Dark Reading

Attacks/Breaches

LinkedIn Confirms Password Breach, Phishing Intensifies

First your work life, now your love life? Hacker who stole at least 6.5 million LinkedIn passwords this week also uploaded 1.5 million password hashes from dating site eHarmony to a Russian hacking forum.

LinkedIn confirmed Wednesday that it's investigating the apparent breach of its password database after an attacker uploaded a list of 6.5 million hashed LinkedIn passwords (unsalted SHA-1 hashes, not encrypted passwords) to a Russian hacking forum earlier this week.

"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," wrote LinkedIn director Vicente Silveira in a blog post. "We are continuing to investigate this situation."

Security experts have advised all LinkedIn users to change their password immediately. To stay current with the investigation, meanwhile, a spokesman said via email that in addition to updating the company's blog, "we're also posting updates on Twitter @LinkedInNews, @LinkedInIndia, and @LinkedIn."

"We sincerely apologize for the inconvenience this has caused our members," Silveira said, noting that LinkedIn would be instituting a number of security changes. Already, LinkedIn has disabled all passwords that were known to be divulged on an online forum. Anyone known to be affected by the breach will also receive an email from LinkedIn's customer support team. Finally, all LinkedIn members will receive instructions for changing their password on the site, though Silveira emphasized that "there will not be any links in this email."


That caveat is crucial, owing to a wave of phishing emails--many advertising pharmaceutical wares--that have been circulating in recent days. Some of these emails sport subject lines such as "Urgent LinkedIn Mail" and "Please confirm your email address," and some messages also include links that read, "Click here to confirm your email address," that open spam websites.

These phishing emails probably have nothing to do with the hacker who compromised one or more LinkedIn password databases. More likely, other criminals are exploiting people's worries about the breach in the hope that recipients will click on fake "Change your LinkedIn password" links, which instead serve them spam.
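One way to triage such messages mechanically, as an added example that is not from the article, LinkedIn or any vendor named here: the two messages below are constructed for this example (they are not the phishing samples the article describes), and the brand name, domain and rules are assumptions. It flags a sender whose display name claims LinkedIn but whose address lives elsewhere, the presence of any link in a notice that was announced to contain none, and link hosts that merely start with "linkedin.com" but belong to a different domain.

```python
"""Triage a suspected LinkedIn-themed phishing email: parsed sender vs. brand,
any links at all, and link hosts outside the brand's domain."""
import email
import re
from email import policy
from urllib.parse import urlparse

BRAND = "linkedin"            # assumption: the brand being impersonated
BRAND_DOMAIN = "linkedin.com"  # assumption: the only legitimate link/sender domain

# http(s) URLs and bare "www." links in text or HTML bodies.
URL_RE = re.compile(r'(?:https?://|www\.)[^\s"\'<>]+', re.IGNORECASE)

# Constructed sample messages for this example; neither is a real message.
LEGIT = """\
From: LinkedIn <security-noreply@linkedin.com>
To: member@example.org
Subject: Important: please reset your LinkedIn password

To reset your password, sign in at LinkedIn.com and open Settings.
This notice intentionally contains no links.
"""

PHISH = """\
From: LinkedIn Support <admin@mailer.example.net>
To: member@example.org
Subject: Urgent LinkedIn Mail
Content-Type: text/html

<p>Please confirm your email address.</p>
<p><a href="http://linkedin.com.verify-account.example.net/confirm">Click here
to confirm your email address</a></p>
"""


def in_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it, so
    'linkedin.com.verify-account.example.net' does NOT qualify."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def extract_urls(msg) -> list:
    """Collect URLs from every text/* part (plain or HTML)."""
    urls = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def assess(raw: str) -> dict:
    """Return a verdict and the reasons behind it for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    # 1. Display name claims the brand, but the actual address is elsewhere.
    sender = msg["From"].addresses[0]
    if BRAND in sender.display_name.lower() and not in_domain(sender.domain, BRAND_DOMAIN):
        reasons.append(f"display name '{sender.display_name}' but sender domain {sender.domain}")

    # 2. Any link at all contradicts the announced link-free notice.
    urls = extract_urls(msg)
    if urls:
        reasons.append("message contains links; the genuine notice was to carry none")

    # 3. Link hosts that only *contain* the brand name but are not under its domain.
    for url in urls:
        host = urlparse(url if "://" in url else "http://" + url).hostname or ""
        if not in_domain(host, BRAND_DOMAIN):
            reasons.append(f"link host {host} is not under {BRAND_DOMAIN}")

    return {"suspicious": bool(reasons), "reasons": reasons, "urls": urls}


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(name, assess(raw))
```

Running it prints a clean verdict for the link-free notice and three reasons for the lure. The suffix test in `in_domain` is the part worth copying: a naive `"linkedin.com" in host` check would have accepted the phishing host.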

In related password-breach news, dating website eHarmony Wednesday confirmed that some of its members' passwords had also been obtained by an attacker, after the passwords were uploaded to password-cracking forums at the InsidePro website. Notably, the same user--"dwdm"--appears to have uploaded both the eHarmony and LinkedIn passwords in several batches, beginning Sunday. Some of those posts have since been deleted.

"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," said eHarmony spokeswoman Becky Teraoka on the site's advice blog. Security experts have said about 1.5 million eHarmony passwords appear to have been uploaded.

Teraoka said all affected members' passwords had been reset and that members would receive an email with password-change instructions. But she didn't discuss whether eHarmony had deduced which members were affected based on a digital forensic investigation--identifying how attackers had gained access, and then determining what had been stolen. An eHarmony spokesman didn't immediately respond to a request for comment about whether the company has conducted such an investigation.

As with LinkedIn, however, given the small amount of time since the breach was discovered, eHarmony's list of "affected members" is probably based only on a review of passwords that have appeared in public forums, and is thus incomplete. Out of caution, accordingly, all eHarmony users should change their passwords.

According to security experts, a majority of the hashed LinkedIn passwords uploaded earlier this week to the Russian hacking forum have already been cracked by security researchers. "After removing duplicate hashes, SophosLabs has determined there are 5.8 million unique password hashes in the dump, of which 3.5 million have already been brute-forced. That means over 60% of the stolen hashes are now publicly known," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. Of course, attackers had a head start on the brute-force cracking, which means that many more of the passwords, possibly all of them, may already have been recovered.

Rob Rachwald, director of security strategy at Imperva, suspects that many more than 6.5 million LinkedIn accounts have been compromised, because the uploaded list of hashes is missing "easy" passwords such as 123456, he wrote in a blog post. Evidently, the attacker had already cracked the weak passwords and sought help only with the more complex ones.

Another sign that the list was edited down is that it contains only unique hashes. "In other words, the list doesn't reveal how many times a password was used by the consumers," said Rachwald. Because the hashes are unsalted, every account with the same password produces the same hash, so deduplicating the dump erases that frequency information. But common passwords tend to be used quite frequently, he said, noting that in the hack of 32 million RockYou passwords, 20% of all users--6.4 million people--chose one of just 5,000 passwords.

Responding to criticism over its failure to salt passwords--the leaked hashes were unsalted SHA-1--LinkedIn also said that its password databases are now salted and hashed. Salting refers to adding a unique random string to each password before hashing it. Because identical passwords then produce different hashes, attackers can no longer use precomputed rainbow tables, or a single lookup table, to crack large numbers of passwords at once; every hash has to be attacked on its own. "This is an important factor in slowing down people trying to brute-force passwords. It buys time, and unfortunately the hashes published from LinkedIn did not contain a salt," said Wisniewski at Sophos Canada. Salting alone does not make any one hash slower to test, though; that requires a deliberately slow, iterated password hash such as bcrypt or PBKDF2, which is why the two are normally combined.
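The following is an added example, not code from the article, LinkedIn, Sophos or Imperva, and the user table and wordlist in it are constructed. It ties together the cracking arithmetic above (Sophos's unique-hash count, Rachwald's point that a deduplicated list hides reuse) and the salting discussion: it builds an unsalted SHA-1 dump in the leaked format, shows that deduplicating it collapses every reused password into one hash, cracks the whole dump with a single hash computation per wordlist entry, then repeats the attack against per-user salted, iterated hashes (PBKDF2-HMAC-SHA1 from the Python standard library, standing in for the bcrypt-class functions normally used) so the work multiplies by the number of accounts.

```python
"""Why unsalted SHA-1 dumps crack in bulk and why deduplicated dumps hide
password reuse, compared with per-user salting plus an iterated hash."""
import hashlib
import os

# Constructed candidate list standing in for a cracker's wordlist (assumption).
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty", "princess"]

# Constructed toy user table; "123456" and "password" are each reused.
USERS = {
    "alice": "123456",
    "bob": "password",
    "carol": "123456",
    "dave": "linkedin",
    "erin": "correct horse battery staple",
    "frank": "password",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_dump(users: dict) -> list:
    """Leaked-LinkedIn style: bare SHA-1 of each password, no salt, one per account."""
    return [sha1_hex(pw.encode()) for pw in users.values()]


def dedupe(dump: list) -> set:
    """Without salts, equal passwords give equal hashes, so a deduplicated dump
    loses the count of how many accounts shared each password."""
    return set(dump)


def crack_unsalted(dump: list, wordlist: list) -> dict:
    """Hash every candidate once, then look all stolen hashes up in that table.
    Work is len(wordlist) hashes however many accounts were stolen; a rainbow
    table is the precomputed, compressed form of the same idea."""
    table = {sha1_hex(w.encode()): w for w in wordlist}
    return {h: table[h] for h in dedupe(dump) if h in table}


def coverage(dump: list, cracked: dict) -> tuple:
    """(fraction of unique hashes cracked, fraction of accounts cracked)."""
    unique = dedupe(dump)
    return (len(cracked) / len(unique),
            sum(1 for h in dump if h in cracked) / len(dump))


def salted_record(password: str, salt: bytes = None, iterations: int = 20_000) -> tuple:
    """Per-user random salt plus PBKDF2-HMAC-SHA1 from the stdlib (bcrypt, scrypt
    or Argon2 are the usual production choices; the iteration count is kept
    small here only so the demo runs quickly)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return salt, iterations, digest.hex()


def crack_salted(records: list, wordlist: list) -> tuple:
    """No shared table is possible: each candidate must be re-derived under each
    record's own salt, so work is len(records) x len(wordlist) slow hashes.
    Returns (cracked dict keyed by digest, number of derivations computed)."""
    cracked, computed = {}, 0
    for salt, iterations, digest in records:
        for w in wordlist:
            computed += 1
            if hashlib.pbkdf2_hmac("sha1", w.encode(), salt, iterations).hex() == digest:
                cracked[digest] = w
                break
    return cracked, computed


if __name__ == "__main__":
    dump = unsalted_dump(USERS)
    cracked = crack_unsalted(dump, WORDLIST)
    print(f"{len(dump)} accounts, {len(dedupe(dump))} unique hashes, "
          f"{len(cracked)} cracked with {len(WORDLIST)} SHA-1 computations")
    print("coverage (unique hashes, accounts):", coverage(dump, cracked))
    records = [salted_record(pw) for pw in USERS.values()]
    salted_cracked, computed = crack_salted(records, WORDLIST)
    print(f"salted: {len(salted_cracked)} of {len(records)} cracked, "
          f"{computed} PBKDF2 derivations of {records[0][1]} iterations each")
```

Run it directly to print the counts. The two numbers to compare are the SHA-1 computations needed for the unsalted dump (fixed at the wordlist size, no matter how many accounts leaked) and the PBKDF2 derivations for the salted records (a separate pass per record, each deliberately slow). The `coverage` pair also shows why "60% of unique hashes" understates the damage to accounts: the reused weak passwords are exactly the ones that crack first.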

Wisniewski also said it remains to be seen just how severe the extent of the LinkedIn breach will be. "It is critical that LinkedIn investigate this to determine if email addresses and other information was also taken by the thieves, which could put the victims at additional risk from this attack."


Comments
Bprince
6/10/2012 | 11:31:02 PM
re: LinkedIn Confirms Password Breach, Phishing Intensifies
"But common passwords tend to be used quite frequently, he said, noting that in the hack of 32 million RockYou passwords, 20% of all users--6.4 million people--chose one of just 5,000 passwords." Not surprising. @ readers: Is it time for more sites and services to utilize two-factor authentication?
Brian Prince, InformationWeek/Dark Reading Comment Moderator