LinkedIn confirms that posted passwords are of its members


One of the largest social networks on the web has confirmed that passwords of its users have been stolen.

Someone on a Russian forum dumped what is believed to be 6,458,020 encrypted LinkedIn passwords online, according to a report by TheVerge.com.

After the company investigated the reports, Vicente Silveira, director of engineering at LinkedIn, revealed in a blog post that passwords were indeed compromised. It is unclear how the hackers swiped the data.

“We want to provide you with an update on this morning's reports of stolen passwords,” Silveira wrote. “We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.”

The company is posting updates on Twitter, and it released an additional blog post detailing general security recommendations that users should employ, including frequently changing one's password and ensuring it is difficult to guess.

Although the passwords leaked were encrypted, Todd Thiemann, senior director of product marketing at security firm Vormetric, said there are techniques and cracking technologies that miscreants can use to unscramble them relatively easily.

Belonging to more than 150 million members, ranging from top-level enterprise executives to recent college graduates, the LinkedIn passwords were camouflaged using the SHA-1 algorithm, a cryptographic hash function created by the National Security Agency.

Even though the passwords were cloaked, Thiemann said LinkedIn didn't take any additional steps to further secure them. Salting, appending a random string of characters to each password before it is hashed, is considered a security best practice and could have made it more difficult for attackers to decode them, he said.

“Salting adds additional security to what is out there, but they did not salt,” Thiemann told SCMagazine.com Wednesday.

Thiemann advised users to change their passwords so they consist of a combination of letters, numbers and symbols.

According to Silveira's blog post, LinkedIn has “recently put in place” tighter security measures for password protection that includes salting the current database.
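As an added illustration, not code from the article or from LinkedIn, the Python below shows what the unsalted SHA-1 scheme described above means in practice (two members who chose the same password end up with the identical stored hash, so one cracked hash unlocks every account that shares it), how a per-user random salt removes that property, and one way an existing store of unsalted hashes can be salted in place without knowing the plaintexts, by hashing the salt together with the old hash. The sample users, their passwords and that retrofit scheme are constructed assumptions for the example; the page does not say how LinkedIn salted its database.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample: three members, two of whom happen to share a password.
USERS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery",
}


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the scheme the article says was in use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt followed by the password."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def new_salt() -> bytes:
    """16 random bytes from the OS CSPRNG; one fresh salt per record."""
    return os.urandom(16)


def duplicate_hash_count(hashes) -> int:
    """Number of distinct stored hashes that are shared by more than one user.

    With no salt, equal passwords give equal hashes, so duplicates are visible
    to anyone holding the dump; with per-user salts the count drops to zero.
    """
    counts = Counter(hashes)
    return sum(1 for n in counts.values() if n > 1)


def wrap_legacy_hash(legacy_hex: str, salt: bytes) -> str:
    """Retrofit a salt onto an existing unsalted SHA-1 hash.

    Assumed scheme (not stated on the page): the plaintext is unavailable, so
    the old hash itself is re-hashed under the new salt. The legacy hash must
    then be discarded, since it is still a full unsalted digest of the password.
    """
    return hashlib.sha1(salt + legacy_hex.encode("ascii")).hexdigest()


def migrate_legacy_store(legacy: dict) -> dict:
    """Turn {user: unsalted_sha1_hex} into {user: {"salt": bytes, "hash": hex}}."""
    migrated = {}
    for user, old_hex in legacy.items():
        salt = new_salt()
        migrated[user] = {"salt": salt, "hash": wrap_legacy_hash(old_hex, salt)}
    return migrated


def verify_wrapped(password: str, salt: bytes, stored_hex: str) -> bool:
    """Check a login against a migrated record: recompute the legacy hash from
    the submitted password, wrap it with the stored salt, compare in constant time."""
    candidate = wrap_legacy_hash(unsalted_sha1(password), salt)
    return hmac.compare_digest(candidate, stored_hex)


if __name__ == "__main__":
    legacy_store = {u: unsalted_sha1(p) for u, p in USERS.items()}
    print("unsalted duplicates:", duplicate_hash_count(legacy_store.values()))

    store = migrate_legacy_store(legacy_store)
    print("salted duplicates:  ", duplicate_hash_count(r["hash"] for r in store.values()))
    print("alice login ok:     ", verify_wrapped("Summer2012!", **store["alice"]) if False
          else verify_wrapped("Summer2012!", store["alice"]["salt"], store["alice"]["hash"]))
```

Salting alone only stops the shared-hash and precomputed-table shortcuts; SHA-1 remains a fast function, so a dump of salted SHA-1 hashes still falls to per-hash guessing. Current practice stores passwords with a deliberately slow, salted function such as bcrypt, scrypt, Argon2 or PBKDF2, and a migration like the one sketched here is a stopgap until each member logs in and the plaintext can be re-hashed properly.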

The accounts of users whose passwords have been compromised will receive instructions from LinkedIn on how to reset them, according to the blog post.

This is the second security debacle that the business-networking website has faced this week. News of the stolen passwords follows a discovery by mobile researchers at Skycure Security that the company's iPhone/iPad app transferred information from one's iOS device back to LinkedIn servers in clear text.
