UPDATED 2:15 p.m. PT
LinkedIn Wednesday confirmed that at least some passwords compromised in a major security breach correspond to LinkedIn accounts.
Vicente Silveira, Director at LinkedIn, confirmed the hack on the company’s blog Wednesday afternoon and outlined steps that LinkedIn is taking to deal with the situation. He wrote that those with compromised passwords will notice that their LinkedIn account password is no longer valid.
Silveira added that owners of compromised accounts will receive an email from LinkedIn with instructions on how to reset their passwords. These owners then will get a second email from LinkedIn customer support that explains the situation at greater length.
Silveira also apologized to those affected, saying LinkedIn takes the security of members very seriously.
The business-focused social network had 161 million users worldwide as of March 31.
Security professionals suspected that the business-focused social network LinkedIn suffered a major breach of its password database. Recently, a file containing 6.5 million unique hashed passwords appeared in an online forum based in Russia. More than 200,000 of these passwords have reportedly been cracked so far.
The file only contains passwords hashed using the SHA-1 algorithm and does not include user names or any other data, security researchers say. However, the breach is so serious that security professionals advise people to change their LinkedIn passwords immediately.
It’s unknown at this point how the file ended up on a public forum or exactly which site the passwords originate from; however, signs indicate this is indeed a breach of LinkedIn. Many of the cracked passwords that have been published to the forum contain the term “LinkedIn,” while terms such as Facebook, Twitter and other common online networks are almost nonexistent, Per Thorsheim, a security advisor based in Norway, told PCWorld. Thorsheim was one of the first security researchers to discover the leaked password file.
One common way people create passwords for different websites is to add the name of the site into the passphrase, says Thorsheim. So some people may use the password “1234Facebook” for the world’s largest social network, and then “1234LinkedIn” for LinkedIn and so on. With so many occurrences of the term LinkedIn, Thorsheim says, it seems likely these are in fact LinkedIn passwords.
Thorsheim also said he and at least 12 other sources he trusts within the security community have found hashes of their own LinkedIn passwords in the file.
After hearing Thorsheim’s story and using a copy of the leaked password file, I also found the hash for my own LinkedIn password after running my passphrase through an SHA-1 hash generator. However, doing the same operation for the LinkedIn passwords of two other PCWorld writers yielded no results.
What’s a Hash?
SHA-1 is a hash function: it converts any input, such as a password, into a fixed-length string of letters and numbers, and the same input always produces the same output. If your password is “LinkedIn1234,” for example, the SHA-1 hex output should always be “abf26a4849e5d97882fcdce5757ae6028281192a.” That is exactly the problem. Because the output is predictable and SHA-1 is fast to compute, anyone who knows the passwords were hashed with SHA-1 can hash a list of common passwords and quickly uncover the more basic passwords that people commonly use simply by comparing results.
Often, random data, known as a salt, is combined with each password before it is hashed, so that the same password produces a different hash for every user and precomputed lists of hashed common passwords become useless. That does not appear to be the case with these leaked passwords.
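The following Python script is an added illustration, not code from the article or from LinkedIn. It uses only the standard library and a small constructed set of hypothetical passwords (not the real leaked file) to show the three points above: what an unsalted SHA-1 digest looks like, the self-check of hashing your own password and looking it up in the file, why one guess against an unsalted file tests every user at once while a salt forces the guess to be redone per user, and what a salted, deliberately slow storage scheme (PBKDF2) looks like instead.

```python
import hashlib
import hmac
import os

# --- 1. The format of the leaked file: bare, unsalted SHA-1 hex digests ---

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, hex-encoded (40 characters)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed sample "leak" of hypothetical passwords; not the real file.
SAMPLE_LEAK = {sha1_hex(p) for p in ["1234LinkedIn", "linkedin2012", "Tr0ub4dor&3"]}

def password_exposed(password: str, leaked_hashes: set) -> bool:
    """The self-check described in the article: hash your own password,
    then look the digest up in the leaked set."""
    return sha1_hex(password) in leaked_hashes

# --- 2. Why unsalted, fast hashes are weak ---

def unsalted_guess_cost(guesses, leaked_hashes):
    """Return (matches, hash_operations) for a list of guesses against an
    unsalted file. Each guess is hashed exactly once and compared against
    every stored digest, so the work grows with the number of guesses, not
    with the number of users in the file."""
    matches = {}
    ops = 0
    for guess in guesses:
        ops += 1
        digest = sha1_hex(guess)
        if digest in leaked_hashes:
            matches[digest] = guess
    return matches, ops

def salted_hash(password: str, salt: bytes) -> str:
    """SHA-1 over salt || password. The same password with a different salt
    gives a different digest, so precomputed tables no longer apply."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def salted_guess_cost(guesses, records):
    """records: list of (salt, digest). Every guess must be rehashed with each
    user's own salt, so the work is guesses x users."""
    matches = {}
    ops = 0
    for salt, digest in records:
        for guess in guesses:
            ops += 1
            if salted_hash(guess, salt) == digest:
                matches[digest] = guess
    return matches, ops

# --- 3. Salted and slow: what a site should store instead ---

def make_record(password: str, iterations: int = 100_000) -> tuple:
    """Store (salt, iterations, digest) using PBKDF2-HMAC-SHA1 with a fresh
    random 16-byte salt; the iteration count makes each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return (salt, iterations, digest)

def verify_record(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    guesses = ["password", "1234LinkedIn", "linkedin2012"]
    print("exposed?", password_exposed("1234LinkedIn", SAMPLE_LEAK))
    print("unsalted:", unsalted_guess_cost(guesses, SAMPLE_LEAK)[1], "hash ops")
    records = [(os.urandom(8), None) for _ in range(3)]
    records = [(s, salted_hash("1234LinkedIn", s)) for s, _ in records]
    print("salted:  ", salted_guess_cost(guesses, records)[1], "hash ops")
    rec = make_record("Tr0ub4dor&3")
    print("pbkdf2 verify:", verify_record("Tr0ub4dor&3", rec), verify_record("wrong", rec))
```

Running the script shows the asymmetry the article's experts describe: three guesses cost three hash operations against the whole unsalted set, but nine against three salted users, and a per-user PBKDF2 iteration count multiplies that again.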
What’s also troubling security researchers is that the password database contains entirely unique passwords. It’s unclear whether the people who leaked the password file have more passwords that have not surfaced online. The file may, for example, be an attempt to crowdsource the cracking of some of the more difficult passwords. It’s also unknown if the suspected attackers have user names or other data tying these passwords to actual users.
Regarding this issue, LinkedIn’s Silveira wrote: “It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.”
However, since 6.5 million unsalted hashes have been exposed, it does not matter how long or difficult to guess your password is, Thorsheim says. Anyone whose password has been exposed is at risk. You can change your LinkedIn password by clicking the “change” link next to “Password” just below your profile photo.
This has been a tough week for LinkedIn and security. The Next Web recently reported that an opt-in calendar feature in LinkedIn’s Android and iOS mobile apps was sending user data back to LinkedIn servers as plain text. LinkedIn responded by saying it sends all data back to its servers via an encrypted connection and never saves any user data.
LinkedIn has yet to respond to PCWorld’s request for comment.