LeakedIn: Hacker Posts 6.4 Million LinkedIn Passwords

The encrypted LinkedIn passwords of more than 6.4 million users have hit the Web after a reported hack, an incident that comes on the heels of another slip-up involving the company’s insecure mobile app.

The file containing 6,458,020 LinkedIn passwords appeared on a Russian Web forum; researchers from the security firm Sophos confirmed that the file does contain user passwords of Sophos staffers. (Scroll to the end of this story to learn how to check for your own password.)

All of the passwords are stored as SHA-1 hashes rather than in plain text, but that hashing scheme is relatively weak and it appears thousands of passwords have already been cracked.

No associated email addresses appear in the file, but as Sophos’ Graham Cluley says, “It is reasonable to assume that such information may be in the hands of the criminals.”


LinkedIn, which has more than 150 million users, has not issued a formal statement. In a Twitter post this morning (June 6) from its @LinkedIn feed, the company wrote, “Our team is currently looking into reports of stolen passwords. Stay tuned for more.”

In a tweet sent two hours later, LinkedIn wrote, “Our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred.”

Marcus Carey, security researcher at the firm Rapid7, recommends everyone immediately change their LinkedIn password.

“By all indications it doesn’t appear LinkedIn has contained the compromise yet, so everyone should be aware that they may have to change their passwords multiple times,” Carey told SecurityNewsDaily. “You should still go ahead and change it straight away, but you may have to change it for a second time if it turns out the attackers are still entrenched in LinkedIn’s systems.”

It’s also important to be aware of suspicious emails in the next few days that claim to be from LinkedIn. Phishing scams will invariably pop up in an attempt to trick you into entering a new password on a site that looks like LinkedIn, but is actually a clever spoof. When you change your LinkedIn login details, do it directly on LinkedIn’s site and not from a link in an email.

Bad day for LinkedIn

Unfortunately for LinkedIn, the password leak is not the least of its problems.

LinkedIn was forced today to update its mobile app to fix a flaw that transmitted the details of users’ calendar entries — including meeting locations, participants, meeting notes and passwords — back to LinkedIn’s servers without their knowledge.

The update came after researchers from Israel-based Skycure Security uncovered the flaw, prompting LinkedIn to take quick action to fix the problem.

In a blog post today, LinkedIn’s Joff Redfern addressed the issue, explaining that the calendar-sharing service is, and will continue to be, an opt-in feature users can turn off at any time.

The information is sent over a secure SSL connection, Redfern said, and none of it is stored on LinkedIn’s servers or shared “for purposes other than matching it with relevant LinkedIn profiles.”

Redfern added that, in light of Skycure Security’s discovery, LinkedIn will “no longer send data from the meeting notes section of your calendar event.”

The changes have been made on Android, and will be available shortly for Apple devices.

About the calendar feature in question, Redfern stressed, “It’s a great feature. We hope you try it out. If at any time you decide it’s not for you, then you can always go to the mobile apps setting page to turn [it] off.”

Checking your LinkedIn password

If you’d like to check whether your password is on the list of stolen passwords, you can download the huge 118-megabyte file from the Russian Yandex site here. You’ll probably need a text editor that can handle very large files to open the whole thing; alternatively, try Microsoft Word.

Then you’ll need to search for your LinkedIn password’s SHA-1 hash. Plug your password into the online SHA-1 hash generator at http://www.sha1-online.com. Copy the output and search for it in the file.

If you don’t get a result right away, clip the first five characters from the hash and search again for the remainder. Whoever uploaded the LinkedIn password list replaced the first five characters of every hash that had already been cracked with five zeroes.

For example, the hash for “password” is “5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8.” On the list, it appears as “000001e4c9b93f3f0682250b6cf8331b7ee68fd8,” indicating that it’s already been cracked.

If you do both and find nothing, your LinkedIn password isn’t on the list. But you should change it anyway.
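The same check can be done locally so the password never has to be typed into a third-party website. The following is an added example, not code from the article: it hashes the password with SHA-1 on your own machine and looks for both the full hash and the “00000”-masked form in a dump. The sample dump is constructed here and contains the masked hash of “password” quoted above plus one unmasked entry; the file path and the names of the functions are assumptions.

```python
import hashlib
import sys
import getpass

# Constructed sample of the leaked file: one hex SHA-1 per line. The first
# five characters of every already-cracked hash were replaced by "00000".
SAMPLE_DUMP = """\
000001e4c9b93f3f0682250b6cf8331b7ee68fd8
8cb2237d0679ca88db6464eac60da96345513964
"""


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password, lowercase hex, computed locally."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def masked(digest: str) -> str:
    """The form the uploader used for cracked entries: first five chars zeroed."""
    return "00000" + digest[5:]


def load_dump(text: str) -> set:
    """Normalise a dump to a set of lowercase hashes for constant-time lookups."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def check_password(password: str, dump: set) -> str:
    """Return 'present' (hash listed as-is), 'cracked' (masked form listed),
    or 'absent'. A masked match compares only the remaining 35 hex characters,
    so in principle it could be a different password with the same suffix."""
    digest = sha1_hex(password)
    if digest in dump:
        return "present"
    if masked(digest) in dump:
        return "cracked"
    return "absent"


if __name__ == "__main__":
    # Usage: python check_linkedin.py [path/to/combo_not.txt] (path is assumed)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="ignore") as fh:
            dump = load_dump(fh.read())
    else:
        dump = load_dump(SAMPLE_DUMP)
    pw = getpass.getpass("LinkedIn password to check (not echoed): ")
    print(check_password(pw, dump))
```

Whatever the result, the password is still typed into this script, so run it only on a machine you trust and rotate the password afterwards as the article advises.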

Article provided by SecurityNewsDaily, a sister site to Laptopmag.com.


  1. Curtis Says:

    The Russian site that holds all the passwords is down now.
