LinkedIn said today that some passwords on a list of allegedly stolen hashed passwords belong to its members, but did not say how its site was compromised.
"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," Vicente Silveira, a director at the professional social-networking site, wrote in a blog post. It is unknown how many passwords have been verified by LinkedIn.
LinkedIn has disabled the passwords on those accounts, it said. Account holders will receive an e-mail from LinkedIn with instructions for resetting their passwords. The e-mails will not include any links. Phishing attacks often rely on links in e-mails that lead to fake sites designed to trick people into providing information, so the company says it will not send links in e-mails.
Affected account holders will then receive a second e-mail from LinkedIn customer support explaining why they need to change their passwords.
Earlier this morning, LinkedIn had said it found no evidence of a data breach, despite the fact that LinkedIn users were reporting that their passwords were on the list.
Later in the day, eHarmony confirmed that some of its users' passwords had also been compromised, but did not say how many.
LinkedIn hashed the passwords using the SHA-1 algorithm, but did not use proper obscuring techniques that would have made the password cracking more difficult, said Paul Kocher, president and chief scientist of Cryptography Research.
The passwords were obscured using a cryptographic hash function, but no random per-account value was mixed in before hashing, a procedure called "salting," he said. Without a salt, identical passwords produce identical hashes, so if a hacker finds a match for a guessed password, the same hash identifies every other account that uses that same password.
 There were two things LinkedIn failed at, Kocher said:
They did not hash the passwords in a way that somebody would need to repeat their search for each account and they did not segregate and manage the (user) data in a way that they would not get compromised. The only thing worse they could have done would be to put straight passwords in a file, but they came pretty close to that by failing to salt.
 Security and crypto expert Dan Kaminsky tweeted that "salting would have added around 22.5 bits of complexity to cracking the #linkedin password dataset." 
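The point Kocher and Kaminsky are making is easiest to see with a small experiment. The following Python is an added example, not LinkedIn's code: it builds a constructed set of accounts, stores their passwords once as bare SHA-1 (as in the leaked list) and once with a random per-account salt, then runs the same wordlist against both and counts hash operations. SHA-1 is used only because it is the algorithm under discussion; a real system should use a slow, salted password hash such as bcrypt, scrypt or Argon2. The account names, passwords and wordlist are all made up for the example, and `salt_work_factor_bits` is our own back-of-the-envelope estimate of the "extra bits" Kaminsky refers to (log2 of the number of accounts), not his method.

```python
import hashlib
import math
import os
from collections import defaultdict

# Constructed sample data (not from the real LinkedIn dump): four accounts,
# two of which share the weak password "linkedin".
USERS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "linkedin",
    "carol@example.com": "Tr0ub4dor&3",
    "dave@example.com": "correct horse battery staple",
}

# Small attacker wordlist, also constructed for the example.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "Tr0ub4dor&3"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_store(users):
    """Unsalted SHA-1: hash(password) only, as in the leaked 2012 list.
    Two accounts with the same password get the same hash."""
    return {user: sha1_hex(pw.encode()) for user, pw in users.items()}


def salted_store(users, salt_len=16):
    """Per-account random salt: stores (salt, SHA-1(salt || password)).
    The salt is not secret; it only makes each account's hash unique."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)
        store[user] = (salt, sha1_hex(salt + pw.encode()))
    return store


def crack_unsalted(store, wordlist):
    """One hash per guess covers the whole dataset: a hit reveals every
    account sharing that password. Returns (cracked, hash_operations)."""
    by_hash = defaultdict(list)
    for user, h in store.items():
        by_hash[h].append(user)
    cracked, ops = {}, 0
    for guess in wordlist:
        ops += 1
        for user in by_hash.get(sha1_hex(guess.encode()), []):
            cracked[user] = guess
    return cracked, ops


def crack_salted(store, wordlist):
    """With salts the attacker must re-hash every guess for every account;
    the search is repeated per account instead of once for the dataset."""
    cracked, ops = {}, 0
    for user, (salt, h) in store.items():
        for guess in wordlist:
            ops += 1
            if sha1_hex(salt + guess.encode()) == h:
                cracked[user] = guess
                break
    return cracked, ops


def salt_work_factor_bits(n_accounts: int) -> float:
    """Rough estimate of the extra work a per-account salt adds when
    cracking a whole dump at once: log2(number of accounts)."""
    return math.log2(n_accounts)


if __name__ == "__main__":
    u_cracked, u_ops = crack_unsalted(unsalted_store(USERS), WORDLIST)
    s_cracked, s_ops = crack_salted(salted_store(USERS), WORDLIST)
    print(f"unsalted: {len(u_cracked)} accounts cracked in {u_ops} hashes")
    print(f"salted:   {len(s_cracked)} accounts cracked in {s_ops} hashes")
    print(f"salt adds about {salt_work_factor_bits(6_500_000):.1f} bits "
          f"of work for a 6.5 million account dump")
```

Both runs recover the same three weak passwords, but the unsalted store needs only one SHA-1 per wordlist entry for the whole dataset, while the salted store needs one per entry per account. Scale the constructed four accounts up to the roughly 6.5 million in the leaked list and the per-account factor is about 2^22.6, close to the 22.5 bits Kaminsky quoted.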
[Image: a phishing e-mail posing as a LinkedIn password notice. Caption: Phishing scams are already popping up designed to trick people into sharing their LinkedIn password. LinkedIn says it will be sending e-mails to users about changing their password because of the data compromise, but its e-mail will not include a link. Credit: ESET]
The password list that was uploaded to a Russian hacker server (the file has since been removed from the site) has nearly 6.5 million items, but it's not clear how many of the passwords were cracked. Many of the hashes begin with five zeros; Kocher said he suspects those are the ones that had already been cracked.
"This suggests that this may be a file stolen from a hacker who had already done some work on cracking the hashes," he said.
And just because an account holder's password is on the list and appears to have been cracked doesn't mean the hackers actually logged into the account, although Kocher said it's highly likely that the hackers had access to the user names too.
Ashkan Soltani, a privacy and security researcher, said he suspects that the passwords could be old because he found one that was unique to him that he had used on a different service years ago. "It could be an amalgamation of password lists that someone is trying to break," he said. A hacker using the handle "dwdm" posted one list of passwords to the InsidePro hacker site and asked for help in cracking it, according to a screen capture Soltani saved. "They were crowd sourcing the password cracking," he said.
Not only are LinkedIn users at risk of having their accounts hijacked by hackers, other scammers are already exploiting the situation. During a 15-minute phone call this morning, Kocher said he had received several spam phishing e-mails purporting to be from LinkedIn and asking him to verify his password by clicking on a link.
And if people use their LinkedIn password, or a similar one, for other accounts, those accounts are now at risk as well. Here are some tips on choosing strong passwords and what to do if your password may be among those on the LinkedIn list.
LinkedIn's Silveira said LinkedIn is investigating the password compromise and taking steps to increase the security of the site. "It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," he wrote.
"We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously," Silveira added. "If you haven't read it already, it is worth checking out my earlier blog post today about updating your password and other account security best practices."
It's been a rough day for LinkedIn. In addition to the password leak, researchers have discovered that LinkedIn's mobile app is collecting data from users' calendar entries, including passwords and meeting notes, and transmitting it back to the company's servers without users' knowledge. After that news came out, LinkedIn said in a blog post today that it will stop sending meeting notes data from calendars. In addition, LinkedIn says the calendar sync feature is opt-in and can be disabled, that it doesn't store any of the calendar data on its servers, and that it encrypts the data in transit.
Source: CNET 