The breach highlights the increasingly critical need for users to not share passwords among websites and to attempt to create unique, non-intutitive passwords when setting up accounts.
At first, LinkedIn could not confirm or deny the breach, but has issued a statement via Twitter claiming it is looking into it.
UPDATE: LinkedIn has confirmed the breach, and users with affected passwords have had their login reset, more details can be found here.
What is allegedly an untranslated list of hashed passwords for LinkedIn accounts is still available online for public download on the Russian site Yandex, and possibly other sites. It does not directly reveal passwords to the compromised user accounts, rather it provides other crackers raw encrypted passwords for translation using rainbow tables and various other “hash” translation tools.
While virtually all professional public websites use some version of unique password encryption called “hashing” to protect user passwords, the common length encrypted letter/number object database technology has become increasingly compromised by the use of rainbow tables in recent years, which store common passwords in hash format for quick pattern matching via simple web interfaces or server-to-server scripts.
Normally, this sort of list indicates a criminal action rather than an activist effort because direct access to the matched user names remains limited to the original crackers. However, because LinkedIn account policy strictly uses an e-mail address as part of the sign in credentials – this breach becomes much more serious.
A motivated hacker can use a hash list to “brute force” accounts on LinkedIn and elsewhere where a password and e-mail is shared between LinkedIn and other accounts, like for example, Facebook or Twitter. Moreover, crackers would also have direct access to any site that allows users to sign in using their LinkedIn account.
The breach was first reported by Norweigan IT site dagensit.no and confirmed on twitter by Per Thorsheim, noted European Security expert.
Appearently, the crackers posted a request for assistance with the hashed list of passwords to a Russian cracker site two days ago and dagensit.no is reporting that over 236,578 passwords had been translated by this morning.
As a result, Finnish Security site Cert-FI has confirmed the breach and recommends that users change their passwords on LinkedIn and any other account which shares the e-mail address and password combination.
WHAT TO DO:
Changing your LinkedIn password is pretty simple and doesn't require an immediate confirmation. Here’s how:
- Login to http://LinkedIn.ca
- Hover your mouse over your name on the upper right hand corner of the site page
- Click on link 'settings' from the drop down menu
- Click on 'Account' link on the lower left and corner of the resulting page
- Finally – click on 'change password' under Email and Password menu ..
- Enter your old password and then your new password where indicated.
Make note of your new password and then repeat the process on any site where you have used the same password and e-mail combination. There is no need to change your e-mail address at this time.
Following a 20 year career pioneering digital publications, B2C/B2G/B2B e-commerce and high security mobile solutions both in Canada and abroad – Jon Blanchard spent the last 6 years as Webmaster with the Halifax Herald family of companies.