Millions Of Linkedin Passwords May Have Been Stolen


LinkedIn users could be facing yet another security problem.


A user in a Russian forum says that he has hacked and uploaded almost 6.5 million LinkedIn passwords, according to The Verge. Though his claim has yet to be confirmed, Twitter users are already reporting that they've found their hashed LinkedIn passwords on the list, security expert Per Thorsheim said.


LinkedIn revealed through its own tweet that it's looking into reports of stolen passwords, and it advised users to stay tuned for more information.


Many of the hashes include the word "linkedin," which The Verge believes lends credibility to the reports.


LinkedIn passwords are encrypted using an algorithm known as SHA-1, which is considered very secure. Complex passwords will likely take some time to decrypt, but simple ones may be at risk.


Sophos security expert Graham Cluley is advising LinkedIn users to change their passwords as soon as possible, at least as a precaution. If the report is true, then hackers are undoubtedly working hard to decrypt the hashed, or unsalted, passwords.


"Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals," Cluley added.



The report of the leaked passwords comes hard on the heels of word from security researchers that LinkedIn's iOS app is collecting information from calendar entries -- including passwords -- and transmitting it back to the company's servers without users' knowledge.


In response to concerns over this collection of data, LinkedIn yesterday tried to explain how and why it captures this information.


The company acknowledged that it picks up information from the Calendar app on your iOS device to try to sync any appointments listed with fellow LinkedIn users. The feature is opt-in, so users of the LinkedIn iOS app can turn off the ability to "Add Calendar" in the Settings screen.


The details sent to LinkedIn's server include the e-mail addresses of the people you meet with, the meeting subject, the location, and any meeting notes. The calendar data is sent securely using SSL encryption and isn't shared or stored, LinkedIn added.


But in a concession to concerned users, the company has promised two tweaks to the feature. It will no longer pick up meeting notes from your calendar. And it will add a "learn more" link to explain how your calendar data is being used.


LinkedIn did not address the question of whether passwords are being collected along with the meeting information.


To change your LinkedIn password, log onto your account. Click on your name in the upper right corner and then click on the link for Settings. In the Settings section, click on the Change link next to Password. You'll be prompted to enter your old password and then create a new one. Aim to pick a complex password that's not easy to decipher. Then click on the Change Password button.


CNET contacted LinkedIn for further details and will update the story when we get more information.



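The post above says the leaked hashes were plain, unsalted SHA-1. As an added example, not part of the original post or of LinkedIn's code, the following Python shows why that matters from a defender's side: every user who chose the same password gets the identical hash, so a breach-response team can spot at a glance how many accounts one popular password covers, and a single precomputed table of common passwords matches all of them at once. The second half shows the mitigation, a random per-user salt with a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here), under which the same three passwords produce three unrelated digests. The user names, passwords and iteration count are constructed for the demo and are not taken from the leak.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample: two users who chose the same weak password, as the
# leak showed many people had done (hypothetical names and passwords).
SAMPLE_USERS: Dict[str, str] = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",
    "carol": "y77Vj6t",
}

# Assumption for this demo: a cost that keeps one derivation well under
# a second on a laptop while still being far slower than a single SHA-1.
PBKDF2_ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """The scheme the article describes: one SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_hash_groups(hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users by identical hash.

    Any group with more than one member exposes the defect of unsalted
    hashing: the hash leaks that these users share a password, and one
    table lookup for that hash identifies all of them together.
    """
    groups: Dict[str, List[str]] = {}
    for user, digest in hashes.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF; returns (salt, digest).

    The salt is stored beside the digest. It is not secret; its job is to
    make each user's digest unique so precomputed tables do not apply.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def compare_schemes(users: Dict[str, str]) -> dict:
    """Hash the same user set both ways and report what each scheme reveals."""
    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    salted = {u: salted_hash(p) for u, p in users.items()}
    salted_digests = [digest for _, digest in salted.values()]
    return {
        # Non-empty: alice and bob collapse to one hash under plain SHA-1.
        "unsalted_duplicates": duplicate_hash_groups(unsalted),
        # True: with per-user salts even identical passwords differ.
        "salted_all_distinct": len(set(salted_digests)) == len(salted_digests),
        # True: the salted scheme still authenticates the right password.
        "salted_verifies": all(
            verify(users[u], salt, digest) for u, (salt, digest) in salted.items()
        ),
    }


if __name__ == "__main__":
    for key, value in compare_schemes(SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the duplicate group for the shared password under SHA-1 and confirms that the salted digests are all distinct yet still verify. The salt is stored in the clear next to the digest; the protection comes from each user getting a different one and from the KDF cost, not from hiding it.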
LinkedIn said today that some passwords on a list of allegedly stolen hashed passwords belong to its members, but did not say how its site was compromised.


"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," Vicente Silveira, a director at the professional social networking site, wrote in a blog post.


LinkedIn has disabled the passwords on those accounts, it said. Account holders will receive an e-mail from LinkedIn with instructions for resetting their passwords. The e-mails will not include any links. Phishing attacks often rely on links in e-mails that lead to fake sites designed to trick people into providing information, so the company says it will not send links in e-mails.


Affected account holders will then receive a second e-mail from LinkedIn customer support explaining why they need to change their passwords.


Earlier this morning, LinkedIn had said it found no evidence of a data breach, despite the fact that LinkedIn users were reporting that their passwords were on the list. By Elinor Mills, InSecurity Complex




News of millions of LinkedIn passwords leaked through a user on a Russian forum is scary enough. It's important not to let the situation get worse. Be proactive about protecting your other accounts, particularly if you have the same password for all your accounts.


If that's the case, it's time to change them, Jeremiah Grossman of WhiteHat Security said in an e-mail to CNET.


He offered a few tips, via a blog post on how not to get hacked on the Web.


"You wouldn't have the same key for your home, car, office, safe, etc.," Grossman wrote. "For the same reason you shouldn't use the same password for all your online accounts."


He recommends picking passwords that are hard to guess, not found in the dictionary, six characters or more in length, and that have a mix of numbers and letters. Two examples are y77Vj6t or JX0r21b.


Since having multiple passwords can be hard to remember, you can write down the passwords on a piece of paper that fits in your wallet or on index cards that can be locked in your desk. Or, you can use a password manager, which is software that stores your passwords and encrypts the data, Grossman says.





Chris Wysopal, of Veracode, said it's also good to keep a password manager, like the Password Wallet app, on your phone so you can access them easily if you are away from your computer. Additionally, he said it's important to change passwords if they have similar patterns. For instance, he said one of the hacked passwords he saw was "scottlinkedin" which could potentially be a security risk for Scott's other accounts.


"Someone might go to Facebook and try 'scottfacebook,'" he said. "It's good to have unique passwords for each one, but the pattern is so obvious, it's good to change the other passwords."


Prior to confirming the breach, LinkedIn offered similar advice on its blog, adding that passwords should be changed frequently, at least once a quarter or every few months.


Originally posted at Internet & Media



I have learned that this breach also includes users of the dating site eHarmony and last.fm music service besides LinkedIn users. I just so happen to have an account with last.fm and got an email from them informing me to change my password. They commented that no direct link was provided as a way to verify that this email was legitimate and not a malicious redirect or phishing attempt. If you do get an email from any of these sites stating your password may have been compromised and a link "IS" provided that should really raise your suspicions. Instead, delete the email and go directly to the site and change your password there. Regards, Ritchie...
