LinkedIn Password Breach Affects Millions

By Samuel Greengard

The security hits just keep on coming. On Wednesday, social media service LinkedIn confirmed reports that the service had been hacked and approximately 6.5 million user passwords had been stolen. "We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," wrote LinkedIn director Vicente Silveira in a blog post.

Yet, remarkably, LinkedIn did not post a banner or alert on the site to warn its users. Presumably, they had to find out about the breach via the news media, colleagues or other sources.

Members with accounts affected by the breach will find that their passwords no longer work. LinkedIn has invalidated these passwords, and the company will send out instructions, without a link, on how to reset the passwords, Silveira noted. Those affected will also receive a second e-mail from the company’s customer service department providing more information about the event, as well as about security best practices.

Aaron Higbee, CTO and co-founder of PhishMe, stated in a blog post on Wednesday that forcing those with compromised accounts to reset their passwords is the right approach. On the other hand, if LinkedIn had followed in the footsteps of Internet retailer Zappos and allowed users to log into accounts and reset passwords on their own, a full-fledged disaster could have ensued, he said.

Security firm ESET reports that the hack appears to have originated in Russia, and the passwords, posted on the Internet by the hacker as proof of the breach, appeared as SHA-1 hashes (Secure Hash Algorithm 1), the format LinkedIn used for its password database.

Particularly disturbing, notes Cameron Camp, security researcher at ESET, is the fact that "people put real professional information on the site. It’s not just what party they plan on attending." Moreover, LinkedIn "has the aggregate effect of garnering a form of peer review on what you post about yourself; mess with somebody’s professional profile and you’re messing with their life," he adds.

The security breakdown is also troubling on another level. "This breach is significant because it shows that having a strong password, though important, is irrelevant if enterprises don’t protect them properly," states Rob Rachwald, director of security strategy for Imperva. "Enterprises must be much more diligent about implementing a strong password architecture."

Rachwald recommends that LinkedIn users change their passwords immediately, particularly if the same password is used for other sites. He says it’s also critical to be on the lookout for spam and phishing attempts involving LinkedIn. In fact, ESET discovered that one such scam was already in circulation by Wednesday afternoon. The email, claiming to be from LinkedIn, asks recipients to click on a link to confirm their email address.

More importantly, enterprises must use better security methods to protect passwords. LinkedIn claims that it has "just recently" adopted more stringent security procedures, including hashing and salting its user database.

Rachwald says that salting, which "randomly adds characters to a password so that even if a password database is breached, the correct password can’t be accessed," is an IT best practice that cannot be overlooked. "Salting, on top of encryption, makes it very hard for a hacker to deduce your password," he says.
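What salting actually changes, as an added example that is not from the article, LinkedIn, ESET or Imperva: the script below stores a constructed set of accounts both ways, as plain SHA-1 hashes (the scheme described above) and with a per-user random salt plus PBKDF2-HMAC-SHA256 (an assumed replacement scheme), and shows that only the unsalted store reveals which users share a password or matches a precomputed table of common words.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (not real LinkedIn data); alice and bob chose the same password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "s3cret!"}
# Constructed short word list; stands in for a precomputed table of common-password hashes.
COMMON_WORDS = ["password", "linkedin2012", "123456"]
ITERATIONS = 100_000  # assumed work factor for illustration, not a tuned benchmark

def unsalted_sha1(password):
    """Plain SHA-1 of the password: the unsalted scheme the article says LinkedIn used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_hash(password, salt=None):
    """Per-user random salt plus iterated hashing (PBKDF2-HMAC-SHA256).
    Returns (salt_hex, hash_hex); both are stored, and the salt need not be secret."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex(), digest.hex()

def verify_salted(password, salt_hex, expected_hex):
    """Recompute with the stored salt and compare in constant time."""
    _, got = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(got, expected_hex)

def build_unsalted_store(users):
    return {user: unsalted_sha1(pw) for user, pw in users.items()}

def build_salted_store(users):
    return {user: salted_hash(pw) for user, pw in users.items()}

def shared_hash_groups(hashes):
    """Number of distinct hash values shared by more than one user.
    Unsalted storage exposes equal passwords directly; salted storage does not."""
    counts = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)

def weak_password_audit(unsalted_store, words):
    """Defender's audit of an unsalted store: one SHA-1 per word covers every user at once,
    which is exactly the economy a per-user salt removes."""
    table = {unsalted_sha1(w): w for w in words}
    return {user: table[h] for user, h in unsalted_store.items() if h in table}
```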

Concludes ESET’s Camp: "Users have entrusted LinkedIn with keeping droves of sensitive data and presumed that it was taking commensurate steps to protect it. This worries some who feel that if LinkedIn can get hacked, who can be safe?"