LinkedIn Confirms Member Passwords Breach; How To Check If Yours Is Among The Leaked Ones

Multiple reports surfaced Wednesday about a possible LinkedIn security breach after a user in a Russian forum claimed to have hacked almost 6.5 million accounts in the professional social network. The user reportedly uploaded 6,458,020 hashed passwords with no usernames.

Though LinkedIn was unable to prove any security breach initially, it came up with the confirmation later with a post on its blog. However, the company hasn't yet confirmed the number of accounts that were compromised.

According to LinkedIn director Vicente Silveira, the compromised accounts were no longer valid and affected users would receive an email from LinkedIn, instructing them how to reset their passwords. However, it seems that the password reset procedure is not a usual one as the email that affected users would be receiving won't contain any links to the website.

Users will receive yet another email after that from LinkedIn's customer service department explaining the circumstances behind the security breach.

Take a look at the full text of LinkedIn's blog post below:

We want to provide you with an update on this morning's reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:

1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.

2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.

3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases. We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously, if you haven't read it already it is worth checking out my earlier blog post today about updating your password other account security best practices.

Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals, said Graham Cluley of the British security firm Sophos in a blog post. Hence, it would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step.

Cluley recommended users to ensure that the password they use on a website is not used on another one. There should be different passwords for different websites and should be hard to crack.

According to Jim Walter of the McAfee Threat Intelligence Service, the LinkedIn security breach is a good reminder to all internet users on the importance of maintaining an ever-changing and complex password. Walter said that a secure password could be the only thing standing between the user's personal data and the hackers, AFP reported.

How To Check For Compromised LinkedIn Passwords

As noted by The Verge, security researcher Steve Gibson highlighted a website that could check if a user's password is on the list of stolen hashes.

LeakedIn can check if a user’s password is on the list of stolen hashes. Photo: LeakedIn

The website, named LeadkedIn, asks you to provide your password or a SHA-1 hash of the password, which they hash with JavaScript; view source to verify.

LeakedIn changes a user's clear-text password into its matching cryptographic representation using the SHA-1 algorithm. It converts the password in the browser using JavaScript and does not pass on the password to other places, LeakedIn's developer Chris Shiflett wrote on his blog.

I discovered that my password was not only one of the 6.5 million that had been leaked, it was also among those that had been cracked. I was a victim, Shiflett wrote.

According to a report by PC World, password hashes can be converted to plain-text with help of powerful graphics processors and free password cracking tools like John the Ripper, which can be used with a regular PC and oclHashcat.

The reported referred to a blog post written by Robert David Graham, CEO of the security consultancy Errata Security, who said that each letter of a password had 100 possible combinations composed of upper or lower case, digits or symbols. So how fast can hackers crack passwords?

Graham explained:

A 5 letter password therefore has 100 x 100 x 100 x 100 x 100 or 10 billion combinations, meaning it can be cracked in 5 seconds. A 6 letter password has 100 times that, or 500 seconds. A 7 letter password has 100 times that, or 50,000 seconds, or 13 hours. An 8 character password is roughly 57 days. A 9 character password is 100 times that, about 15 years. In other words, if your password was 7 letters, the hacker has already cracked it, but if it's 9 letters, it's too difficult to crack with brute force.

More Salt Required?

Reuters reported that at least two security experts, who inspected the files containing the LinkedIn passwords, said the company had failed to take best measures to protect the data.

According to the experts, LinkedIn used a basic technique for encrypting (or scrambling) the passwords, allowing hackers to unscramble all passwords fast after they discovered the formula used to encrypt any single password.

The social network could have made it extremely tedious for the passwords to be unscrambled by using a technique known as 'salting', which means adding a secret code to each password before it is encrypted, said the report.

Must Read: Samsung Galaxy S3 Sales Could Be Banned In US If Apple Wins Latest Lawsuit Over Violating Siri Patent