LinkedIn passwords stolen.
Passwords for LinkedIn and dating site eHarmony have been published on a Russian hacker’s website. The passwords are hashed rather than stored in readable form, but hackers are being invited to help decipher them. More than 6m LinkedIn passwords and about 1.5m eHarmony passwords have reportedly been published.
The company did not offer any information about how the passwords were stolen or the extent of the damage, but it said it is “continuing to investigate” the matter. It is not clear whether any accounts have actually been broken into, only that the passwords have been published – but it is clear not all passwords have been compromised. LinkedIn has said it will inform those account holders who do have passwords on the list, and that these people will currently be unable to log in to the site. Rather than wait for an email, it would be wise to check whether your password is on the list sooner rather than later. You can also check by typing it into this website.
The 6.5 million leaked passwords were posted Monday on a Russian online forum, obscured with SHA-1, a common cryptographic hash function. It’s a format that’s considered weak for storing passwords if added precautions aren’t taken. Roughly half of the “hashed” passwords have already been decoded and posted online in human-readable text.
Several security researchers tweeted Wednesday that they have found their passwords among those that were revealed. Web security firm Sophos said it matched many of its researchers’ own passwords that are used exclusively on LinkedIn.
Countless passwords on the list contain the word “linkedin.” On a popular hacker forum, many reported finding passwords such as “linkedout,” “recruiter,” “googlerecruiter,” “toprecruiter,” “superrecruiter,” “humanresources” and “hiring.”
There’s good news and bad news about this break-in.
The good news is that so far, no user names have been discovered in the list. It’s highly recommended that you change your password, but after that you should be okay. When setting your new password, choose one that is different from passwords for other websites you use. Neil Munroe, chair of the Identity Fraud Communications Awareness Group, says: “Many people will initially think it’s not a big concern because they don’t use LinkedIn for financial transactions. But the reality is that often they use the same username and password for many of their other online activities as they do for LinkedIn.”
The bad news is that LinkedIn was using an outdated form of cryptography to secure its users’ private information. The company should have known better than to guard its lists with just SHA-1, experts say.
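To make the "just SHA-1" criticism concrete, here is an added example (not code from LinkedIn or from the original article) that stores the same constructed accounts two ways: as bare SHA-1 digests, and with a per-user salt plus a slow key-derivation function. It assumes those two measures are the "added precautions" the article alludes to; the account names, the PBKDF2 choice and the iteration count are assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed accounts; the passwords are ones the article quotes from the leaked list.
ACCOUNTS = {"alice": "linkedout", "bob": "recruiter", "carol": "linkedout"}
ITERATIONS = 600_000  # assumed work factor for this example


def sha1_record(password):
    """Weak storage: bare SHA-1, so equal passwords always give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def kdf_record(password, salt=None):
    """Hardened storage: random per-user salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def kdf_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(kdf_record(password, salt)[1], digest)


def users_exposed_by_guess(sha1_table, guess):
    """A single SHA-1 computation is compared against every stored digest."""
    target = sha1_record(guess)
    return sorted(u for u, d in sha1_table.items() if d == target)


def repeated_values(table):
    """Number of stored values that appear for more than one account."""
    values = list(table.values())
    return len({v for v in values if values.count(v) > 1})


SHA1_TABLE = {u: sha1_record(p) for u, p in ACCOUNTS.items()}
KDF_TABLE = {u: kdf_record(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("one guess exposes:", users_exposed_by_guess(SHA1_TABLE, "linkedout"))
    print("repeated SHA-1 values:", repeated_values(SHA1_TABLE))
    print("repeated salted values:", repeated_values(KDF_TABLE))
    print("login still works:", kdf_verify("linkedout", KDF_TABLE["alice"]))
```

With bare SHA-1, every account sharing a password falls to the same single computation; with a salt and a slow KDF, each record has to be worked on separately and each attempt costs hundreds of thousands of hash rounds.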
