After initially pleading ignorance, the professional social network LinkedIn confirmed yesterday that it had been hacked and that the encrypted passwords of at least 6.5 million of its 161 million users had been taken.
According to a story at Cnet, a list of 6.5 million passwords allegedly from LinkedIn was uploaded to a Russian hacker server, after which someone claimed on a Russian forum that he was the one who had hacked into LinkedIn and uploaded the information. LinkedIn was contacted about the claim, and soon said that it was unable to confirm that it had been hacked.
However, as word spread about the alleged hack, experts at the security firms Sophos and Rapid7 announced that they had confirmed the uploaded list contained the LinkedIn passwords of some of their colleagues.
User names are also suspected of being stolen along with the passwords.
Not long afterwards, LinkedIn confirmed that it had indeed been hacked. According to the story at Cnet:
“LinkedIn encrypted the passwords using the SHA-1 algorithm, but did not use proper obscuring techniques that would have made the password cracking more difficult, said Paul Kocher, president and chief scientist of Cryptography Research. The passwords were obscured using a cryptographic hash function, but the hashes were not unique to each password, a procedure called ‘salting,’ he said. So if a hacker finds a match for a guessed password, the hash used there will be the same for other accounts that use that same password.”
According to this story today at ComputerWorld, some 60 percent of the encrypted passwords have already been cracked and it is likely that the remainder will be shortly. The SHA-1 algorithm has been known to be susceptible to cracking since 2005. Of course, in many cases, LinkedIn users made the job a lot easier by using obvious passwords, such as "linkedin," "password," and "linkedinpassword."
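The point Kocher makes above, that unsalted hashes are identical for every account sharing a password, is easy to see in code. The following is an added illustration written for this post, not code from LinkedIn or from the article; the three user accounts are constructed sample data, and the salted alternative shown (a per-user random salt with PBKDF2-HMAC-SHA256) is one common remedy, not a description of what LinkedIn or eHarmony actually deployed.

```python
import hashlib
import hmac
import os

# Constructed sample user table (not real LinkedIn data). Two accounts chose
# "linkedin", one of the weak passwords the article mentions.
USERS = {
    "alice": "linkedin",
    "bob": "linkedin",
    "carol": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """Hash the way the article says LinkedIn did: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_hash_groups(table: dict) -> dict:
    """Group accounts by their unsalted hash.

    Any group with more than one member is the weakness Kocher describes:
    once one guess matches that hash, every account in the group falls with it.
    A defender auditing a leaked table can spot the problem the same way.
    """
    groups = {}
    for user, pw in table.items():
        groups.setdefault(unsalted_sha1(pw), []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def make_salted_record(password: str, iterations: int = 200_000) -> dict:
    """Store a per-user random salt and a slow, salted derivation of the password.

    PBKDF2-HMAC-SHA256 is used here as an example of a salted, iterated KDF
    (an assumption for this illustration, not what any named site used).
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def salted_table_has_duplicates(table: dict) -> bool:
    """With per-user salts, identical passwords no longer yield identical hashes."""
    hashes = [make_salted_record(pw)["hash"] for pw in table.values()]
    return len(set(hashes)) != len(hashes)


if __name__ == "__main__":
    print("unsalted groups sharing one hash:", duplicate_hash_groups(USERS))
    print("salted table has duplicate hashes:", salted_table_has_duplicates(USERS))
```

Running it shows one unsalted group containing both accounts that chose "linkedin" and no duplicate entries at all once each account gets its own salt, which is exactly why cracking one unsalted hash in the leaked list exposed every account using that password.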
Kocher also was quoted by Cnet as saying that LinkedIn “did not segregate and manage the (user) data in a way that they would not get compromised.”
LinkedIn for its part has disabled the accounts of those affected, as well as rounded up the usual mea culpas, saying, “We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously.”
In related news, the dating site eHarmony also saw its security breached, possibly by the same hacker. In this case, some 1.5 million out of 20 million passwords were taken and posted on a Russian hacker website. The passwords were encrypted in a similar way to those at LinkedIn, but it is unclear if a more secure encryption approach was used.
eHarmony similarly “deeply regret any inconvenience this causes any of our users.”
Let's hope that "inconvenience"—like getting lots of phishing email asking you to reset your eHarmony or LinkedIn passwords—is the extent of the suffering.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.