Business networking site LinkedIn has confirmed that over six million hashed user passwords were stolen and published on a hacker website earlier this month. According to the company, however, most of the passwords were never decoded, and those that were weren’t successfully linked with an email address to enable hackers to access users’ accounts.
Writing on the company’s blog, LinkedIn director Vincente Silveira said: “Yesterday we learned that approximately 6.5m hashed LinkedIn passwords were posted on a hacker site. Most of the passwords on the list appear to remain hashed and hard to decode, but unfortunately a small subset of the hashed passwords was decoded and published.”
Without that link to email addresses,
however, accounts don’t seem to have been compromised. Silveira said the
company had not ‘received any verified reports of unauthorized access to any
member’s account as a result of this event’.
The passwords that had been decoded were
immediately invalidated by the company, and LinkedIn emailed users whose
accounts were affected to explain how to change their passwords.
The same hacker also got hold of passwords
for dating website eHarmony and posted the encrypted versions online. eHarmony
confirmed in a blog post : ‘After investigating reports of compromised
passwords, we have found that a small fraction of our user base has been
affected.’
In a bad week for online security, UK music
and radio site Last.fm reported that its security had also been compromised and
said it was ‘investigating the leak of some Last.fm user passwords’ and ‘asking
all our users to change their passwords immediately.’
eHarmony claimed it had ‘robust security measures, including password hashing and data encryption, to protect personal information… we also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches.’
LinkedIn security
Clearly those security measures weren’t enough, which is why LinkedIn has been working to improve the security of its users’ data in recent months. Silveira wrote that the company had already made the ‘transition from a password database system that hashed passwords, ie provided an extra layer of protection that is a widely recognized best practice within the industry.’
But Matasano Security researcher Thomas H
Ptacek, interviewed by blogger Brian Krebs, said it was a ‘misconception’ that
salting would help. ‘The problem is they’re using the wrong kind of algorithm.
They use a cryptographic hash, when they need to use a password hash.’ And
LinkedIn wasn’t alone in this. ‘Nobody gets this right.’
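The distinction Ptacek draws between a cryptographic hash and a password hash, shown as an added illustration that is not part of the original article and not LinkedIn’s or eHarmony’s code. The weak scheme is a single unsalted SHA-1, which is what the article says LinkedIn stored; the hardened scheme uses a random per-user salt and PBKDF2-HMAC-SHA256 with a configurable work factor. PBKDF2 is chosen here only because it ships in Python’s standard library; bcrypt, scrypt or Argon2 make the same point. The record format, the iteration count and the sample passwords are this example’s own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the slow password hash. This is an assumed starting value;
# the right number is whatever makes one verification take tens of
# milliseconds on the server's own hardware, re-tuned as hardware improves.
PBKDF2_ITERATIONS = 200_000


def weak_hash(password: str) -> str:
    """Unsalted SHA-1: a fast cryptographic hash used as a password hash.

    Two users with the same password get the same digest, so a leaked table
    reveals shared passwords immediately, and the hash is cheap enough that
    guessing is limited only by hardware speed.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_password_record(password: str,
                         iterations: int = PBKDF2_ITERATIONS,
                         salt: Optional[bytes] = None) -> str:
    """Salted, iterated password hash stored as 'algo$iterations$salt$digest'.

    The salt is random per record, so equal passwords produce unrelated
    digests, and the iteration count is stored with the record so it can be
    raised later without breaking existing logins.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hash_count(hashes) -> int:
    """Number of stored hashes that appear more than once in a leaked table.

    For the unsalted scheme this equals the number of users sharing a
    password; for the salted scheme it is zero regardless of reuse.
    """
    seen, dupes = set(), 0
    for h in hashes:
        if h in seen:
            dupes += 1
        seen.add(h)
    return dupes


if __name__ == "__main__":
    # Constructed sample: three accounts, two of which reuse a password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "s3cret"}

    weak_table = [weak_hash(pw) for pw in users.values()]
    strong_table = [make_password_record(pw) for pw in users.values()]

    print("unsalted SHA-1 duplicates:", duplicate_hash_count(weak_table))
    print("salted PBKDF2 duplicates:", duplicate_hash_count(strong_table))
    print("alice logs in:", verify_password("correct horse", strong_table[0]))
    print("wrong password:", verify_password("wrong", strong_table[0]))
```

The salt removes the linkability that the article’s ‘hashed but not salted’ database had, but on its own it does not make the hash slow; that is the work factor’s job, and it is the part Ptacek is pointing at when he says a password hash rather than a cryptographic hash is needed.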