6.5 million LinkedIn passwords uploaded to hacker website – LinkedIn confirms breech
A list was uploaded to a Russian hacker website, alleging to contain the passwords of 6.5 million LinkedIn user accounts. LinkedIn later confirmed that some of the passwords were legitimate, though it said nothing about how they were obtained.
A list was uploaded to a Russian hacker website, alleging to contain the passwords of nearly 6.5 million LinkedIn user accounts. LinkedIn later confirmed that some of the passwords were legitimate, though it said nothing about how they were obtained.
Earlier today, the social networking website reported that it had found no evidence of a breech in its website, despite reports from users that their passwords were located on the list, which has since been pulled off of the website it was originally uploaded to.
Later, however, LinkedIn confirmed in a blog post that user accounts had indeed been compromised.
"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts." said the post. It went on to explain that passwords to compromised accounts had been disabled, and that emails had been sent to compromised users providing instructions to reset their passwords. Since phishing attacks often utilize fake emails with links to fake websites, LinkedIn said it will not include links in the emails.
Paul Kocher, president and chief scientist of Cryptography Research, believes that LinkedIn was more vulnerable to attack due to the way they hashed user passwords. According to Kocher, "They did not hash the passwords in a way that somebody would need to repeat their search for each account and they did not segregate and manage the (user) data in a way that they would not get compromised. The only thing worse they could have done would be to put straight passwords in a file, but they came pretty close to that by failing to salt."
“Salting” is a procedure of using hashes unique to individual passwords, instead of using the same hash for every duplicate password.
Just because a user's password appeared on the list does not mean that their accounts were logged into by the hackers. But according to Kocher, it is likely that the hackers have access to the corresponding usernames as well.
LinkedIn director Vicente Silveira wrote, "It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases."
Silveira went on to say, "We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously. If you haven't read it already, it is worth checking out my earlier blog post today about updating your password other account security best practices."