LeakedIn: Hacker Posts 6.4 Million LinkedIn Passwords
LinkedIn is having trouble alerting members affected by the recent password theft.
The hashed LinkedIn passwords of more than 6.4 million users have hit the Web after a reported hack, an incident that comes on the heels of another slip-up involving the company's insecure mobile app.
The file containing 6,458,020 LinkedIn passwords appeared on a Russian Web forum; researchers from the security firm Sophos confirmed that the file does contain user passwords of Sophos staffers. (Scroll to the end of this story to learn how to check for your own password.)
All of the passwords are hashed, but the scheme used (unsalted SHA-1) is relatively weak, and it appears thousands of passwords have already been cracked.
No associated email addresses appear in the file, but as Sophos' Graham Cluley says, "It is reasonable to assume that such information may be in the hands of the criminals."
Late Wednesday, after several statements that it could find nothing wrong, LinkedIn, which has more than 150 million registered users, admitted that its password database had been breached.
"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," wrote LinkedIn Director Vicente Silveira on the official company blog.
"Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid. These members will also receive an email from LinkedIn with instructions on how to reset their passwords."
Silveira noted that everyone who updates his or her password will benefit from the "enhanced security we just recently put in place, which includes hashing and salting of our current password databases."
Security experts might argue that "salting," or combining each password with a random value before hashing it, is something that should be done before, not after, a huge data breach. Had LinkedIn salted its password hashes before today, there likely wouldn't be a problem.
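An added illustration of the point above (example code written for this page, not code from the article or from LinkedIn): with unsalted SHA-1, every account that chose "password" stores the identical hash, so one precomputed table of common-password hashes matches them all at once; with a per-account random salt the same password hashes differently for each account and the table finds nothing. The account names and passwords are constructed.

```python
import hashlib
import os

# Constructed sample: three accounts, two of which chose the same password.
USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "correct horse battery staple",
}

def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: every account with the same password
    gets the same hash, which is what the leaked file reflects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over a per-account random salt plus the password. Used here only
    to illustrate salting; SHA-1 is a poor password hash even when salted."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def store_unsalted(users: dict) -> dict:
    return {user: unsalted_sha1(pw) for user, pw in users.items()}

def store_salted(users: dict) -> dict:
    """Each record keeps its salt next to the hash so logins can be verified."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)  # fresh, independent salt per account
        records[user] = (salt, salted_sha1(pw, salt))
    return records

def verify_salted(password: str, record: tuple) -> bool:
    salt, stored = record
    return salted_sha1(password, salt) == stored

def table_hits(stored_hashes: dict, table: dict) -> list:
    """Accounts whose stored hash appears in a precomputed hash->password
    table built from common passwords (the kind of lookup that cracked
    thousands of the leaked hashes)."""
    return sorted(user for user, h in stored_hashes.items() if h in table)

if __name__ == "__main__":
    common = {unsalted_sha1(p): p for p in ("password", "123456")}
    print("unsalted hits:", table_hits(store_unsalted(USERS), common))
    salted = {u: h for u, (_, h) in store_salted(USERS).items()}
    print("salted hits:  ", table_hits(salted, common))
```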
In a Twitter post this morning (June 6) from its @LinkedIn feed, the company had written, "Our team is currently looking into reports of stolen passwords. Stay tuned for more."
In a tweet sent two hours later, LinkedIn wrote, "Our team continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred."
Security professionals took to Twitter and to blogs to criticize LinkedIn's response.
Security consultant Robert David Graham wrote on his Errata Security blog, "I can confirm this hack is real: the password I use for LinkedIn is in that list. I use that password NOWHERE ELSE. Furthermore, it's long/complex enough that I'm confident NOBODY ELSE uses the same password."
"I must agree with the general consensus that LinkedIn is shamefully negligent," tweeted City College of San Francisco computer-security professor Sam Bowne. "It's easy to confirm the dump is real."
Marcus Carey, security researcher at the firm Rapid7, recommended everyone immediately change their LinkedIn password.
"By all indications it doesn't appear LinkedIn has contained the compromise yet, so everyone should be aware that they may have to change their passwords multiple times," Carey told SecurityNewsDaily. "You should still go ahead and change it straight away, but you may have to change it for a second time if it turns out the attackers are still entrenched in LinkedIn's systems."
It's also important to be aware of suspicious emails in the next few days that claim to be from LinkedIn. Phishing scams will invariably pop up in an attempt to trick you into entering a new password on a site that looks like LinkedIn, but is actually a clever spoof. When you change your LinkedIn login details, do it directly on LinkedIn's site and not from a link in an email.
Bad day for LinkedIn
Unfortunately for LinkedIn, the password leak is not the least of its problems.
LinkedIn was forced today to update its mobile app to fix a flaw that transmitted the details of users' calendar entries — including meeting locations, participants, meeting notes and passwords — back to LinkedIn's servers without their knowledge.
The update came after researchers from Israel-based Skycure Security uncovered the flaw, prompting LinkedIn to take quick action to fix the problem.
In a blog post today, LinkedIn's Joff Redfern addressed the issue, explaining that the calendar-sharing service is, and will continue to be, an opt-in feature users can turn off at any time.
The information is sent over a secure SSL connection, Redfern said, and none of it is stored on LinkedIn's servers or shared "for purposes other than matching it with relevant LinkedIn profiles."
Redfern added that, in light of Skycure Security's discovery, LinkedIn will "no longer send data from the meeting notes section of your calendar event."
The changes have been made on Android, and will be available shortly for Apple devices.
About the calendar feature in question, Redfern stressed, "It's a great feature. We hope you try it out. If at any time you decide it's not for you, then you can always go to the mobile apps setting page to turn [it] off."
Checking your LinkedIn password
UPDATE: The file containing the LinkedIn passwords has been removed from the Yandex site as of 4:30 p.m. ET Wednesday.
However, the file has been duplicated at several other locations around the Web, and a website has gone up at http://leakedin.org that offers to check your password against the list. The site is experiencing heavy traffic, and it may take several attempts to get through.
If you'd like to check whether your password is on the list of stolen passwords, you can download the huge 118-megabyte file from the Russian Yandex site here. You'll probably need a text editor that can handle very large files to open the whole thing; alternatively, try Microsoft Word.
Then you'll need to search for your LinkedIn password's SHA-1 hash. Plug your password into the online SHA-1 hash generator at http://www.sha1-online.com. Copy the output and search for it in the file.
If you don't get a result right away, drop the first five characters of the hash and search for the remaining 35. Whoever uploaded the LinkedIn password list replaced the first five characters of every hash that had already been cracked with five zeroes.
For example, the hash for "password" is "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8." On the list, it appears as "000001e4c9b93f3f0682250b6cf8331b7ee68fd8," indicating that it's already been cracked.
If you do both and find nothing, your LinkedIn password isn't on the list. But you should change it anyway.
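The check described above, as an added example (not code from the article or from LinkedIn): it computes your password's SHA-1 locally, so the password never has to be typed into a third-party website, and streams through the file line by line, so the 118-megabyte download needn't be opened in an editor. The three-line dump below is constructed to mirror the file's format; the third hash is a made-up value.

```python
import hashlib

# Constructed sample in the dump's format: one hex SHA-1 per line. A hash whose
# first five characters were overwritten with zeroes had already been cracked.
# Line 1 is SHA-1("password") with the mask applied, line 2 is SHA-1("123456")
# unmasked, and line 3 is an arbitrary made-up value.
SAMPLE_DUMP = """\
000001e4c9b93f3f0682250b6cf8331b7ee68fd8
7c4a8d09ca3762af61e59520943dc26494f8941b
00000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password, computed locally rather than online."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def masked(hex_hash: str) -> str:
    """The form an already-cracked hash takes in the dump: first five zeroed."""
    return "00000" + hex_hash[5:]

def check_password(password: str, lines) -> str:
    """Scan the dump lines once, looking for the full hash or its masked form.
    Returns 'cracked', 'present' or 'not found'."""
    full = sha1_hex(password)
    targets = {full: "present", masked(full): "cracked"}
    for line in lines:
        line = line.strip().lower()
        if line in targets:
            return targets[line]
    return "not found"

def check_password_in_file(password: str, path: str) -> str:
    """Same check against the real file, without loading it into memory."""
    with open(path, "r", encoding="ascii", errors="ignore") as fh:
        return check_password(password, fh)

if __name__ == "__main__":
    for pw in ("password", "123456", "correct horse battery staple"):
        print(pw, "->", check_password(pw, SAMPLE_DUMP.splitlines()))
```

Whether the result is "present", "cracked" or "not found", the article's advice stands: change the password, and do it directly on LinkedIn's site.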