LinkedIn Confirms Password Breach
Nearly 6.5 Million May Have Been Compromised
By Tracy Kitten, June 6, 2012.
LinkedIn has confirmed that a breach of its network compromised passwords associated with accounts. While LinkedIn has not yet confirmed how many passwords were affected, some reports estimate nearly 6.5 million could have been compromised.
In a blog post published and updated June 6, the social network, which has about 150 million users, says it is continuing to investigate the hack and is notifying affected LinkedIn members about the next steps they should take to secure their accounts.
"Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," the blog reads. "For security reasons, you should never change your password on any website by following a link in an e-mail."
News of a possible data breach was made public late on the morning of June 6 (EDT), when reports from numerous sources suggested hackers had accessed nearly 6.5 million LinkedIn passwords.
Norwegian IT security blogger Per Thorsheim, on his Twitter account, notes that many people confirmed their unique passwords had been leaked or stolen.
Reports posted on The Verge website early in the day claimed a user had uploaded hashed passwords to a Russian online forum, but no usernames were disclosed.
Seth Hanford, operations team lead for Cisco's IntelliShield, says in a blog he posted June 6 that he obtained a copy of the hash list. He then computed the SHA-1 hash of his own LinkedIn password and found it in the list, showing how easily anyone who obtains the file could crack the hashes.
Hanford says he also tested hashes posted by other security pros on Twitter and was able to reveal their passwords as well.
"Given the nature of my own password (16 random characters comprised of A-Z, a-z, and 0-9) the likelihood that my SHA-1 hash of my password (that was unique to LinkedIn) would be present in a file that did not come (at least in part) from a source that had access to hashes of LinkedIn passwords is statistically impossible."
Graham Cluley, a senior technology consultant at Sophos, writes in his blog that Sophos researchers confirmed the leaked list does contain, at least in part, LinkedIn passwords. "A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the Internet, and hackers are working together to crack them," Cluley says. "Although the data which has been released so far does not include associated e-mail addresses, it is reasonable to assume that such information may be in the hands of the criminals."
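As an added illustration (this is example code, not from the article or from any of the people quoted), the check Hanford describes against a constructed stand-in for a one-hex-digest-per-line SHA-1 leak file, followed by a hypothetical salted, iterated scheme (PBKDF2) to show why unsalted SHA-1 makes the whole file crackable with a single lookup table:

```python
import hashlib
import os
import secrets

# Constructed stand-in for a leaked file of unsalted SHA-1 hex digests, one per
# line, built here from made-up passwords so the example runs offline.
# This is NOT the real LinkedIn dump.
LEAK_TEXT = "\n".join(
    hashlib.sha1(p.encode()).hexdigest() for p in ("password123", "letmein", "qwerty2012")
) + "\nnot-a-hash\n"          # a junk line, to show the loader skipping it

def load_leak(text: str) -> set:
    """Parse one-hex-digest-per-line text into a set; ignore malformed lines."""
    hashes = set()
    for line in text.splitlines():
        h = line.strip().lower()
        if len(h) == 40 and all(c in "0123456789abcdef" for c in h):
            hashes.add(h)
    return hashes

LEAKED = load_leak(LEAK_TEXT)

def sha1_hex(password: str) -> str:
    # Unsalted SHA-1: the same password always gives the same digest, so one
    # precomputed table serves against every account in the file at once.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def in_leak(password: str, leaked: set = LEAKED) -> bool:
    """The check Hanford describes: hash your own password, test membership."""
    return sha1_hex(password) in leaked

def pbkdf2_record(password: str, salt: bytes = b"", rounds: int = 200_000) -> tuple:
    """Salted, iterated hash (hypothetical replacement scheme, not LinkedIn's).
    A fresh per-user salt means equal passwords no longer share a digest, and
    the iteration count makes each guess cost far more than one SHA-1."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt.hex(), dk.hex()

def verify_pbkdf2(password: str, salt_hex: str, dk_hex: str, rounds: int = 200_000) -> bool:
    _, dk = pbkdf2_record(password, bytes.fromhex(salt_hex), rounds)
    return secrets.compare_digest(dk, dk_hex)

if __name__ == "__main__":
    print("letmein leaked?", in_leak("letmein"))             # True
    print("random 16-char leaked?", in_leak("Xk9vQ2mL7pR4sT1w"))  # False
    _, d1 = pbkdf2_record("letmein")
    _, d2 = pbkdf2_record("letmein")
    print("same password, different salted digests:", d1 != d2)  # True
```

The iteration count is a cost parameter; raise it to the current recommended value in production rather than using the figure chosen here to keep the example fast.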
Concerns Identified
Jim Van Dyke, founder and president of Javelin Strategy & Research, says concerns about the connection between fraud and LinkedIn were identified in 2011, while Javelin was collecting fraud data for its 2012 Identity Fraud Survey Report.
"We did find a higher correlation between users of particular social media sites and actual fraud victims," Van Dyke says. "LinkedIn users actually had one of the highest correlations to fraud."
Javelin determined that LinkedIn users are more likely to be victims of fraud than users who don't have LinkedIn accounts. "We are not saying that LinkedIn is causing fraud; rather, we are saying that there is an inarguable correlation in the data, which could be caused by several things," Van Dyke says.
Some of those reasons could stem from the fact that fraudsters use LinkedIn to gather personal information about business professionals so that they can more easily create false identities. Or, the correlation could be related to the fact that LinkedIn users have higher average incomes than non-LinkedIn users.
"We do know that people with more income are more likely to be fraud victims," Van Dyke says. "Either way, if you use LinkedIn, you need to take extra precautions."