LinkedIn Breach Reportedly Results In Millions Of Passwords Leaked Online

UPDATE: LinkedIn has confirmed on its blog that “some of the passwords that were compromised correspond to LinkedIn accounts,” and outlines how affected members will be notified.

On the LinkedIn blog in a post titled, “An Update on LinkedIn Member Passwords Compromised”:

1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.
3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

——————————————————–

If you have a LinkedIn account, it might be wise to change your password right about now. According to reports, a user in a Russian forum says he’s hacked and subsequently leaked online about 6.5 million LinkedIn passwords. The claim hasn’t been confirmed yet, but LinkedIn says it’s looking into the situation.

As CNET notes, LinkedIn’s Twitter says: “Our team is currently looking into reports of stolen passwords. Stay tuned for more.”

Meanwhile, other Twitter users are already reporting that they’ve found their hashed passwords on the list, says one security expert.

The simpler your password, the greater the risk: short, simple passwords take less time to crack from leaked hashes. As a precaution, now would be a good time to change that password. It’s a good idea to use a mix of upper- and lowercase letters, numbers and punctuation.

Here’s how:

1. Go to linkedin.com.
2. Click on your name in the top right corner and select Settings.
3. Click Change next to Password.
4. Enter your current password and create a new one.

This latest turn of events comes after recent news that LinkedIn’s iOS app is collecting info from calendar entries, including passwords, and sending it back to the company’s servers without notifying users.

Millions of LinkedIn passwords reportedly leaked online [CNET]

Comments


  1. CrazyEyed says:

    So where is this “list”

    • kelrod says:

      Not sure where the actual list itself is, but there is a site you can use to check to see if your password was leaked/cracked:

      http://www.leakedin.org

      I don’t believe the guy who put this site up is at all nefarious, but given the situation, I think it was a bad idea to tell users to type in their passwords. You can instead get a SHA-1 hash of your password and put that in instead, it will check to see if it is on the leaked list.

  2. FatLynn says:

    I just can’t imagine any real consequences of someone getting in to my linkedin account. What a stupid choice of website to hack.

    • Blueskylaw says:

      Resumes, personal information, e-mail addresses, mailing addresses, phone numbers, etc.

      • FatLynn says:

        Oh, I don’t think I have that much personal info on there. In my experience, LinkedIn is just a place where tons of people I barely know e-mail me looking for jobs.

        • Blueskylaw says:

          I know people who have a lot of information on there because you want potential employers to see your history, job information, previous employers, accomplishments, etc.

          • FatLynn says:

            Protip: Employers are not hanging out on LinkedIn looking for employees.

            • Anathema777 says:

              Actually, in some fields, they are. I know a few people in the IT field who have been approached and invited to apply for a job through their LinkedIn accounts.

              • JeffM says:

                I can only assume FatLynn was being facetious – I am approached on a weekly basis by recruiters looking for talent in the industry in which I’m employed (in the Silicon Valley).

                I usually ignore the leaked password rumors, but I look at LinkedIn as one of the only sites that actually has monetary value to me. The brand and image you put forth on LinkedIn is examined by damn near everyone that seriously evaluates you for employment. I changed my password.

                • Important Business Man (Formerly Will Print T-shirts For Food) says:

                  Bien dit. I changed mine too.

                • FatLynn says:

                  Oh, I get third-party recruiters all of the time. I meant real employers; the type of people I would want accessing my personal information. Someone said above that they’ve seen it happen, and that is fairly surprising to me.

              • visual77 says:

                I’ve had this happen to me. I’m a software developer by trade and have gotten a handful of legitimate (but not appealing) employment inquiries.

                I have yet to get one that is good enough to pursue, but I’ve looked at them enough to be confident that it is a real job opportunity.

            • DarthCoven says:

              I’ve been approached several times by folks in the NYC construction industry with job openings in my specific field. It’s been a very useful tool that has led to half a dozen job interviews. If the offers were better I might have taken one of them.

              • FatLynn says:

                Okay, this is what I mean. I get a ton of spam from people who want my help finding a job, and from recruiters. Neither group comprises people with whom I really want to share my personal info.

            • CubeRat says:

              Yes, they are. I started to set up a LinkedIn account years ago when I received invites from two of my favorite customers. I had never heard of it and was a bit suspicious about all the personal info they asked (I’m a bit paranoid about personal info). Also, I was doing this at work and it got crazy busy, so I stopped and just never went back to it to finish.

              I’ve never logged on to LinkedIn, however, this year I’ve gotten 1-2 e-mails a month about openings. All of these have been from the people actually HIRING, not a temp agency or HR or a recruiter. In each case, I’ve told them I wasn’t interested in changing jobs at this time, but gave them names of colleagues that have lost their jobs. Two of my former colleagues were hired – so I know these are legit e-mails I’m getting.

      • Gehasst says:

        This is why I won’t sign up on that site. I checked it out once with a friend’s account, and found far too much personal info floating out there for anyone who signs up. Spammers paradise is what I call it.

    • PunditGuy says:

      Many, many people use the same passwords on multiple sites. They may not want to update your resume, but they might be interested in ordering from your Amazon account.

    • Taed says:

      Harvesting email addresses and sending spam for profit, of course.

    • kc2idf says:

      Harvesting passwords that might be in use in other places as well.

    • CornwallBlank says:

      Oh no — it’s an EXCELLENT choice of websites to hack.

      First, everyone knows, or should know, that LinkedIn are absolutely prolific spammers. (If this is news to anyone reading this, use Teh Google, and pay particular attention to traffic on anti-spam mailing lists, newsgroups, and web forums. It’s so well-known that it’s hardly even discussed any more.) So hacking LinkedIn and then forging traffic from it (with links to malware, drive-by downloads, etc.) should work beautifully if executed reasonably well, since traffic will fit into pre-existing patterns.

      Second, as someone else mentioned, cross-site password use is epidemic. So any large site makes a good target: the username/password pairs will be usable in many, many other places.

      Third, access to LinkedIn user data is an absolute gold mine for spammers, phishers, blackmailers, con artists, and scammers of all descriptions. It’s such an embarrassment of riches that it’s hard to know where to even start. But the short, short version is that it easily provides enough information to enable selective targeting of individuals, whether that means exploiting their social connections, phishing them based on where they work, or enumerating employees in order to target a workplace. IF this breach has really happened, then by now, huge amounts of that have been extracted and are being packaged for resale on the open market — and there WILL be buyers.

      Fourth, what makes data gleaned from this so valuable isn’t just what it contains — but how it can be combined with other data from other sites. Check the “dataloss” web site for an ongoing list of such breaches, and then consider: if I have X million pieces of LinkedIn data and Y million pieces of some other site’s data and Z million of yet some other site’s, what can I learn if I combine them? As it turns out, the answer to this is very often “a lot” and that is really, really bad for everyone whose data is involved.

      Fifth, the nature of this report strongly indicates a problem with LinkedIn itself — that is, we’re not looking at individual account breaches. If that’s the case, then we must necessarily ask whether the attackers not only accessed and copied data, but whether they MODIFIED it. The opportunities for mischief there are incredible.

  3. Blueskylaw says:

    Perhaps LinkedIn can go through their user
    profiles and find a specialist in computer security.

  4. macnbc says:

    Uh, your CNet link doesn’t even link to anything remotely resembling CNet.

  5. BurtReynolds says:

    I guess this is a win for those of us who haven’t bothered to create an account.

  6. Sarek says:

    Your link has been hacked!

  7. DJ Charlie says:

    So this is why I’m getting 4-5 “Change your LinkedIn Password!” spams a day. And I don’t even have a LinkedIn account.

  8. BrownLeopard says:

    So wait. According to other sites (and part of this article) it’s the hashed passwords, not raw passwords. This is where websites need to use a SHA256 with salt (that isn’t reused) since a lookup/rainbow table won’t find them easily.

    • Craige says:

      I’m just going to leave this here:

      http://www.codinghorror.com/blog/2012/04/speed-hashing.html

      “Rainbow tables, despite their recent popularity as a subject of blog posts, have not aged gracefully. Implementations of password crackers can leverage the massive amount of parallelism available in GPUs, peaking at billions of candidate passwords a second. You can literally test all lowercase, alphabetic passwords which are ≤7 characters in less than 2 seconds. And you can now rent the hardware which makes this possible to the tune of less than $3/hour. For about $300/hour, you could crack around 500,000,000,000 candidate passwords a second.

      Given this massive shift in the economics of cryptographic attacks, it simply doesn’t make sense for anyone to waste terabytes of disk space in the hope that their victim didn’t use a salt. It’s a lot easier to just crack the passwords. Even a “good” hashing scheme of SHA256(salt + password) is still completely vulnerable to these cheap and effective attacks.”

      • BrownLeopard says:

        This is true with just about any algorithm used for securing passwords. However, using SHA256 (or preferably 512) with a non-repeating and random salt not stored in a database makes it much harder.

        That being said, when I code sites I use PHP’s Blowfish crypting. You’d think that a popular site like LinkedIn would use a much stronger hashing algorithm.
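The thread above argues over salted SHA-256 versus a slow scheme like bcrypt, and the quoted Coding Horror piece points out that a fast hash is cheap to guess against even when salted. The example below is added here to make that concrete; it is not code from any commenter, from LinkedIn, or from the linked blog. It uses Python's standard-library PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (an assumption, since bcrypt is not in the standard library); the iteration count, salt length, record format and sample passwords are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for illustration: tune it so
# one verification costs a few tens of milliseconds on the server's hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16  # per-user random salt, stored alongside the digest


def unsalted_sha1(password):
    """The weak scheme: one fast, unsalted SHA-1 digest per password.

    Two users with the same password get the same digest, so a single
    precomputed table or a single cracked guess covers all of them.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Create a storable record: algorithm$iterations$salt_hex$digest_hex.

    Each call draws a fresh random salt, so the same password stored twice
    yields two different records, and the iteration count makes each guess
    expensive for anyone who obtains the table.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest from the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never fall back to a weak check
    _, iterations, salt_hex, digest_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_same_record(password):
    """Return (unsalted_match, salted_match) for two users sharing a password."""
    return (unsalted_sha1(password) == unsalted_sha1(password),
            hash_password(password) == hash_password(password))


def slowdown_factor(password="constructed-sample", samples=20_000):
    """Rough ratio of per-guess cost: one PBKDF2 verification vs one plain SHA-1."""
    start = time.perf_counter()
    for _ in range(samples):
        unsalted_sha1(password)
    sha1_cost = (time.perf_counter() - start) / samples

    record = hash_password(password)
    start = time.perf_counter()
    verify_password(password, record)
    kdf_cost = time.perf_counter() - start
    return kdf_cost / sha1_cost


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("wrong", record))
    print("same password, same hash? unsalted/salted:", same_password_same_record("hunter2"))
    print("per-guess slowdown vs plain SHA-1: ~%.0fx" % slowdown_factor())
```

The two things the thread disputes show up directly: the per-user salt is what defeats a shared lookup table (two users with the same password get different records), while the iteration count is what answers the GPU-speed point, since it multiplies the cost of every single guess rather than just removing precomputation. A real deployment would use bcrypt, scrypt or Argon2 through a maintained library and store the work factor in the record so it can be raised later, as this record format allows.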

  9. kethryvis says:

    Uuuhh…. your linkback is wrong. i clicked on it and got WNYC’s “Singles Party.”

    i really don’t need to know what you’re doing in your spare time… please fix!

  10. coffeeplease says:

    Dear Mary Beth,

    As I am sure you are aware, the WNYC.com singles party at Galapagos is sold out for women but men’s tickets are still available. That said can you please correct the CNET link so to it goes to the CNET article rather than the WNYC singles party landing page?

    xoxoxoxox,

    CoffeePlease

  11. Scamazon says:

    Now get them to admit there was a breach of personal data/resume data as far back as 18 months. It was before they went public and they were keeping it quiet. I know several people that were impacted….

  12. crispyduck13 says:

    Hey maybe they can tell me what my password is, hell if I can remember it.

  13. Maltboy wanders aimlessly through the Uncanny Valley says:

    I blame Scott Walker.

  14. That guy. says:

    My Grandmother keeps getting emails saying that she has an invite (from a family member) pending for LinkedIn.

    No matter how many times we correct her, she keeps calling it Link-A-Dink.

  15. Lisa W says:

    It never hurts to reset your passwords on a regular basis just to be safe!

  16. Matthew PK says:

    Another reason to demand web services use OpenID

  17. aleck says:

    Thaaaaat’s why I’ve been getting requests to link from seemingly random people in the last few days.

  18. daemonaquila says:

    Wow. So not surprising from such a disgusting company. I am on LinkedIn (nominally) because you almost have to be for business, if nothing else to go look up other people’s profiles. But I absolutely hate their spam machine.

    I’m spreading the word now – thanks for publishing this.

  19. HogwartsProfessor says:
  20. eigenvector says:

    I just did a round of password changes that took an hour because I reused a username and password from another site that was hacked. Finally, most of my logins are unique.

    Two very relevant, informative comics for this situation
    xkcd.com/792/
    xkcd.com/936/

  21. Difdi says:

    “some of the passwords that were compromised correspond to LinkedIn accounts,”

    Wait a second. Are they saying that they managed to suffer a security breach of accounts at other unrelated companies?