LinkedIn confirms stolen account passwords

- June 6th, 2012


If you haven’t changed your LinkedIn password recently, now you might just have to. Reports had surfaced earlier that a file containing 6.5 million encrypted passwords had been leaked and posted on a Russian hacker site, that the passwords might be from LinkedIn accounts, and that many of them had already been cracked. As it turns out, they were.

According to security and password expert Per Thorsheim, as first cited on a Norwegian website, there was evidence embedded in that data to suggest that the passwords in question may have come from LinkedIn accounts. Initially, LinkedIn did not report a breach as they had been in the process of investigating, but have since acknowledged that passwords have in fact been stolen.


Password Deactivated

In the meantime, if you are a LinkedIn account holder whose account was compromised, your password has been deactivated. Expect to receive an email with instructions on how to reset it. That email will not contain any links. After completing step 1, expect a second email from the company.

Now the probability of your account having been compromised is fairly small, guesstimated to be about 5% based on the roughly 150+ million LinkedIn users. Furthermore, LinkedIn email addresses are kept separate from passwords. Nonetheless, even if you haven’t been alerted, it would be a good idea to change your password, and perhaps the password on any other accounts that use the same one.


Leak Check

If you’re curious to see if your password was on the list, first change your password by signing on directly to your LinkedIn account, then check out a site, LeakedIn.org. The page was created by a group of developers and concerned users called Fictive Kin & Friends, one of whom was a victim, as a service to determine if you were one of the folks on the list.

It’s a single page site. All you have to do is type in your password. Or, if you are a little more technical, you can type in your SHA-1 hash, the hashed (“encrypted”) form of your password, then hit “Check”. (Disclaimer: Of course you are using the site at your own risk, thus changing your password before starting is a good idea.)

Earlier today, I tried it. As luck would have it, I was not one of the unfortunate. Hope you’re not one either.

In any case, it’s probably not a bad idea to change passwords frequently and avoid using the same one you use elsewhere, especially where personal or financial data is concerned.


Salt for added Security

It’s interesting to note that while the passwords were encrypted, Thorsheim indicated that they were in a format that was easy to decode, i.e., in this case, “unsalted”: each password had been hashed on its own, with no random value mixed in, so identical passwords produce identical hashes and precomputed tables of common passwords can be matched against the whole file at once.

As an added security precaution, LinkedIn has announced on their blog that they will be hashing and salting their current database, i.e., adding random bits (the salt) to each password before it is hashed, so that every stored hash is unique to its account and much more difficult to crack.
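The following is an added illustration, not code from the original post or from LinkedIn, of the difference Thorsheim describes. It assumes a few constructed sample users (two of whom chose the same password) and a constructed list of known weak passwords; it shows that a precomputed table of unsalted SHA-1 digests matches those users directly, while a per-user random salt makes the same table useless and gives the two identical passwords different hashes. SHA-1 appears here only because that is what the leaked file contained; a current deployment would use a slow password hash such as bcrypt or scrypt rather than any bare SHA-1 variant.

```python
import hashlib
import os

# Constructed sample data: two users who picked the same password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "correct-horse"}
# Constructed list standing in for a table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "linkedin2012", "letmein"]


def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 of the password, the scheme found in the leaked file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA-1 over salt || password, so the digest depends on a per-user random value."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_unsalted_store(users: dict) -> dict:
    """user -> hex digest, with no salt (the weak layout)."""
    return {u: sha1_unsalted(p) for u, p in users.items()}


def build_salted_store(users: dict, salt_len: int = 16) -> dict:
    """user -> (salt hex, hex digest); a fresh random salt per user."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        store[u] = (salt.hex(), sha1_salted(p, salt))
    return store


def verify_salted(store: dict, user: str, candidate: str) -> bool:
    """Recompute the salted digest with the stored salt and compare."""
    salt_hex, digest = store[user]
    return sha1_salted(candidate, bytes.fromhex(salt_hex)) == digest


def precomputed_table(passwords) -> dict:
    """digest -> password, computed once and reusable against any unsalted dump."""
    return {sha1_unsalted(p): p for p in passwords}


def count_table_hits(digests, table: dict) -> int:
    """How many stored digests the precomputed table resolves directly."""
    return sum(1 for d in digests if d in table)


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    unsalted = build_unsalted_store(USERS)
    salted = build_salted_store(USERS)
    print("unsalted hits:", count_table_hits(unsalted.values(), table))        # 2
    print("salted hits:", count_table_hits((d for _, d in salted.values()), table))  # 0
    print("alice == bob unsalted:", unsalted["alice"] == unsalted["bob"])       # True
    print("alice == bob salted:", salted["alice"][1] == salted["bob"][1])       # False
```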


Greg Gazin is the Real Canadian Gadget Guy.

Follow me on Twitter @gadgetgreg or Empire Avenue (e)GADGET1.


1 comment

  1. michellegilstrap | June 6, 2012 at 8:11 pm

    I saw this earlier, thank you for sharing.
