LinkedIn Confirms Password Breach, Phishing Intensifies
As posted on June 7, 2012 on www.informationweek.com
By Mathew J. Schwartz
LinkedIn confirmed Wednesday that it's investigating the apparent breach of its password databases after an attacker uploaded a list of 6.5 million encrypted LinkedIn passwords to a Russian hacking forum earlier this week.
"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," wrote LinkedIn director Vicente Silveira in a blog post. "We are continuing to investigate this situation."
Security experts have advised all LinkedIn users to change their password immediately. To stay current with the investigation, meanwhile, a spokesman said via email that in addition to updating the company's blog, "we're also posting updates on Twitter @LinkedInNews, @LinkedInIndia, and @LinkedIn."
"We sincerely apologize for the inconvenience this has caused our members," Silveira said, noting that LinkedIn would be instituting a number of security changes. Already, LinkedIn has disabled all passwords that were known to be divulged on an online forum. Anyone known to be affected by the breach will also receive an email from LinkedIn's customer support team. Finally, all LinkedIn members will receive instructions for changing their password on the site, though Silveira emphasized that "there will not be any links in this email."
That caveat is crucial, owing to a wave of phishing emails--many advertising pharmaceutical wares--that have been circulating in recent days. Some of these emails sport subject lines such as "Urgent LinkedIn Mail" and "Please confirm your email address," and some messages also include links that read, "Click here to confirm your email address," that open spam websites.
These phishing emails probably have nothing to do with the hacker who compromised one or more LinkedIn password databases. Instead, they are more likely an attempt by other criminals to take advantage of people's worries about the breach, in the hope that recipients will click on fake "Change your LinkedIn password" links that serve them spam.
In related password-breach news, dating website eHarmony Wednesday confirmed that some of its members' passwords had also been obtained by an attacker, after the passwords were uploaded to password-cracking forums at the InsidePro website. Notably, the same user--"dwdm"--appears to have uploaded both the eHarmony and LinkedIn passwords in several batches, beginning Sunday. Some of those posts have since been deleted.
"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," said eHarmony spokeswoman Becky Teraoka on the site's advice blog. Security experts have said about 1.5 million eHarmony passwords appear to have been uploaded.
Teraoka said all affected members' passwords had been reset and that members would receive an email with password-change instructions. But she didn't discuss whether eHarmony had deduced which members were affected based on a digital forensic investigation--identifying how attackers had gained access, and then determining what had been stolen. An eHarmony spokesman didn't immediately respond to a request for comment about whether the company has conducted such an investigation.
As with LinkedIn, however, given the small amount of time since the breach was discovered, eHarmony's list of "affected members" is probably based only on a review of passwords that have appeared in public forums, and is thus incomplete. Out of caution, accordingly, all eHarmony users should change their passwords.
According to security experts, a majority of the hashed LinkedIn passwords uploaded earlier this week to the Russian hacking forum have already been cracked by security researchers. "After removing duplicate hashes, SophosLabs has determined there are 5.8 million unique password hashes in the dump, of which 3.5 million have already been brute-forced. That means over 60% of the stolen hashes are now publicly known," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. Of course, attackers already had a head start on the brute-force cracking, which means that all of the passwords may by now have been recovered.
Rob Rachwald, director of security strategy at Imperva, suspects that many more than 6.5 million LinkedIn accounts have been compromised, because the uploaded list of passwords is missing 'easy' passwords such as 123456, he wrote in a blog post. Evidently, the attacker had already cracked the weak passwords, and sought help only with the more complex ones.
Another sign that the password list was edited down is that it contains only unique passwords. "In other words, the list doesn't reveal how many times a password was used by the consumers," said Rachwald. But common passwords tend to be used quite frequently, he said, noting that in the hack of 32 million RockYou passwords, 20% of all users--6.4 million people--chose one of just 5,000 passwords.
Responding to criticism over its failure to salt passwords--though the passwords were hashed using SHA1--LinkedIn also said that its password databases will now be salted and hashed before being encrypted. Salting refers to the process of adding a unique string to each password before hashing it, so that identical passwords no longer produce identical hashes; it is key to preventing attackers from using rainbow tables (precomputed hash lookup tables) to compromise large numbers of passwords at once. "This is an important factor in slowing down people trying to brute-force passwords. It buys time, and unfortunately the hashes published from LinkedIn did not contain a salt," said Wisniewski at Sophos Canada.
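The following is an added example, not code from the article, LinkedIn or Sophos, showing the difference Wisniewski describes. It compares plain SHA-1 (the form of the leaked hashes) with a per-user salted, iterated hash; the salted scheme used here is PBKDF2-HMAC-SHA1, an assumption for illustration, since the article does not say which scheme LinkedIn adopted. The sample accounts and the attacker's wordlist are constructed for the demo.

```python
"""Added example: unsalted SHA-1 versus per-user salted hashing.

Not the article's or LinkedIn's code. Accounts, passwords and the
wordlist below are constructed for the demo; PBKDF2-HMAC-SHA1 is an
assumed stand-in for whatever salted scheme LinkedIn deployed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample accounts: weak choices of the kind the article describes.
SAMPLE_ACCOUNTS = {
    "alice": "123456",
    "bob": "password",
    "carol": "123456",                        # same password as alice
    "dave": "linkedin",
    "erin": "correct horse battery staple",   # not in the wordlist below
}

# Constructed wordlist of "easy" passwords, standing in for a cracking dictionary.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "abc123"]

# Demo iteration count; real deployments use far more, or bcrypt/scrypt/Argon2.
ITERATIONS = 20_000


def unsalted_sha1(password: str) -> str:
    """What the leaked hashes looked like: plain SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """Random 16-byte salt per user plus an iterated hash. Returns (salt, digest)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_lookup_table(wordlist) -> dict:
    """Precomputed once, then reusable against every unsalted dump."""
    return {unsalted_sha1(p): p for p in wordlist}


def crack_unsalted(hashes, table) -> dict:
    """One dictionary lookup per hash; duplicate passwords fall together for free."""
    return {h: table[h] for h in hashes if h in table}


def crack_salted(records, wordlist) -> tuple:
    """No shared table is possible: every record needs its own hash computations.
    Returns (cracked_by_user, number_of_hash_computations)."""
    cracked, work = {}, 0
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            work += 1
            if verify_salted(guess, salt, digest):
                cracked[user] = guess
                break
    return cracked, work


def compare() -> dict:
    """Run both schemes over the sample accounts and summarise the outcome."""
    unsalted = {u: unsalted_sha1(p) for u, p in SAMPLE_ACCOUNTS.items()}
    salted = {u: salted_hash(p) for u, p in SAMPLE_ACCOUNTS.items()}

    table = build_lookup_table(WORDLIST)
    unique_unsalted = set(unsalted.values())
    cracked_unsalted = crack_unsalted(unique_unsalted, table)
    cracked_salted, work = crack_salted(salted, WORDLIST)

    return {
        # alice and carol share a hash, so the dump leaks password frequency
        "unsalted_unique_hashes": len(unique_unsalted),
        "unsalted_table_lookups": len(unique_unsalted),
        "unsalted_cracked_by_table": len(cracked_unsalted),
        "unsalted_accounts_cracked": sum(1 for h in unsalted.values() if h in cracked_unsalted),
        # every salted digest differs, even for alice and carol
        "salted_unique_hashes": len({d for _, d in salted.values()}),
        "salted_cracked": len(cracked_salted),
        "salted_hash_computations": work,
        "login_still_works": verify_salted("123456", *salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The weak passwords are still found under the salted scheme, which is Wisniewski's point: salting buys time rather than making guessing impossible. What changes is that the attacker can no longer reuse one table across the whole dump (four lookups crack four accounts unsalted, versus a fresh iterated hash per guess per user salted), and identical passwords no longer reveal themselves by identical hashes.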
Wisniewski also said it remains to be seen just how severe the extent of the LinkedIn breach will be. "It is critical that LinkedIn investigate this to determine if email addresses and other information was also taken by the thieves, which could put the victims at additional risk from this attack."