FAQ: LinkedIn breach -- what members (and others) need to know

Tackling user questions on what's known so far about what happened to the stolen LinkedIn data, and what can be done about it

By Jaikumar Vijayan, Computerworld

Hackers have apparently accessed close to 6.5 million hashed passwords from a LinkedIn database and posted them, and data associated with them, online. So far, researchers say, about 60% of the unique passwords in the dump have been cracked, and there are signs that the rest will soon be as well. Here is some information for LinkedIn users specifically, and for all Internet users in general.

What happened?

Earlier this week, a 118MB file containing 6,458,020 hashed passwords was posted on a Russian hacker forum. The posters said they needed help in cracking the passwords. Security analysts who inspected the data dump noticed that many of the passwords appeared to be associated with LinkedIn member accounts, which led to the conclusion that all the passwords belonged to members of the social networking site for business professionals. It remains unknown how the data was obtained, how long the hackers may have had access to it, and what other data might have been accessed.

How has LinkedIn responded publicly to the reports?

The company says it is investigating the incident.

Did the hackers obtain email addresses associated with the passwords?

If user IDs were not obtained, what's the big deal?

What does it mean to me?

If your password was compromised, you will not be able to use it to log into your LinkedIn account. LinkedIn has said that it is contacting users whose passwords have been compromised with instructions on how to reset them. The company has made clear that the email with instructions on how to reset the password will NOT contain any links. If you have not received an email yet, or if you are still able to access your account using your old password, it means either that your password was not compromised or that LinkedIn doesn't know it yet.
What measures had LinkedIn taken to protect member passwords?

The breached passwords were all masked using a basic hashing algorithm known as SHA-1. Though SHA-1 offers a degree of protection against password cracking attempts, the algorithm is by no means foolproof. Numerous password cracking tools, and tables that contain pre-computed hashes for billions of passwords, are easily available. Almost anyone can use these tables to match almost any SHA-1 hash and recover the password in plain text in a matter of minutes. That explains why nearly all of the hashed passwords have been cracked already.

What could LinkedIn have done to protect the passwords better?

How can users be sure that more data was not accessed?

Similarly, it's possible that a lot more than 6.5 million passwords were compromised. LinkedIn has over 100 million members. It's possible that the hackers released the 6.5 million passwords to show they have the goods to anyone interested in purchasing the purloined data from them. LinkedIn can be a goldmine for identity thieves and phishers.

Original appearance at computerworld.com
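Why a pre-computed table works against the plain (unsalted) SHA-1 hashing described in the answer on LinkedIn's password protection above, shown beside a salted, iterated scheme that defeats it. This is an added example, not code from the article or from LinkedIn; the five-word list, the constructed "dump" and the PBKDF2 parameters are illustrative assumptions.

```python
import hashlib
import hmac
import os

# Constructed five-word stand-in for the "billions of passwords" a real pre-computed table holds.
WORDLIST = ["password", "linkedin", "123456", "letmein", "qwerty"]


def sha1_hex(password: str) -> str:
    """Plain SHA-1 with no salt: the same password always yields the same hash, everywhere."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputed_table(words) -> dict:
    """Build a hash -> plaintext map once; it then serves against any unsalted SHA-1 dump."""
    return {sha1_hex(w): w for w in words}


def recovery_rate(stored_hashes, table) -> float:
    """Fraction of a dump that a plain table lookup resolves (the '60% cracked' kind of figure)."""
    hits = sum(1 for h in stored_hashes if h in table)
    return hits / len(stored_hashes)


def hash_password(password: str, iterations: int = 100_000, salt=None) -> str:
    """Salted, iterated hashing (PBKDF2-HMAC-SHA256): a random per-user salt makes any
    pre-computed table useless, and the iteration count slows down every guess."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed "dump": four weak passwords plus one the table does not contain.
    dump = [sha1_hex(p) for p in ["linkedin", "123456", "qwerty", "letmein", "Tr0ub4dor&3!"]]
    table = precomputed_table(WORDLIST)
    print(f"unsalted SHA-1 recovered by table lookup: {recovery_rate(dump, table):.0%}")  # 80%
    stored = hash_password("linkedin")
    print("same password, two different salted records:", stored != hash_password("linkedin"))
    print("verify correct password:", verify_password("linkedin", stored))
```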