week to the Russian hacking forum have already been cracked by security researchers. "After removing duplicate hashes, SophosLabs has determined there are 5.8 million unique password hashes in the dump, of which 3.5 million have already been brute-forced. That means over 60% of the stolen hashes are now publicly known," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. Of course, attackers already had a head start on the brute-force cracking, which means that all of the passwords may have now been recovered.

Rob Rachwald, director of security strategy at Imperva, suspects that many more than 6.5 million LinkedIn accounts have been compromised, because the uploaded list is missing 'easy' passwords such as 123456, he wrote in a blog post. Evidently, the attacker had already cracked the weak passwords and sought help only with the more complex ones.

Another sign that the password list was edited down is that it contains only unique passwords. "In other words, the list doesn't reveal how many times a password was used by the consumers," said Rachwald. But common passwords tend to be used quite frequently, he said, noting that in the hack of 32 million RockYou passwords, 20% of all users--6.4 million people--chose one of just 5,000 passwords.

Responding to criticism over its failure to salt passwords--the passwords were hashed with SHA-1, but without a salt--LinkedIn also said that its current password databases will now be salted and hashed. Salting refers to the process of adding a unique random string to each password before hashing it, and it's key for preventing attackers from using precomputed rainbow tables, or a single dictionary pass over the whole dump, to crack large numbers of passwords at once: with a per-user salt, every stored hash has to be attacked separately. "This is an important factor in slowing down people trying to brute-force passwords. It buys time, and unfortunately the hashes published from LinkedIn did not contain a salt," said Wisniewski at Sophos Canada.
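To make the salting point concrete, here is an added example (not code from the article, LinkedIn, or Sophos) that builds two small password tables from constructed sample accounts: one stored as bare SHA-1, the way the article says LinkedIn stored its hashes, and one stored with a random 16-byte salt per user plus PBKDF2-HMAC-SHA256 (chosen here as the salted, iterated scheme; the article does not say what LinkedIn adopted). A defender-side audit then checks both tables against a short constructed list of known-weak passwords and counts how many hash computations each takes, which shows why an unsalted dump lets one cracked value expose every account that reused it. The user names, passwords, weak-password list and iteration count are all made up for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample data, not from the breach: three accounts, two of which
# chose the same weak password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "123456",
    "bob": "123456",
    "carol": "Tr0ub4dor&3",
}

# Constructed list of known-weak candidates an auditor would check against.
WEAK_LIST: List[str] = ["password", "123456", "linkedin", "qwerty"]

# Iteration count is an assumed value for the example, not a production setting.
PBKDF2_ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """Bare SHA-1 of the password: the unsalted scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).

    The salt defeats precomputed tables; the iteration count makes each
    individual guess expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """Password table as stored without salt: user -> sha1(password)."""
    return {user: sha1_unsalted(pw) for user, pw in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Password table with a fresh 16-byte salt per user: user -> (salt, hash)."""
    table: Dict[str, Tuple[bytes, str]] = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, salted_hash(pw, salt))
    return table


def duplicate_hash_groups(hashes: List[str]) -> int:
    """Count distinct hash values that appear more than once.

    Without a salt, every user who picked the same password gets the same
    hash, so one cracked value exposes all of them at once.
    """
    counts: Dict[str, int] = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


def audit_unsalted(store: Dict[str, str], weak_list: List[str]) -> Tuple[Dict[str, str], int]:
    """Flag accounts whose unsalted hash matches a known-weak password.

    Returns (flagged user -> weak password, number of hash computations).
    Each candidate is hashed once and compared against the whole table, so
    the cost does not grow with the number of users.
    """
    lookup = {sha1_unsalted(w): w for w in weak_list}
    flagged = {user: lookup[h] for user, h in store.items() if h in lookup}
    return flagged, len(weak_list)


def audit_salted(store: Dict[str, Tuple[bytes, str]], weak_list: List[str],
                 iterations: int = PBKDF2_ITERATIONS) -> Tuple[Dict[str, str], int]:
    """Same audit against a salted table.

    The salt forces every candidate to be re-hashed for every user, so the
    work is (users x candidates) instead of (candidates), and each of those
    computations is itself slowed down by the iteration count.
    """
    flagged: Dict[str, str] = {}
    computations = 0
    for user, (salt, stored) in store.items():
        for candidate in weak_list:
            computations += 1
            if hmac.compare_digest(salted_hash(candidate, salt, iterations), stored):
                flagged[user] = candidate
                break
    return flagged, computations


def verify_salted(password: str, record: Tuple[bytes, str]) -> bool:
    """Login-time check: recompute with the stored salt, compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    unsalted = store_unsalted(SAMPLE_USERS)
    salted = store_salted(SAMPLE_USERS)
    print("shared hashes, unsalted:", duplicate_hash_groups(list(unsalted.values())))
    print("shared hashes, salted:  ", duplicate_hash_groups([h for _, h in salted.values()]))
    print("unsalted audit:", audit_unsalted(unsalted, WEAK_LIST))
    print("salted audit:  ", audit_salted(salted, WEAK_LIST))
```

Run stand-alone, the unsalted table shows one shared hash value (alice and bob) and the audit flags both of them after hashing the four candidates once; the salted table shows no shared values and the same audit needs one PBKDF2 computation per user per candidate. That multiplication by the number of users, times the per-guess slowdown from the iteration count, is the "buys time" Wisniewski refers to.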

Wisniewski also said it remains to be seen just how severe the extent of the LinkedIn breach will be. "It is critical that LinkedIn investigate this to determine if email addresses and other information was also taken by the thieves, which could put the victims at additional risk from this attack."


Comments
Bprince
User Rank: Ninja
6/10/2012 | 11:31:02 PM
re: LinkedIn Confirms Password Breach, Phishing Intensifies
"But common passwords tend to be used quite frequently, he said, noting that in the hack of 32 million RockYou passwords, 20% of all users--6.4 million people--chose one of just 5,000 passwords." Not surprising. @ readers: Is it time for more sites and services to utilize two-factor authentication?
Brian Prince, InformationWeek/Dark Reading Comment Moderator