Panic Over LinkedIn ‘6.5m Password Theft’

LinkedIn investigates claims millions of user passwords were stolen and posted online

LinkedIn says it is looking into reports that almost 6.5 million passwords for the social networking site were stolen and published online.

A Russian hacker had acquired password hashes, cracked many of them and posted them on the internet, according to various reports, potentially leaving millions of LinkedIn users vulnerable to account hijacking and personal data theft.

Reports indicated that email addresses accompanying the passwords were also posted, but in encrypted form and so unreadable.

“Our team is currently looking into reports of stolen passwords. Stay tuned for more,” LinkedIn said over Twitter.

Insecure hashes?

Per Thorsheim, security professional and organiser of Passwords XX conference, said many had confirmed their unique password was found in the list of leaked data.

The passwords were stored as unsalted SHA-1 hashes, something Thorsheim said would not offer particularly strong protection. Because no per-user salt is mixed into the hash, every user with the same password ends up with the same stored value, and a table of precomputed hashes built once works against the whole list. Hackers can use a variety of techniques, including brute force, to crack hashes and work out the correct password.
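The following is an added illustration of the weakness described above, not code from the article or from LinkedIn: it hashes a small set of constructed sample passwords the way the article says LinkedIn did (plain SHA-1, no salt), shows that users sharing a password become identifiable as a group from the hashes alone, and contrasts that with a per-user salted, slow hash (PBKDF2-HMAC-SHA256) in which the same password produces different stored values. The user names, passwords and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data for the example (not real accounts): two users happen
# to share a password, which is the case unsalted hashing exposes.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "battery staple",
}

# Assumed work factor for the salted scheme; real deployments tune this to
# their hardware so that one verification takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """Store passwords the way the article describes: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_hash_groups(hashes: dict) -> list:
    """Group user names whose stored hashes are identical.

    With unsalted hashes, equal passwords yield equal digests, so recovering the
    password behind one entry recovers every account in the same group, and a
    precomputed table of digests applies to the whole dump at once.
    """
    by_hash = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest, set()).add(user)
    return [users for users in by_hash.values() if len(users) > 1]


def salted_hash(password: str, salt: bytes = b"") -> tuple:
    """Salted, deliberately slow hash: the mitigation for the weakness above.

    A fresh random 16-byte salt is generated per password unless one is supplied
    (supplying it is how verification recomputes the digest). Returns (salt, digest).
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Check a candidate password against a stored (salt, digest) pair.

    compare_digest avoids leaking the position of the first mismatching byte
    through timing differences.
    """
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def demo() -> dict:
    """Run both schemes over the sample users and summarise what each reveals."""
    unsalted = {user: unsalted_sha1(pw) for user, pw in SAMPLE_USERS.items()}
    salted = {user: salted_hash(pw) for user, pw in SAMPLE_USERS.items()}
    return {
        # Unsalted: alice and bob are visibly the same password.
        "unsalted_groups": shared_hash_groups(unsalted),
        # Salted: their stored digests differ despite the identical password.
        "salted_digests_differ": salted["alice"][1] != salted["bob"][1],
        # The salted scheme still verifies the right password for each user.
        "salted_verifies": all(
            verify_salted(SAMPLE_USERS[u], *salted[u]) for u in SAMPLE_USERS
        ),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints that `alice` and `bob` form one group under unsalted SHA-1 while their salted digests differ; the grouping function is also a cheap check a defender can run over their own password table to confirm whether a legacy unsalted scheme is still in use.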

No usernames were leaked, but some have suggested this is because the hackers wanted to keep the information for their own use.

LinkedIn had not offered any more comment at the time of publication.

Professor Alan Woodward, from the Department of Computing at University of Surrey, tweeted that it was “extraordinary” LinkedIn was not issuing its own warning, instead “leaving it to the security community to spread the word”.

Security professionals have rushed to offer advice to users. Mikko Hypponen, chief research officer at F-Secure, tweeted: “First change your LinkedIn password. Then prepare for scam emails about Linkedin password changes, linking to phishing sites. Will happen.”

“LinkedIn seems to be one of those services where I never go to…except to change my password.”

“Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals,” added Graham Cluley, senior technology consultant at Sophos, in a blog post.

“As such, it would seem sensible to suggest to LinkedIn users that they change their passwords as soon as possible as a precautionary step. Of course, make sure that the password you use is unique (in other words, not used on any other websites), and hard to crack.”

Social networking sites are a big target for cyber criminals, but there have not been any major cases of password theft yet. In May, thousands of user names and passwords were posted on Pastebin that the hacker claimed were for Twitter, but the micro-blogging site said most of them were not usable.