The Verge broke news this morning that a Russian hacker has
downloaded login credentials for almost 6.5 million LinkedIn accounts. To prove
his claim, the hacker posted a list of the 6,458,020 hashed passwords on a
Russian forum site. While there is currently
no confirmation that usernames have also been stolen, security experts are
saying it’s very likely. At this point, it’s been reported that about 200,000
of the hashed passwords have been cracked.
Update: LinkedIn has confirmed the theft of user data and has automatically changed the passwords associated with the leaked accounts. The LinkedIn blog provides further details.
Furthermore, users have reported via Twitter that they’ve
found their own password on the list, making it all the more likely that the
list is real.
We spoke with Mikko Hypponen, Chief Research Officer at F-Secure, who thinks this is “a real collection.” He told us he is “guessing it’s some sort of exploit on their web interface, but there’s no way to know. I am sure LinkedIn will fill us in sooner or later.” [The Verge]
Since we simply cannot confirm the legitimacy of the list,
we’re recommending that users change their LinkedIn passwords immediately.
The passwords on the list were stored as unsalted SHA-1 hashes, not the
passwords themselves. SHA-1 is a hash function that turns a password into a
fixed-length string of letters and digits: “SumRando” fed through SHA-1 becomes
“ebc26281d960110b8111d3a78889b05fc50e0a8b”. Unfortunately, without salting
(mixing a random per-user value into the password before it is hashed), it is
quite easy to recover the original passwords from the hashes, because an
attacker can hash common password guesses once and compare them against every
entry in the list.
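The following Python example is added here to illustrate the point above; it is not code from the original post or from LinkedIn. It uses a small constructed wordlist standing in for a cracking dictionary, shows why one precomputed table recovers any unsalted SHA-1 hash in the list, shows that a per-user salt defeats that shared table, and ends with the storage scheme a defender should use instead (a salted, slow key-derivation function, here PBKDF2 from the standard library). All function names and the wordlist are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for an attacker's dictionary (not from the page).
WORDLIST: List[str] = ["123456", "password", "linkedin", "letmein", "SumRando", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # assumption: tune upward for production hardware


def sha1_hex(data: bytes) -> str:
    """Unsalted SHA-1 digest as 40 hex characters, the format of the leaked list."""
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """Hash every guess once. Against unsalted hashes this table is reusable
    for all 6.5 million entries: cracking cost is one dictionary lookup each."""
    return {sha1_hex(w.encode()): w for w in words}


def crack_with_table(leaked_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a password by direct lookup; None means 'not in the dictionary'."""
    return table.get(leaked_hash)


def sha1_with_salt(password: str, salt: bytes) -> str:
    """Salted SHA-1: the salt is mixed in before hashing, so the same password
    yields a different hash for every user and the shared table never matches."""
    return sha1_hex(salt + password.encode())


def crack_salted_by_search(leaked_hash: str, salt: bytes, words: List[str]) -> Optional[str]:
    """With a salt the attacker must redo the whole dictionary per user;
    the work no longer amortises across the list."""
    for w in words:
        if sha1_with_salt(w, salt) == leaked_hash:
            return w
    return None


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Defender's side: random 16-byte salt plus a deliberately slow KDF.
    Returns (salt, derived_key); both are stored, the password is not."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, stored_dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_dk)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = sha1_hex(b"linkedin")          # one constructed unsalted entry
    print("unsalted lookup:", crack_with_table(leaked, table))
    salt = os.urandom(8)
    salted = sha1_with_salt("linkedin", salt)
    print("salted vs shared table:", crack_with_table(salted, table))
    print("salted, per-user search:", crack_salted_by_search(salted, salt, WORDLIST))
    rec = store_password("linkedin")
    print("PBKDF2 verify correct/wrong:", verify_password("linkedin", rec),
          verify_password("linkedin1", rec))
```

The unsalted case succeeds with a single dictionary lookup per leaked hash, which is why a table built once can be run across millions of entries; the salted case forces the attacker to repeat the search for every user, and PBKDF2 (or bcrypt, scrypt, Argon2) additionally makes each guess expensive.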
According to LinkedIn’s Twitter feed, the company is not yet
confirming the breach.