6.5 million hashed LinkedIn passwords posted online

News by Dan Raywood

Around 300,000 LinkedIn user passwords may have been cracked after a hash containing 6.5 million passwords was posted online.

Around 300,000 LinkedIn user passwords may have been cracked after a hash containing 6.5 million passwords was posted online.

At present, the social network has said that its team "is currently looking into reports of stolen passwords". The passwords do not correlate to user accounts but users have been encouraged to change their passwords.

The Finnish computer emergency readiness team (CERT-FI) said that some of the 'seals' have been cleared, but it warned that cyber criminals may be in possession of the rest of those.

According to Mashable, the passwords are encrypted with the SHA-1 cryptographic hash function, but they are stored as unsalted hashes, making it much easier to decipher them using pre-computed rainbow tables.

LinkedIn offered another update, saying that it was continuing to investigate this issue but was "still unable to confirm that any security breach has occurred".

Rob Cotton, chief executive at NCC Group, said: “This is a timely reminder of the importance of good password practice. Duplication is a foolish habit; if a password is cracked through one site, it can then be cross-checked against others, and those whose LinkedIn password is the same as their bank account or business login details are putting themselves, and their companies, at serious risk.

“These leaked passwords are also apparently seven or eight months old – a clear message of the importance of changing a password regularly. These are simple online security lessons that have a big impact.”

Orlando Scott-Cowley, security expert at Mimecast, said: “While a data leak of this kind would be very worrying for individuals, a security issue with LinkedIn could also be very potentially damaging for businesses. With many users seeing the site as an extension of their business communications, rather than as a personal tool, employers need to be aware of the possible threat to corporate data that a LinkedIn breach could represent.”

In a later update, LinkedIn director Vicente Silveira confirmed that some of the passwords did correspond to LinkedIn accounts.

He said: “We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts: members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid; these members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.

“These affected members will receive a second email from our customer support team providing a bit more context on this situation and why they are being asked to change their passwords.

“It is worth noting that the affected members who update their passwords and members, whose passwords have not been compromised, benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.”

He concluded by "sincerely apologising for the inconvenience this has caused".


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews