Skip to main content

More than 6 million LinkedIn passwords stolen


Russian hackers released a giant list of passwords this week, and on Wednesday security researchers identified their likely source: business social networking site LinkedIn.
LinkedIn (LNKD) confirmed in a blog post late Wednesday afternoon that some of the stolen passwords correspond to LinkedIn accounts.
The company did not offer any information about how the passwords were stolen or the extent of the damage, but it said it is "continuing to investigate" the matter.
Dating site eHarmony also announced Wednesday that some of its users' passwords were stolen in the attack.
The 6.5 million leaked passwords were posted Monday on a Russian online forum, camouflaged with a common cryptographic code called SHA-1 hash. It's a format that's considered weak if added precautions aren't taken. Roughly half of the "hashed" passwords have already been decoded and posted online in human-readable text.
Several security researchers tweeted Wednesday that they have found their passwords among those that were revealed. Web security firm Sophos said it matched many of its researchers' own passwords that are used exclusively on LinkedIn.
Countless passwords on the list contain the word "linkedin." On a popular hacker forum, many reported finding passwords such as "linkedout," "recruiter," "googlerecruiter," "toprecruiter," "superrecruiter," "humanresources" and "hiring."
There's good news and bad news about this break-in.
The good news is that so far, no user names have been discovered in the list. It's highly recommended that you change your password, but after that you should be okay.
The bad news is that LinkedIn was using an outdated form of cryptography to secure its users' private information. The company should have known better than to guard its lists with just SHA-1, experts say.
The problem with SHA-1 is that it translates the same text the same way each time. So if your password is "password" and your friend's password is also "password," they will be hashed exactly the same way. That makes reversing the process to uncover the original password significantly easier.
That's why security experts recommend that companies with giant lists of private data like LinkedIn add another security layer called "salt."
Salt randomly adds another piece of information to the password. It could be a user name, first name, or even a random number -- the point is that it changes the underlying text enough to make it almost impossible to decode.
"Any organization using SHA-1 without salting user passwords is running a great risk -- much higher than they should," said Per Thorsheim, chief information security advisor at Norwegian IT services company EVRY. "We've seen this time and time again. This is not good practice. Salt should be a minimum."
In its blog post, LinkedIn said that it "recently" put in place enhanced security, "which includes hashing and salting of our current password databases."
A spokeswoman declined to comment on how "recently" that security was added.
EHarmony said in a blog post that it "uses robust security measures," but it did not include salting in the list of its protections.
The potentially worse news is that far more than 6.5 million users' passwords were likely stolen.
Each hashed password on the hacked list is unique, according to those who have looked at the data. Since SHA-1 encodes all identical passwords the same way, it's very likely that multiple people among LinkedIn's 150 million users had the same password.
What's really bad is that we don't know the identity of the hackers or what they're capable of.
If they simply stole a bunch of passwords without any way to match them with user names, it's a wake-up call for LinkedIn but not much more. But the attack came from Russia, a country known for its expert and mischievous hackers. There could be more fallout.
"If it's random idiots that have done this, the chances are slim that they could actually exploit this to the amount where it would actually hurt LinkedIn or you and me," Thorsheim said. "But if this is organized crime and these guys are serious, then the damage potential is very high."
The password hack is the second piece of bad security news to hit LinkedIn this week.
The company's mobile application was caught collecting data from users' calendars and sending it back to the company for analysis. The tool matches up information about the people users have scheduled with information from their LinkedIn profiles.
LinkedIn responded in a blog post that it seeks permission first, but it pledged to be more transparent about the way it collects and analyzes its users' personal information.

Popular posts from this blog

Best Webcam Modeling Websites Where You Can Make Money 2018

So you want to be a webcam model, huh? Maybe you are not sure and just want to find out more information. Either way, you have come to the right blog! This post will tell you how you can become an online webcam model, making cash amounts that many only dream about. Yes, you can make some SERIOUS cash with webcam modeling, but we will get into that soon.

I. What is webcam modeling
II. Why you should be a webcam model
III. Requirements
IV. Pay
V. Studios and cam sites
VI. The decision

I. What is webcam modeling
Webcam modeling is basically the online version of video pornography, except for the fact that people are watching what you do LIVE. The typical webcam performer will dress herself up in sexy clothing, put on some pretty makeup, sit down and talk with a few potential customers, then when she is taken into private, she will perform sexual acts for the customer. That's where the term webcam actress comes from. During private chat, the performer will do as the customer reque…

Phone Apps That Can Help You Make Money with top webcam modeling website

Earn Money From Blogging

Remember when phones were a convenient way to talk with friends and family from your home? If you’re not that old, maybe you can recall when you used your cell phone just to talk to people from any place you happened to have service. No? Well, it really doesn’t matter; if you’re like most people (but not all), you use your smart phone for everything from time management, to navigation, to entertainment. Wouldn’t it be nice if you could use it to make a few extra bucks? Here’s a list of apps that can help you do just that.

Field Agent

This popular app utilizes crowdsourcing to gather data for businesses who register as clients. The “agents” use their phones to provide photos, scan barcodes, verify locations, complete surveys, mystery shop, and perform other useful services. Agents generally earn from $3 to $12 per job and funds can be withdrawn from the agent’s account directly to PayPal. Unfortunately, this app appears to be available only for iPhone, iPad and…

How one of the world's biggest investors is navigating this market

Talk about the land of confusion. The VIX is at eight-year lows, despite a slew of geopolitical concerns. Stocks are at record highs. Spanish debt yields less than Treasurys.
How, then, is one of the world's biggest investors navigating this market?
Dan Morris is global investment strategist at TIAA-CREF, the asset management company with $569 billion in assets under management, sat down with Talking Numbers for an exclusive interview.

The Low VIX

"A very low reading on the VIX is kind of reflecting on the relatively benign environment for equities generally," Morris said. "We think it's too low, just if you look at the historical numbers. It's going to go up but not in a way that we see as really threatening at all."

Also Read: What Lies In Your Debt?Credit Repair Magic Tools

"Even if the VIX does go up [and] even if we do get some type of correction," added Morris, "the market has been a bit too smooth. If you look at the lo…