
LinkedIn confirms 'some' passwords leaked

  • suesarkis@aol.com
    Message 1 of 1, Jun 6, 2012
      LinkedIn confirms 'some' passwords leaked
      Security researcher says more than 6.5M passwords likely compromised
      By _Jaikumar Vijayan_
      (http://www.computerworld.com/s/author/241/Jaikumar+Vijayan)
      June 6, 2012 05:15 PM ET


      Computerworld - In response to widespread reports of a massive _data
      breach_
      (http://www.computerworld.com/s/article/9227816/Update_LinkedIn_probing_reports_of_massive_breach) at LinkedIn, the company Wednesday confirmed
      that passwords belonging to "some" of its members have been compromised.
      In a carefully worded _blog post_
      (http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/), LinkedIn director Vicente Silveira
      said the company has confirmed that an unspecified number of hashed passwords
      posted publicly on a Russian hacker forum earlier this week, "correspond to
      LinkedIn accounts."
      Silveira made no mention of how the passwords may have ended up on the
      forums but noted that LinkedIn is continuing to investigate.
      "Members that have accounts associated with the compromised passwords will
      notice that their LinkedIn account password is no longer valid," Silveira
      said.
      Users of the social networking site for professionals will also receive an
      email from LinkedIn with instructions on how to reset their passwords. The
      email will not contain any links that users will need to click on to reset
      their password, he noted. Affected customers will also receive a note from
      LinkedIn with more information on what happened and why they are being
      asked to reset their passwords, Silveira said.
      Earlier Silveira had posted a separate note urging LinkedIn members to
      change their passwords and providing them with tips on how to create strong
      passwords.
      Silveira was responding to numerous reports earlier Wednesday that hackers
      accessed close to 6.5 million hashed passwords from a LinkedIn database and
      posted them publicly on a Russian hacker forum. According to _security_
      (http://www.computerworld.com/s/topic/17/Security) researchers who had seen
      the compromised data, more than 300,000 of the hashed passwords have already
      been decrypted and posted online in clear text.
      LinkedIn had earlier said it was looking into those reports but had not
      confirmed the breach.
      Tal Be'ery, security research leader at Imperva, claims to have seen the
      stolen data and said much more than 6.5 million passwords might have been
      compromised.
      According to Be'ery, the passwords that have been posted online appear to
      be only those passwords that the hackers needed help in cracking. What the
      breached password list is missing are the usual easy-to-guess passwords that
      people commonly use to control access to online accounts, he said. The
      LinkedIn password file does not contain any of the common passwords that
      Imperva's researchers have typically run across when analyzing similar password
      breaches, he said.
      "Most likely, the hacker has figured out the easy passwords and needs help
      with less common ones." So it's likely that only the more complicated
      passwords have been revealed so far, he theorized.
      The breached list shows that LinkedIn did not use best practices in
      protecting the passwords, he said. The hashes that were used to mask the real
      passwords were so-called unsalted SHA-1 hashes. SHA-1 is a hashing algorithm
      that is used to protect passwords. Because SHA-1 isn't foolproof, security
      experts have for some time recommended that organizations use a technique
      called "salting" to make passwords harder to crack. With salting, an
      application applies a random string of characters to a password before it is hashed.
      The process ensures that even if two passwords are identical, their hashes
      will be unique.
      In an apparent response to the focus on the unsalted hashing issue,
      Silveira noted that LinkedIn recently added enhanced security measures for salting
      and hashing its password databases. Silveira's post does not indicate when
      LinkedIn began the practice.
      The compromise is a big deal for LinkedIn users, said John Pescatore, an
      analyst with Gartner. "LinkedIn definitely had to have some kind of serious
      security incident for this to happen. And they probably had lax security
      policies or controls for a simple unsalted hash file like this to exist," he
      said.
      One worrisome aspect of the breach is that it could enable more targeted
      phishing attacks, he said. "LinkedIn is a great research site for hackers
      creating targeted phishing attacks to go after system administrators, CFOs,
      etc." he said. "If they had access to the non-public parts of people's
      LinkedIn profiles we will see even better targeted phishing attacks."
      _Jaikumar Vijayan_ (http://www.computerworld.com/s/author/241/Jaikumar+Vijayan)
      covers data security and privacy issues, financial services security
      and e-voting for Computerworld. Follow Jaikumar on Twitter at
      _@jaivijayan_ (http://twitter.com/jaivijayan) or
      subscribe to _Jaikumar's RSS feed_
      (http://rss.computerworld.com/computerworld/s/feed/keyword/JaikumarVijayan). His e-mail address is
      _jvijayan@..._ (mailto:jvijayan@...).
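The article's point about unsalted SHA-1 is easy to see in code. The following is an added example written for this page (it is not LinkedIn's code and not part of the Computerworld article): it stores the same constructed set of users under the unsalted scheme the article describes and under a salted variant, then counts repeated hash values the way a defender triaging a leaked hash file might. The user list, the 16-byte random salt and the constant-time comparison are this example's own choices, not anything the article states.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Iterable, Optional, Tuple

# Constructed sample accounts for the demonstration; two users share a password.
USERS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery staple",
}


def hash_unsalted_sha1(password: str) -> str:
    """The weak scheme the article describes: plain SHA-1 of the password, no salt.
    Every user with the same password gets the identical stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted_sha1(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salted variant: a random per-user salt is prepended to the password before
    hashing. Returns (salt_hex, digest_hex); both are stored with the account so
    the password can be verified later."""
    if salt is None:
        salt = secrets.token_bytes(16)  # assumption: 16 random bytes per user
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_salted_sha1(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute the salted hash with the stored salt and compare in constant time."""
    _, candidate = hash_salted_sha1(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def duplicate_hash_count(hashes: Iterable[str]) -> int:
    """Number of distinct hash values that occur more than once in a dump.
    Under an unsalted scheme, shared passwords show up as repeated values,
    which is one quick indicator that a leaked file was never salted."""
    return sum(1 for n in Counter(hashes).values() if n > 1)


def demo() -> dict:
    """Store USERS both ways and report what each scheme reveals."""
    unsalted = {u: hash_unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: hash_salted_sha1(p) for u, p in USERS.items()}
    return {
        "unsalted_duplicates": duplicate_hash_count(unsalted.values()),
        "salted_duplicates": duplicate_hash_count(d for _, d in salted.values()),
        "alice_eq_bob_unsalted": unsalted["alice"] == unsalted["bob"],
        "alice_eq_bob_salted": salted["alice"][1] == salted["bob"][1],
        "bob_verifies": verify_salted_sha1("Summer2012!", *salted["bob"]),
        "bob_wrong_password": verify_salted_sha1("Winter2012!", *salted["bob"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows one repeated value in the unsalted table (alice and bob) and none in the salted one, while verification of the correct password still succeeds. The salt is what breaks the one-lookup-fits-all property the article's researcher relies on when reasoning about which hashes were cracked; it does not make a single SHA-1 computation any slower, which is why current guidance pairs per-user salts with a deliberately slow password hash such as PBKDF2 (`hashlib.pbkdf2_hmac` in the standard library) rather than one round of SHA-1.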

