Russian Hackers Release Up To 6.5 Million LinkedIn Passwords


Posted

Russian hackers release up to 6.5 million LinkedIn passwords

2012-06-07 03:38:02 GMT+7 (ICT)

MOUNTAIN VIEW, CALIFORNIA (BNO NEWS) -- Russian hackers have obtained and released the passwords of up to 6.5 million accounts on the popular professional networking website LinkedIn, according to a web posting on Wednesday.

LinkedIn director Vicente Silveira confirmed in a blog post that at least some of the more than 6.4 million passwords released on a Russian forum correspond to LinkedIn accounts. The leaked passwords were camouflaged with a common cryptographic code called SHA-1 hash, which is considered weak unless extra security layers are added.

"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," Silveira said.

Camouflaging passwords with SHA-1 is considered weak because it translates the same text the same way every time. For instance, if one user's password is "password", the resulting code will be the same when another user also uses "password." This is why security experts recommend adding a security layer called "salt," which adds another piece of information to the code to make it almost impossible to decode.

The file released on the Russian forum on Wednesday did not contain associated email addresses, but security experts nonetheless advise LinkedIn users to change their passwords as a precaution. Silveira said users of accounts associated with compromised passwords will receive an email from LinkedIn with instructions on how to reset their passwords.

"We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously," Silveira added in his blog post on Wednesday. He noted that emails sent by LinkedIn to affected users will not contain any links, apparently to avoid phishing scams.

It was not immediately clear how the passwords were obtained.

LinkedIn started out in the living room of co-founder Reid Hoffman in late 2002 and launched officially on May 5, 2003. At the end of the first month of operation, LinkedIn had around 4,500 users. As of May 2012, the company said it has more than 161 million users around the world.

-- © BNO News All rights reserved 2012-06-07

Posted

Another reason to avoid social networking. Despite LinkedIn being labeled as a 'professional network', it's just as vulnerable as the social ones.

Posted

Whilst changing my LinkedIn password this morning I was surprised to find that I wasn't logged in. I'm gobsmacked at how much I can do and find without logging in. Maybe the architects at LinkedIn should look at their whole structure rather than just the password security. Perhaps there is too much emphasis on extending the network (quantity) and not enough on letting the user envision where he/she is and whom he/she is amongst (quality). I am seriously considering reducing my 80 profile completion being patently aware that these "communities" are "Hotels California" - you can never leave.

Posted

Salting only works if you don't know the salt. Since someone got hold of (part?) of the database, who's to say that they wouldn't have gotten the salts as well? Basically if you have a good password then you aren't vulnerable to this kind of attack because brute forcing the hash isn't feasible. It's only if you use a lame duck password that you are vulnerable. Which most people do.
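
Added example (not from the article or any poster) for the salting discussion in the article and the reply above: unsalted SHA-1 gives two accounts with the same password an identical digest, while a random per-account salt stored beside a slow hash removes that link. PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample accounts are assumptions of this example; the page does not say which scheme LinkedIn adopted.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

ITERATIONS = 600_000  # assumed work factor for this example


def unsalted_sha1(password: str) -> str:
    """Scheme described in the article: same password, same digest, every time."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, deliberately slow hash. The random per-account salt is stored
    beside the digest; it does not have to be secret to do its job."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def shared_digests(digests: dict) -> int:
    """Audit check: number of digest values that occur on more than one account."""
    return sum(1 for n in Counter(digests.values()).values() if n > 1)


# Constructed sample accounts, not data from the leak.
SAMPLE = {"alice": "password", "bob": "password", "carol": "Tr4m-stop-42-lemon"}


def demo():
    weak = {user: unsalted_sha1(pw) for user, pw in SAMPLE.items()}
    records = {user: hash_password(pw) for user, pw in SAMPLE.items()}
    strong = {user: digest for user, (_salt, digest) in records.items()}
    return shared_digests(weak), shared_digests(strong), records


if __name__ == "__main__":
    weak_shared, strong_shared, _ = demo()
    print("digests shared between accounts, unsalted SHA-1:", weak_shared)
    print("digests shared between accounts, salted PBKDF2:", strong_shared)
```

The salt does not make a single weak password harder to guess; the slow hash is what raises the cost of each guess.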

Posted

It's only if you use a lame duck password that you are vulnerable. Which most people do.

I had to patiently explain to my folks that maybe having "billjanet" ( their names ) as a password possibly wasn't the best idea for all their online activities.

Later my dad proudly announced that he'd changed the password to "spencerstreet" ( where they live ).

Somebody pass me that "banging head against the wall" emoticon.
