LinkedIn confirms 'some' passwords leaked
Security researcher says more than 6.5M passwords likely compromised
By _Jaikumar Vijayan_
June 6, 2012 05:15 PM ET
Computerworld - In response to widespread reports of a massive _data_ (http://www.computerworld.com/s/article/9227816/Update_LinkedIn_probing_reports_of_massive_breach) at LinkedIn, the company Wednesday confirmed that passwords belonging to "some" of its members have been compromised.
In a carefully worded _blog post_ (http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/), LinkedIn director Vicente Silveira said the company has confirmed that an unspecified number of hashed passwords posted publicly on a Russian hacker forum earlier this week "correspond to
Silveira made no mention of how the passwords may have ended up on the
forums but noted that LinkedIn is continuing to investigate.
"Members that have accounts associated with the compromised passwords will
notice that their LinkedIn account password is no longer valid," Silveira
Users of the social networking site for professionals will also receive an
email from LinkedIn with instructions on how to reset their passwords. The
email will not contain any links that users will need to click on to reset
their password, he noted. Affected customers will also receive a note from
LinkedIn with more information on what happened and why they are being
asked to reset their passwords, Silveira said.
Earlier Silveira had posted a separate note urging LinkedIn members to
change their passwords and providing them with tips on how to create strong
Silveira was responding to numerous reports earlier Wednesday that hackers
accessed close to 6.5 million hashed passwords from a LinkedIn database and
posted them publicly on a Russian hacker forum. According to _security_
(http://www.computerworld.com/s/topic/17/Security) researchers who had seen
the compromised data, more than 300,000 of the hashed passwords have already
been cracked and posted online in clear text.
LinkedIn had earlier said it was looking into those reports but had not
confirmed the breach.
Tal Be'ery, security research leader at Imperva, claims to have seen the
stolen data and said much more than 6.5 million passwords might have been
According to Be'ery, the passwords that have been posted online appear to
be only those passwords that the hackers needed help in cracking. What the
breached password list is missing are the usual easy-to-guess passwords that
people commonly use to control access to online accounts, he said. The
LinkedIn password file does not contain any of the common passwords that
Imperva's researchers have typically run across when analyzing similar password
breaches, he said.
"Most likely, the hacker has figured out the easy passwords and needs help
with less common ones." So it's likely that only the more complicated
passwords have been revealed so far, he theorized.
The breached list shows that LinkedIn did not use best practices in
protecting the passwords, he said. The hashes that were used to mask the real
passwords were so-called unsalted SHA-1 hashes. SHA-1 is a general-purpose
hashing algorithm that is often used to protect stored passwords. Because a bare
SHA-1 hash of a password is not foolproof (the same password always produces the
same hash, so guesses can be checked against every record at once), security
experts have for some time recommended that organizations use a technique
called "salting" to make passwords harder to crack. With salting, an
application combines a random string of characters with each password before it
is hashed and stores that string alongside the hash. The process ensures that
even if two users' passwords are identical, their stored hashes will differ.
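The difference the paragraph describes, shown as an added example rather than anything from the article or LinkedIn: the same password hashed the unsalted way yields repeated hashes across users, while per-user salts make identical passwords produce distinct records, and a simple duplicate-hash count is one audit a defender can run over their own password store to spot unsalted storage. The sample passwords and the 16-byte salt size are constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional, Tuple

# Constructed sample passwords for the demo (not from the LinkedIn data).
# Two users share the same password, as commonly happens in real user bases.
SAMPLE_PASSWORDS = ["linkedin", "linkedin", "correct horse battery"]


def unsalted_sha1(password: str) -> str:
    """Scheme the article describes at LinkedIn: SHA-1 over the bare password.
    Every user with the same password gets exactly the same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salting as the article describes it: random bytes are combined with the
    password before hashing. Returns (salt_hex, hash_hex); the salt is stored
    next to the hash and is not secret. A purpose-built password hash such as
    PBKDF2 or bcrypt is the stronger modern choice; SHA-1 is used here only to
    mirror the scheme discussed in the article."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_salted(password: str, record: Tuple[str, str]) -> bool:
    """Login check: re-hash the candidate with the stored salt, then compare
    in constant time so timing does not leak how many bytes matched."""
    salt_hex, stored = record
    _, candidate = salted_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def duplicate_hashes(hashes: list) -> int:
    """Audit helper: number of distinct hash values that occur more than once.
    Unsalted storage exposes shared passwords as repeated hashes; with per-user
    salts, identical passwords still yield different hashes."""
    return sum(1 for n in Counter(hashes).values() if n > 1)


def demo() -> dict:
    unsalted = [unsalted_sha1(p) for p in SAMPLE_PASSWORDS]
    salted = [salted_record(p) for p in SAMPLE_PASSWORDS]
    return {
        "unsalted_duplicates": duplicate_hashes(unsalted),   # 1: the shared password shows
        "salted_duplicates": duplicate_hashes([h for _, h in salted]),  # 0
        "login_ok": verify_salted("linkedin", salted[0]),
        "login_rejected": not verify_salted("LinkedIn", salted[0]),
    }


if __name__ == "__main__":
    print(demo())
```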
In an apparent response to the focus on the unsalted hashing issue,
Silveira noted that LinkedIn recently added enhanced security measures for salting
and hashing its password databases. Silveira's post does not indicate when
LinkedIn began the practice.
The compromise is a big deal for LinkedIn users, said John Pescatore, an
analyst with Gartner. "LinkedIn definitely had to have some kind of serious
security incident for this to happen. And they probably had lax security
policies or controls for a simple unsalted hash file like this to exist," he
One worrisome aspect of the breach is that it could enable more targeted
phishing attacks, he said. "LinkedIn is a great research site for hackers
creating targeted phishing attacks to go after system administrators, CFOs,
etc." he said. "If they had access to the non-public parts of people's
LinkedIn profiles we will see even better targeted phishing attacks."
_Jaikumar Vijayan_ (http://www.computerworld.com/s/author/241/Jaikumar+Vijayan) covers data security and privacy issues, financial services security
and e-voting for Computerworld. Follow Jaikumar on Twitter at
_@jaivijayan_ (http://twitter.com/jaivijayan) or subscribe to _Jaikumar's RSS feed_
(http://rss.computerworld.com/computerworld/s/feed/keyword/JaikumarVijayan). His e-mail address is
_jvijayan@..._ (mailto:jvijayan@...).