The Green Sheet Online Edition
June 25, 2012 • Issue 12:06:02
LinkedIn confirms breach, password theft
On LinkedIn's corporate blog, LinkedIn Director Vincente Silveira confirmed that the social media site for business professionals suffered a June 6, 2012, breach and acknowledged "some" passwords were stolen. Silveira said LinkedIn is continuing to investigate the breach. In the meantime, the company is invalidating passwords it knows to be compromised.
LinkedIn boasts approximately 161 million business-oriented users. Silveira said customers with compromised passwords will receive an email from LinkedIn with instructions for resetting their passwords. Silveira stated customers will then receive a second email from Customer Support to provide "a bit more context on this situation and why they are being asked to change their passwords."
Security researcher Cameron Camp wrote on a blog for the international Internet security firm ESET that phishing emails are already circulating that purport to link to the LinkedIn password reset but instead direct the user elsewhere. For example, when a phony email link is clicked, the user may be directed to an illegal online pharmacy. Camp advised LinkedIn users not to click on any links in a LinkedIn email but instead to go directly to the company website to change their passwords.
"Sadly, we are likely to see more of these emails as LinkedIn tries to rebuild trust among members," Camp wrote. "Besides changing your password, it's a good idea to review your user settings and try to understand/limit/narrow access to your key information to those with whom you intend to share. In this way you can help prevent unintended data sprawl, also meaning other user accounts which might become compromised won't have as much of a direct effect on your personal information."
Hashing and salting
Silveira noted that LinkedIn recently enhanced its security by adding additional cryptographic techniques, known as hashing and salting, to protect its stored passwords. This may not be enough to stop determined hackers who have access to the stolen data, according to published reports claiming that as many as 6.4 million LinkedIn password hashes may have been stolen by Russian hackers who reportedly posted the stolen data on an online forum. The reports also said teams of hackers have already cracked 300,000 or more of the stolen passwords.
UKFast.net Ltd., a Manchester, England, hosting services provider, wrote on its blog that it was able to crack 2,000 hashes from the stolen LinkedIn data in just 10 minutes using the processing power of a normal central processing unit. "The passwords stolen from LinkedIn's database were stored as hashes encrypted using a cryptographic hash function called SHA-1," the company stated. "This basically uses an algorithm to change the password into a string of characters. ... Hashes like this can be simply cracked."
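The difference between the unsalted SHA-1 storage described above and the salted scheme LinkedIn said it was moving to, as an added illustration that is not from the original article or from LinkedIn's own code. The PBKDF2 parameters, the sample passwords and the audit helper are assumptions; the article does not say which salted scheme LinkedIn adopted.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Constructed sample passwords for the demonstration (not real LinkedIn data).
SAMPLE_PASSWORDS = ["linkedin", "password", "correct horse battery staple"]


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1, the scheme the article says LinkedIn used at the time."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (an assumed modern replacement)."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _, iterations, salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def duplicate_hash_count(passwords: Iterable[str]) -> int:
    """Unsalted hashing reveals which users share a password: same input, same hash."""
    hashes = [legacy_hash(p) for p in passwords]
    return len(hashes) - len(set(hashes))


def flag_weak_legacy_hashes(stored_hashes: Iterable[str], weak_passwords: Iterable[str]) -> Dict[str, str]:
    """Defender-side audit: one precomputed table of known-weak passwords matches every
    user's unsalted hash at once, which is why such hashes fall so quickly."""
    table = {legacy_hash(p): p for p in weak_passwords}
    return {h: table[h] for h in stored_hashes if h in table}


if __name__ == "__main__":
    legacy: List[str] = [legacy_hash(p) for p in SAMPLE_PASSWORDS]
    print("shared-password leaks via unsalted SHA-1:", duplicate_hash_count(SAMPLE_PASSWORDS + ["password"]))
    print("legacy hashes matching a weak-password list:", flag_weak_legacy_hashes(legacy, ["password", "123456"]))
    stored = salted_hash("password")
    print("salted record:", stored)
    print("verify correct / wrong:", verify_salted("password", stored), verify_salted("Password", stored))
```

Two users with the same password get identical legacy hashes but different salted records, so a single precomputed table no longer matches across the whole user base.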