One of the largest social networks on the web has confirmed that passwords of its users have been stolen.
Someone on a Russian forum dumped what is believed to be 6,458,020 encrypted LinkedIn passwords online, according to a report by TheVerge.com.
After the company investigated the reports, Vicente Silveira, director of engineering at LinkedIn, revealed in a blog post that passwords were indeed compromised. It is unclear how the hackers swiped the data.
“We want to provide you with an update on this morning’s reports of stolen passwords,” Silveira wrote. “We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.”
The company is posting updates on Twitter, and it released an additional blog post detailing general security recommendations that users should employ, including frequently changing one’s password and ensuring it is difficult to guess.
Although the passwords leaked were encrypted, Todd Thiemann, senior director of product marketing at security firm Vormetric, said there are techniques and cracking technologies that miscreants can use to unscramble them relatively easily.
Belonging to more than 150 million members, ranging from top-level enterprise executives to recent college graduates, the LinkedIn passwords were camouflaged using the SHA-1 algorithm, a cryptographic hash function created by the National Security Agency.
Even though the passwords were cloaked, Thiemann said LinkedIn didn’t take any additional steps to further secure them. Salting, randomly appending the string of characters in each password, is considered a security best practice and could have made it more difficult for attackers to decode them, he said.
“Salting adds additional security to what is out there, but they did not salt,” Thiemann told SCMagazine.com Wednesday.
Thiemann advised users to change their passwords so they consist of a combination of letters, numbers and symbols.
According to Silveira’s blog post, LinkedIn has “recently put in place” tighter security measures for password protection that includes salting the current database.
The accounts of users whose passwords have been comprised will receive instructions from LinkedIn on how to reset them, according to the blog post.
This is the second security debacle that the business-networking website has faced this week. News of the stolen passwords follows a discovery by mobile researchers at Skycure Security that the company’s iPhone/iPad app transferred information from one’s iOS device back to LinkedIn servers in clear text.