Thursday, June 07, 2012

LinkedIn Password Breach: What You Need To Know

LinkedIn has confirmed that hackers have gained access to some of the social network's passwords. While all of these passwords were stored as SHA-1 hashes, hackers have been able to crack those hashes and have now been posting the exact passwords and logins of some of the 6 million or so users that were affected.

"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," LinkedIn director Vicente Silveira wrote in a blog post. "We are continuing to investigate this situation."

By now affected members should have received an email with instructions on how to reset their passwords, as their current passwords will not work. They will also receive an email with more information on what happened. The catch is that we are now seeing an influx of spam and other malicious emails trying to trick seemingly unaffected users into clicking malicious links so that phishers can steal their passwords. So users need to be vigilant: those official-looking LinkedIn emails may not be the real thing.

You should go directly to the LinkedIn home page to change any login information and verify that the page is secure with an HTTPS URL. Do not BLINDLY click links in any emails you receive!
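The advice above (check for HTTPS and make sure the link really goes to LinkedIn) can be turned into a simple check that catches the common tricks phishers use in reset emails: HTTP instead of HTTPS, a lookalike host such as `www.linkedin.com.something.example`, or a `linkedin.com@` prefix that is really just a username part of the URL. This is an added example written for this post, not code from LinkedIn or LastPass; the trusted host list and the sample email body are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Hosts we treat as the genuine site (assumption for this example; adjust to
# the exact domains a service actually uses for logins and password resets).
TRUSTED_HOSTS = {"linkedin.com", "www.linkedin.com"}
TRUSTED_SUFFIX = ".linkedin.com"

# Crude URL finder for plain-text email bodies; stops at whitespace and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_trusted_link(url: str) -> bool:
    """Return True only if url uses HTTPS and its host is the trusted site.

    urlsplit().hostname discards any user:pass@ prefix and the port and
    lowercases the host, so "https://linkedin.com@evil.example/" resolves
    to host "evil.example" and is rejected.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname
    if not host or not host.isascii():  # reject empty and IDN lookalike hosts
        return False
    if host in TRUSTED_HOSTS:
        return True
    # Only true subdomains match; "www.linkedin.com.evil.example" does not
    # end with ".linkedin.com" and so is rejected.
    return host.endswith(TRUSTED_SUFFIX)


def check_email_links(body: str) -> list:
    """Return [(url, trusted?)] for every link found in an email body."""
    return [(url, is_trusted_link(url)) for url in URL_RE.findall(body)]


# Constructed sample of the kind of reset email the post warns about.
SAMPLE_EMAIL = """Your LinkedIn password must be reset.
Confirm here: https://www.linkedin.com.account-verify.example/confirm
Or here: https://linkedin.com@account-verify.example/confirm
Settings: https://www.linkedin.com/settings/
"""

if __name__ == "__main__":
    for url, ok in check_email_links(SAMPLE_EMAIL):
        print("TRUSTED  " if ok else "SUSPECT  ", url)
```

Of the three links in the constructed email only the last one passes; the first two are the "confirm your email" style links described later in this post. The check does not follow redirects or resolve the host, so a trusted-looking link that later bounces elsewhere still needs the same caution: type the address yourself.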

Was my LinkedIn account breached?

The company did not confirm how many passwords were involved, though it reportedly affected about 6 million (some reports suggest 8 million passwords could have been compromised) of LinkedIn's 161 million users. In previous reports it was said that a user on a Russian forum uploaded as many as 6,458,020 hashed LinkedIn passwords and that those passwords have since been deciphered. LinkedIn has not yet confirmed that usernames and/or emails were part of the breach, but it is safe to assume that there is a very good likelihood that they were. So whether you received an email from LinkedIn or not, you should change your password just in case.

Password management firm LastPass created a password checker tool for LinkedIn, and one for eHarmony. LastPass will run your password against the database of leaked password hashes and see if it can find a match. It will alert you even if your password has not yet been cracked. If it shows your password as being on the list then you'll need to take the steps to change your LinkedIn password, but even if it doesn't I strongly suggest you do so no matter what.

What has been leaked?

As of right now LinkedIn is not confirming any other details of the breach, so it isn't certain whether user information, emails or anything else was leaked. The database that was breached likely only contained usernames and passwords, making it unlikely that the hackers obtained any personal information about the affected LinkedIn users. Honestly though, until LinkedIn completes its investigation into the breach we just don't know.

LinkedIn Spam and Phishing

The New York Times is reporting that criminals are already using the lifted LinkedIn accounts to send emails to others. The emails ask people to click on a link to "confirm" their email address, when in fact the links take users to scam websites. LinkedIn denied these claims and said it had not received "verified reports of unauthorized access" to its users' accounts. So far there is no confirmed connection to the data breach, since these emails resemble ongoing phishing scams that predate it.

"Because similar e-mails have been circulating for some time, it is hard to say if this is an example of a coordinated scam designed to leverage the security breach made public [Wednesday], or simply a coincidence (like getting a phishing e-mail asking you to reset your Bank of America online banking password two days after you opened an account there)," Cameron Camp, a security researcher at Eset, wrote in a company blog.

Aware that clicking on links in e-mails is a bad security practice, LinkedIn is using a two-step process. Users affected by the breach first receive an e-mail without any links in it. It informs the member that they must reset their password and provides them with steps for doing so. After completing those steps and requesting password assistance, the member will receive a second e-mail with a password reset link.

"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," LinkedIn’s director, Vicente Silveira, wrote in a company blog.
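The "hashing and salting" mentioned in that statement is the difference between a password database that can be cracked in bulk and one that cannot. With an unsalted hash, every user who chose the same password gets the same hash, so one precomputed lookup table matches all of them at once; with a random per-user salt and a deliberately slow hash, each record has to be attacked separately. The following is an added example written for this post, not LinkedIn's code; the post does not say which algorithm LinkedIn adopted, so PBKDF2-HMAC-SHA256 here is an assumption chosen because it ships in Python's standard library, and the user list is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def sha1_unsalted(password: str) -> str:
    """The weak scheme: bare SHA-1 of the password, identical for identical inputs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None,
                       iterations: int = 200_000) -> str:
    """Store algorithm, iteration count, random salt and the slow hash together.

    The salt is not secret; it only needs to be unique so precomputed tables
    are useless and each record must be attacked on its own.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample: two users happen to share a password.
USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "hunter2"}


def build_tables():
    """Return (unsalted, salted) dicts of user -> stored value for USERS."""
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: make_salted_record(p) for u, p in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("alice == bob (unsalted SHA-1):", unsalted["alice"] == unsalted["bob"])
    print("alice == bob (salted PBKDF2): ", salted["alice"] == salted["bob"])
    print("verify alice:", verify("linkedin", salted["alice"]))
```

In the unsalted table alice and bob share one hash, which is exactly why a single leaked dump could be cracked against a dictionary in bulk; in the salted table their records differ, and the iteration count makes each guess cost real CPU time. The iteration count is stored in the record so it can be raised for new passwords without breaking old ones.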

More than just LinkedIn has been affected!

Popular dating website eHarmony and the British-based music site have also confirmed data breaches, stating that some of their user accounts were also compromised, and urged members to change their passwords. It's currently unclear how the breaches are related and few details have been offered about the attack itself, with the companies saying they are continuing to investigate the situation. Users can switch their passwords by logging in and accessing the "Settings" page, or by reporting their password as lost. The site's announcement re-emphasized that these are the only means for password changes: "We will never e-mail you a direct link to update your settings or ask for your password."
