LinkedIn: Hashed Passwords BreachedNearly 6.5 Million May Have Been Compromised
LinkedIn has confirmed that a breach of its network compromised hashed passwords associated with accounts. While LinkedIn has not yet confirmed how many passwords were affected, some reports estimate nearly 6.5 million could have been compromised.
See Also: Autonomous Response: Threat Report
In a blog LinkedIn posted and updated June 6, the social network, which has about 150 million users, says it is continuing to investigate the hack and is notifying affected LinkedIn members about the next steps they should take to ensure their accounts' security.
"Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," the blog reads. "For security reasons, you should never change your password on any website by following a link in an e-mail."
News of a possible data breach was made public during the late morning EDT of June 6, when reports from numerous sources suggested hackers had accessed nearly 6.5 million hashed LinkedIn passwords.
Reports posted on the The Verge website early in the day claimed a user had uploaded hashed passwords to a Russian online forum, but no usernames were disclosed.
Seth Hanford, incident manager for Cisco's Product Security Incident Response Team, says in a blog he posted June 6 that he obtained a copy of the hash list. He then produced an SHA-1 hash of his own LinkedIn password.
"I produced a SHA-1 hash that revealed how easy it was to confirm that my LinkedIn password hash was among those found in the list," Hanford says. "At no time did I reveal any passwords. I could, with time, but that's not what I was confirming."
Hanford says he also tested hashes of LinkedIn passwords posted on Twitter by other security pros and was able to confirm, through their claims, that their LinkedIn hashes were likely compromised as well.
"Given the nature of my own password (16 random characters comprised of A-Z, a-z, and 0-9) the likelihood that my SHA-1 hash of my password (that was unique to LinkedIn) would be present in a file that did not come (at least in part) from a source that had access to hashes of LinkedIn passwords is statistically impossible."
Graham Cluley, a senior technology consultant at Sophos, writes in his blog that Sophos researchers confirmed the leaked list does contain, at least in part, hashed LinkedIn passwords.
"A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the Internet, and hackers are working together to crack them," Cluley says. "Although the data which has been released so far does not include associated e-mail addresses, it is reasonable to assume that such information may be in the hands of the criminals."
Jim Van Dyke, founder and president of Javelin Strategy & Research, says concerns about the connection between fraud and LinkedIn were identified in 2011, while Javelin was collecting fraud data for its 2012 Identity Fraud Survey Report.
"We did find a higher correlation between users of particular social media sites and actual fraud victims," Van Dyke says. "LinkedIn users actually had one of the highest correlations to fraud."
Javelin determined that LinkedIn users are more likely to be victims of fraud than users who don't have LinkedIn accounts. "We are not saying that LinkedIn is causing fraud; rather, we are saying that there is an inarguable correlation in the data, which could be caused by several things," Van Dyke says.
Some of those reasons could stem from the fact that fraudsters use LinkedIn to gather personal information about business professionals so that they can more easily create false identities. Or, the correlation could be related to the fact that LinkedIn users have higher average incomes than non-LinkedIn users.
"We do know that people with more income are more likely to be fraud victims," Van Dyke says. "Either way, if you use LinkedIn, you need to take extra precautions."
E-mail Address Exposure: A Big Concern
Aite fraud and security analyst Julie McNelley says the impact of a potential breach of e-mail addresses affiliated with LinkedIn could be bigger than the April 1, 2011, hack that exposed e-mail addresses used by e-mail marketing firm Epsilon.
If business people's e-mail addresses, indeed, are breached, hackers "could do some very targeted phishing attacks with that information," McNelley says. "Those e-mail addresses, coupled with the information that they get from public LinkedIn profiles, gives them a lot of data - enough to wage corporate espionage."
McNelley also says LinkedIn's storing of e-mail addresses and passwords on systems that apparently were not well protected highlights big worries about the ways in which social-networking and e-commerce sites handle and view personal information.