LinkedIn investigates leak of 6m passwords
By Nicole Kobie
Posted on 6 Jun 2012 at 16:38
LinkedIn is investigating reports that more than six million passwords have been leaked online.
"Our team continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred," said the social network in a statement. LinkedIn has 161m users worldwide.
Update: LinkedIn has since confirmed "that some of the passwords that were compromised correspond to LinkedIn accounts", and said all passwords for affected accounts have been changed. Any affected users will receive an email from the company with details on how to reset their password.
Security firm Sophos said its own research suggests real passwords are contained in the leaked collection. However, the passwords are protected by hashing, which will make them tougher to crack - unless the password used was a common dictionary word. Other login details, such as email addresses, haven't been leaked.
"A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them," said Graham Cluley, security consultant at Sophos.
"Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals," he added.
As usual, the advice to LinkedIn users is to change their password. To do this, click the drop-down menu under your name in the top right corner of the site, select Settings and then Account.
"It's important for LinkedIn users to change their password, especially if they use this password to access other sensitive online sites such as banks," said Andy Dancer, CTO of Trend Micro.
He advised against using the same passwords across multiple sites, but admitted that "given the amount of websites people access every day it is becoming increasingly difficult to memorise unique passwords for each site".
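Why the unsalted SHA-1 storage described above matters, as an added example that is not from the article, Sophos or LinkedIn: without a salt, one pass over a wordlist matches every account that used a listed word, and identical passwords produce identical hashes. The account names, wordlist, and the PBKDF2-HMAC-SHA512 parameters used for the salted alternative are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: three hypothetical accounts, two sharing a password.
ACCOUNTS = {"alice": "linkedin", "bob": "linkedin", "carol": "T7#qv!x2Lm_pZ"}
DICTIONARY = ["password", "123456", "linkedin", "letmein"]  # constructed wordlist


def sha1_unsalted(password: str) -> str:
    """Storage scheme reported in the leak: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def audit_unsalted(stored: dict, wordlist: list) -> dict:
    """Hash each dictionary word once, then match it against every account."""
    lookup = {sha1_unsalted(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def hash_salted(password: str, iterations: int = 200_000) -> tuple:
    """Per-user random salt plus a deliberately slow KDF (assumed parameters)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    unsalted = {u: sha1_unsalted(p) for u, p in ACCOUNTS.items()}
    salted = {u: hash_salted(p) for u, p in ACCOUNTS.items()}
    return {
        "same_hash_unsalted": unsalted["alice"] == unsalted["bob"],
        "recovered": audit_unsalted(unsalted, DICTIONARY),
        "same_hash_salted": salted["alice"][2] == salted["bob"][2],
        "verify_ok": verify_salted("linkedin", salted["alice"]),
        "verify_bad": verify_salted("password", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

With salted records, a wordlist has to be re-hashed for each account at the full iteration cost, so the single shared lookup table built in `audit_unsalted` no longer applies.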
Hashed values were not salted
You missed the most unforgivable point about the breach - that none of the passwords were salted individually. This really isn't hard to do but now a huge number of the hashed values have been cracked in one go as opposed to a massive amount of time per password. SHA-1 as opposed to SHA-512 is almost as unforgivable.
By username on 6 Jun 2012
What a bunch of muppets. If they can't keep my data safe, then they don't deserve me as a user.
And, if any of my data gets breached, I shall be suing them.
May be easier to delete your account rather than change the password.
By Steve_Adey on 6 Jun 2012
The advice is to change your password....
However they still haven't found the breach so what's to stop them re-obtaining the new ones!!!
By wes_cov on 7 Jun 2012
"Any affected users will receive an email from the company with details on how to reset their password."
- Ohh no! Spammers across the world quickly send out millions of spam emails linked to viruses
By rhythm on 7 Jun 2012