On June 5, career-themed social networking site LinkedIn fell victim to a hack in which more than 6 million user password hashes were leaked. Now the same hackers have moved to the online-dating scene, acquiring passwords from eHarmony.
"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," eHarmony's Becky Teroka wrote on the company's blog on the night of June 6. The Los Angeles Times reported that 1.5 million passwords were stolen, and provided a screenshot of the website used by the hacker to compile lists of stolen passwords.
The website, known as insidepro.com, contains the password hashes of almost 6.46 million users in total, organized in two large lists. Rick Redman, a security consultant specializing in password cracking, confirmed to Ars Technica that the larger list belongs to LinkedIn users after finding a password that was unique to the social networking site.
The smaller list, which contains 1.5 million passwords, belongs to eHarmony users. This was determined from the plaintext of the passwords that have been cracked so far: according to Ars Technica, at least 420 of the passwords in this list contain the strings "harmony" or "eharmony". However, the hashes on the list are not accompanied by the corresponding login names, so on their own they cannot be used to gain access to a particular user's account.
"But it's safe to assume that information is available to the hackers who obtained the list, and it wouldn't be a surprise if it was also available in underground forums," warns Dan Goodin of the tech news website.
The hacker posted the list of hashed passwords and asked peers for help cracking them. The passwords were not salted; a salt is a per-user random value mixed into the password before hashing, an extra measure on top of hashing that stops one cracked hash from exposing every account that chose the same password. Ars Technica reported that only 98,000 of the stolen passwords remain uncracked.
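To make the point about salting concrete, here is an added example (not code from the article or from either company) that contrasts an unsalted hash store with a salted, iterated one and includes a small audit check a defender can run over a hash table. It assumes unsalted SHA-1 as the weak scheme, a common choice at the time, which the article itself does not specify; the user names and passwords are constructed sample values. In the unsalted store, every account that chose the same password collapses to one identical digest, so cracking that digest once unlocks all of them; with a random per-user salt and PBKDF2 the same password produces a different digest for each account.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data (not from the leaked lists): three users, two of
# whom picked the same password.
SAMPLE_USERS = {
    "alice": "Harmony2012",
    "bob": "Harmony2012",
    "carol": "Tr0ub4dor&3",
}


def unsalted_sha1(password: str) -> str:
    """Weak scheme assumed for illustration: one SHA-1 of the bare password.
    Identical passwords always give identical digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Hardened scheme: random per-user salt plus a slow, iterated hash
    (PBKDF2-HMAC-SHA256). Stored as salt$iterations$digest so verification
    can recover the parameters."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_unsalted_store(users: dict) -> dict:
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def build_salted_store(users: dict) -> dict:
    # os.urandom gives each account its own 16-byte salt.
    return {user: salted_hash(pw, os.urandom(16)) for user, pw in users.items()}


def shared_hash_groups(hashes) -> int:
    """Audit helper: number of distinct digest values that appear for more than
    one account. In an unsalted store every shared password produces such a
    group, so a non-zero result is a quick signal that salting is missing."""
    counts = Counter(hashes)
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    unsalted = build_unsalted_store(SAMPLE_USERS)
    salted = build_salted_store(SAMPLE_USERS)
    print("shared digests, unsalted store:", shared_hash_groups(unsalted.values()))
    print("shared digests, salted store:  ", shared_hash_groups(salted.values()))
    print("alice verifies:", verify_salted("Harmony2012", salted["alice"]))
```

The audit function is the useful takeaway for a defender: run it over an existing credential table and any shared-digest groups reveal both that the store is unsalted and exactly which accounts share a password, without cracking anything.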
Many of the passwords that had been leaked contained a mix of upper and lowercase letters, which indicates that they were chosen by people accustomed to following policies enforced in larger businesses.
"These are business people, so a lot of them are doing it like they would in the business world," Redman told Ars Technica after examining the passwords. "They didn't have to use uppercase, but they are. A lot of the patterns we're seeing are the more complicated ones. I cracked a 15-character one that was just the top row of the keyboard."
Users are advised to change their passwords for both LinkedIn and eHarmony, and to create a new password if the same one is used for other sites.