Millions of LinkedIn passwords have been stolen

If you have a LinkedIn account, you may want to change your password ASAP. ZDNet.com reports that over 6.4 million passwords from the business-themed social networking service have reportedly been stolen by an unnamed person or persons and posted on a Russian-language forum.

According to the story, the passwords posted on the message boards were hashed. However, it also claims that over 300,000 of the weaker passwords have already been hacked. Other hackers have been brought in to try to discover the remaining passwords.

The Finnish security firm CERT-FI also claims that this password dump could include a list of LinkedIn user e-mails, although it appears these are still encrypted.

LinkedIn's Twitter page has been updated this morning with the message, "Our team is currently looking into reports of stolen passwords. Stay tuned for more." The stock price for LinkedIn, which went public in 2011, has gone down today after these new reports came to light.

The ZDNet.com report points out that LinkedIn has a total of over 150 million users worldwide. So even if over 6 million passwords have been stolen from the company's servers, it would still affect less than 10 percent of its members.

Source: ZDNet


39 Comments


This is why when I do authentication methods for my sites that I use a system that hashes (with salts) usernames and passwords 15 times before encrypting said hashes with AES. In the event of a DB breach all you'd get is a users table full of 256 byte strings.

Now that may be a bit overkill, but it surely would have prevented something like this from being a big deal.

Linkedin is just another one of those absolutely stupid sites that should be against the law just like Facebook, Twitter, and MySpace type sites!!

shinji257 said,
Good thing I didn't have an account at that site. I know there are a few others that did though.

So what if you did have an account with them? I would hope you are using different passwords across the web and not the same one. In this case they would have hopefully gotten the password just for LinkedIn, and that password would not have worked on any of your other accounts.

warwagon said,

So what if you did have an account with them? I would hope you are using different passwords across the web and not the same one. In this case they would have hopefully gotten the password just for LinkedIn, and that password would not have worked on any of your other accounts.

I guarantee you that 99% of users re-use passwords. It cannot be any different. I personally tried using KeePass. I had to maintain 40-50 passwords and go to KeePass every time I wanted to log in at a forum. It's such a hassle that I gave up.

What is reasonable, and what I do now, is that I have a few unique passwords for critical sites (e.g. e-mail, banking, etc.) and then I re-use passwords when I deal with sites where I don't care whether I get hacked or not (such as Neowin :-).

Breach said,

I guarantee you that 99% of users re-use passwords. It cannot be any different. I personally tried using KeePass. I had to maintain 40-50 passwords and go to KeePass every time I wanted to log in at a forum. It's such a hassle that I gave up.

What is reasonable, and what I do now, is that I have a few unique passwords for critical sites (e.g. e-mail, banking, etc.) and then I re-use passwords when I deal with sites where I don't care whether I get hacked or not (such as Neowin :-).

That re-used password can be made much more secure: just append the domain name of the site you're trying to log in to, with the vowels removed.
For example, if you normally use "Jellylegs" for your Neowin password, simply use "Jellylegsnwnnt". You'd then use "Jellylegsfcbkcm" for Facebook, "Jellylegssnwscm" for OSNews, etc. All different, yet the same to you. Feel free to mix and match the way you make them unique.

UPDATE:

We want to provide you with an update on this morning's reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:

Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.

These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.

These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.

We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously. If you haven't read it already, it is worth checking out my earlier blog post today about updating your password and other account security best practices.

http://blog.linkedin.com/2012/...mber-passwords-compromised/

-Alex- said,
enhanced security we just recently put in place, which includes hashing and salting of our current password databases.

Industry best practices and common sense = "enhanced security"?

billyea said,

Industry best practices and common sense = "enhanced security"?

As "enhanced" is a relative term, yes

Breach said,
How about a statement that they had identified the attack vector and plugged the hole?

I'm sure they're moving their database servers out of the DMZ as we type

Breach said,
How about a statement that they had identified the attack vector and plugged the hole?

but that would mean actually doing something smart

Mike Frett said,
And you people still trust the 'Cloud'? lol.

The cloud is fine as long as you aren't an idiot and use the same password for every website, thus having a single point of failure!

I was wondering what was up when I checked my mail yesterday and received 1 password reset e-mail and 3 requests from random people to join their network.

Just checked what my password was. It looked something like adf;lkj3r98uwer. Still going to change it. But at least it's different from all my others.

Close to leaving that site since I've had to block their domain from spamming me after I've turned off all email settings on their site. I think this will be the final nail in the coffin for me with them...

Teebor said,
<le sigh> and I just got finished memorizing my new passwords from the last round of this happening

last pass...one pass and you're good.

Why are so many companies, small and large, storing passwords in such an insecure manner? I am a web developer full-time, and when I started all passwords were stored PT; now usernames are stored separately from passwords and have no DB relationships, so you need to know and understand our internal structure to match them, and passwords are behind SHA-512 and salted. I have been making the push to SHA and salt our usernames and add SHA'd and salted junk data just for added security.

kkick said,
Why are so many companies, small and large, storing passwords in such an insecure manner? I am a web developer full-time, and when I started all passwords were stored PT; now usernames are stored separately from passwords and have no DB relationships, so you need to know and understand our internal structure to match them, and passwords are behind SHA-512 and salted. I have been making the push to SHA and salt our usernames and add SHA'd and salted junk data just for added security.

Doesn't matter whether you use SHA-512 or MD4 - they are brute forcing with a dictionary - if they manage to crack 15% of the user base that uses password123 it's good enough for them.

Breach said,

Doesn't matter whether you use SHA-512 or MD4 - they are brute forcing with a dictionary - if they manage to crack 15% of the user base that uses password123 it's good enough for them.

That's why he said SHA-512 and salted...

Breakthrough said,

That's why he said SHA-512 and salted...

My bad. Then again, seriously, unsalted hashes for passwords? Seriously? This also means they have the same hash collisions.

" So even if over 6 million passwords have been stolen from the company's servers, it would still affect less than 10 percent of its members."

Oh, that's all right then. Less than 10%? No need to worry about it.

mrbester said,
" So even if over 6 million passwords have been stolen from the company's servers, it would still affect less than 10 percent of its members."

Oh, that's all right then. Less than 10%? No need to worry about it.

It may affect less than 10%, but just how many of those 6 million use the same password for everything else?

MrXXIV said,
I think most companies worry about the Front-End a lot more than they should.

Actually, you can never worry about your front end too much. But worrying about your back end too little is the problem. Their front end isn't anything spectacular anyway. You would expect a more secure platform in the back.

Obry said,

Actually, you can never worry about your front end too much. But worrying about your back end too little is the problem. Their front end isn't anything spectacular anyway. You would expect a more secure platform in the back.

Worrying about the back end requires real money be shelled out for proper IT. Guess who made the decision not to spend what was necessary? Not the IT people I assure you. 8)

Rudy said,
Now the question is if their passwords are salted (maybe a bit of pepper too?)

No, they're not. From other sources, it seems that they're unsalted SHA-1 hashes.

keyboardP said,

No, they're not. From other sources, it seems that they're unsalted SHA-1 hashes.

Words cannot express my disappointment with an essential security practice here. I don't know if I'm more pi$$ed that I have to change all my passwords because of LinkedIn (I usually change them periodically, but still), or that they didn't take the extra 5-10 minutes to add in a salting feature to their password storage/verification routines.

Unless they were concerned about the overhead (derp). Can't worry about security when we have users that want PERFORMANCE!!!

Breakthrough said,

Words cannot express my disappointment with an essential security practice here. I don't know if I'm more pi$$ed that I have to change all my passwords because of LinkedIn (I usually change them periodically, but still), or that they didn't take the extra 5-10 minutes to add in a salting feature to their password storage/verification routines.

Unless they were concerned about the overhead (derp). Can't worry about security when we have users that want PERFORMANCE!!!

oooh shame on you, using the same password are we between sites?

Breakthrough said,

Words cannot express my disappointment with an essential security practice here. I don't know if I'm more pi$$ed that I have to change all my passwords because of LinkedIn (I usually change them periodically, but still), or that they didn't take the extra 5-10 minutes to add in a salting feature to their password storage/verification routines.

Unless they were concerned about the overhead (derp). Can't worry about security when we have users that want PERFORMANCE!!!

It seems like they've decided that the performance hit isn't too big a deal since they've now salted their database. Shame it was a reactive measure rather than proactive.

butilikethecookie said,
What's up with all these companies being hacked lately? They need to fire their IT department and hire me!

It is more like "what's up with the lazy programmers that they hired to store passwords without salt..."

Setting up SHA-1 with salt is relatively easy. And switching from SHA-1 to SHA-256 is truly a piece of cake.
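An added example, not from the article, LinkedIn, or any commenter, that puts the thread's salting argument into code: three constructed accounts (two sharing a password) stored as bare SHA-1 and as per-user salted SHA-1, a constant-time verifier, and a PBKDF2 variant, because a salt only stops one cracked digest from unlocking every account that shares it and does nothing to slow guessing against a single account. Function names and the sample data are my own.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample accounts for the demonstration, not real credentials;
# alice and bob share a password, which is exactly what a hash dump exposes.
SAMPLE_USERS = {"alice": "password123", "bob": "password123", "carol": "correct horse"}

def unsalted_sha1(password: str) -> str:
    """The storage the thread criticises: a bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_sha1(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt mixed in before hashing; the salt is stored
    beside the digest so that verification can recompute it."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def verify_salted(password: str, salt: bytes, stored_digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_sha1(password, salt)[1], stored_digest)

def shared_digest_users(digests: Dict[str, str]) -> int:
    """Users whose stored digest also belongs to another user. Unsalted
    storage exposes every reused password this way; salting hides it."""
    seen: Dict[str, int] = {}
    for d in digests.values():
        seen[d] = seen.get(d, 0) + 1
    return sum(n for n in seen.values() if n > 1)

def compare_storage(users: Dict[str, str]) -> Tuple[int, int]:
    """(shared digests with unsalted SHA-1, shared digests with salted SHA-1)."""
    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    salted = {u: salted_sha1(p)[1] for u, p in users.items()}
    return shared_digest_users(unsalted), shared_digest_users(salted)

def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  rounds: int = 200_000) -> Tuple[bytes, str]:
    """A salt does not slow guessing against a single account; an iterated
    KDF such as PBKDF2 does, so prefer this over salted SHA-1 in new code."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, key.hex()
```

Running `compare_storage(SAMPLE_USERS)` gives `(2, 0)`: the two users sharing "password123" are visible as a pair under unsalted storage and indistinguishable from anyone else once each has a random salt.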

TRC said,
Just another reason to avoid this "cloud computing" nonsense.

Unnamed bystander: "What's up with all these new fangled automobile crashes?"
TRC: "Just another reason to stick with the horse and buggy."

Sheesh.