LinkedIn has confirmed that members’ passwords have been compromised, appearing on a list of allegedly stolen hashed passwords.
How this breach occurred has not been divulged.
Last night, a user on a Russian forum claimed to have downloaded 6.46 million user hashed passwords, some of which appeared to be from LinkedIn.
LinkedIn first investigated the matter, and said that it found no evidence of a data breach, despite the fact that LinkedIn users were reporting that their passwords were on the list. It has now, however, confirmed a breach.
“We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts,” Vicente Silveira, a director at the professional social-networking site, wrote in a blog post. It is unknown how many passwords have been verified by LinkedIn.
LinkedIn has disabled the passwords on those accounts, it said. Account holders will receive an email from LinkedIn with instructions for resetting their passwords. The emails will not include any links. Phishing attacks often rely on links in emails that lead to fake sites designed to trick people into providing information, so the company says it will not send links in emails.
Affected account holders will then receive a second email from LinkedIn customer support, explaining why they need to change their passwords.
LinkedIn hashed the passwords using the SHA-1 algorithm, but did not use proper obscuring techniques that would have made password cracking more difficult, said Paul Kocher, president and chief scientist of Cryptography Research. The passwords were obscured using a cryptographic hash function, but no per-account random value (a “salt”) was mixed in before hashing, so identical passwords produced identical hashes, he said. As a result, once a hacker finds a match for a guessed password, that same hash identifies every other account that uses the same password.
“There were two things LinkedIn failed at,” Kocher said.
They did not hash the passwords in a way that somebody would need to repeat their search for each account, and they did not segregate and manage the [user] data in a way that they would not get compromised. The only thing worse they could have done would be to put straight passwords in a file, but they came pretty close to that by failing to salt.
Security and crypto expert Dan Kaminsky tweeted that “salting would have added around 22.5 bits of complexity to cracking the #linkedin password dataset”.
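To make the two quoted points concrete, here is an added illustration (not code from the article, LinkedIn, or the experts quoted) of what a salt changes. It hashes a small constructed set of accounts both the way the article describes (bare SHA-1) and with a per-account random salt, then counts how many hash computations a single guess costs in each case. The closing function computes log2 of the dataset size, which is the usual reading of the “bits of complexity” figure: with no salt one hash computation tests a guess against every account at once, with a salt each account needs its own, so the work grows by a factor equal to the number of hashes. SHA-1 is used only because it is what the breach involved; a deliberately slow password hash is what a defender should deploy.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed sample accounts (not real data). Two users share a password,
# which is exactly the situation in which a missing salt leaks information.
ACCOUNTS = {
    "alice@example.invalid": "correct horse",
    "bob@example.invalid": "winter2012",
    "carol@example.invalid": "correct horse",
}


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 of the password, the scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over salt || password. Demonstrates the salt's effect only;
    a real deployment should use a slow KDF such as bcrypt or Argon2."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def hash_store(accounts: dict, salted: bool) -> dict:
    """Build a {user: (salt_hex_or_None, hash)} store from plaintext passwords."""
    store = {}
    for user, password in accounts.items():
        if salted:
            salt = os.urandom(16)  # fresh random salt per account
            store[user] = (salt.hex(), salted_sha1(password, salt))
        else:
            store[user] = (None, unsalted_sha1(password))
    return store


def duplicate_hash_values(store: dict) -> int:
    """How many hash values are shared by more than one account.
    Unsalted: every repeated password shows up as a repeated hash."""
    counts = Counter(h for _, h in store.values())
    return sum(1 for n in counts.values() if n > 1)


def check_one_guess(store: dict, guess: str) -> tuple:
    """Return (matching users, hash computations needed) for a single guess.

    Unsalted: hash the guess once and compare against every stored hash.
    Salted:   the guess must be re-hashed under each account's own salt.
    The computation count is the point of the article's quotes.
    """
    matches = []
    computations = 0
    salts = {salt for salt, _ in store.values()}
    if salts == {None}:
        digest = unsalted_sha1(guess)
        computations = 1
        matches = [u for u, (_, h) in store.items() if h == digest]
    else:
        for user, (salt_hex, h) in store.items():
            computations += 1
            if salted_sha1(guess, bytes.fromhex(salt_hex)) == h:
                matches.append(user)
    return sorted(matches), computations


def salt_work_factor_bits(n_hashes: int) -> float:
    """log2 of the dataset size: the extra work a per-account salt imposes,
    expressed in bits. For ~6.46 million hashes this is about 22.6 bits,
    matching the figure quoted from Kaminsky."""
    return math.log2(n_hashes)


if __name__ == "__main__":
    unsalted = hash_store(ACCOUNTS, salted=False)
    salted = hash_store(ACCOUNTS, salted=True)
    print("duplicate hashes, unsalted:", duplicate_hash_values(unsalted))
    print("duplicate hashes, salted:  ", duplicate_hash_values(salted))
    print("one guess, unsalted:", check_one_guess(unsalted, "correct horse"))
    print("one guess, salted:  ", check_one_guess(salted, "correct horse"))
    print("work factor for 6.46M hashes: %.1f bits" % salt_work_factor_bits(6_460_000))
```

Run as a script it prints the duplicate counts (one shared hash value without a salt, none with one), shows that the same guess costs one hash computation against the unsalted store but one per account against the salted store, and reports roughly 22.6 bits for a 6.46 million entry dataset.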
The password list that was uploaded to a Russian hacker forum (it has since been removed from the site) had nearly 6.5 million items, but it’s not clear how many of the passwords were cracked. Many of them had five zeros in front of the hash; Kocher said he suspects those are the ones that were cracked. “This suggests that this may be a file stolen from a hacker who had already done some work on cracking the hashes,” he said.
And just because an account holder’s password is on the list and appears to have been cracked, doesn’t mean the hackers actually logged in to the account, although Kocher said that it’s highly likely that the hackers had access to the user names, too.
Not only are LinkedIn users at risk of having their accounts hijacked by hackers; other scammers are also already exploiting the situation. Kocher said that he had received several spam phishing emails purporting to be from LinkedIn, asking him to verify his password by clicking on a link.
If people use their LinkedIn password, or a similar one, for other accounts, those accounts are now at risk as well.
Silveira said that LinkedIn is investigating the password compromise, and taking steps to increase the security of the site. “It is worth noting that the affected members who update their passwords, and members whose passwords have not been compromised, benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases,” he wrote.
“We sincerely apologise for the inconvenience this has caused our members. We take the security of our members very seriously,” Silveira added. “If you haven’t read it already, it is worth checking out my earlier blog post today about updating your password and other account security best practices.”
A portion of the email LinkedIn sent to its members:
The security of your account is very important to us at LinkedIn. As a precaution, we disabled your password, and advise you to take the following steps to reset it. If you reset your password in the last two days, there is no need for further action.
1. Type www.linkedin.com/settings directly into your browser
2. Type in your email address and press Sign In, no password necessary
3. Follow the on-screen directions to reset your password
Note: Do not reuse your old password when creating your new password.
If you have been using your old LinkedIn password on other sites, we recommend that you change those passwords too. We appreciate your immediate attention to resetting your password and apologize for the inconvenience.