Security professionals suspect that the business-focused social network LinkedIn has suffered a major breach of its password database.
Recently, a file containing 6.5 million unique hashed passwords appeared in an online forum based in Russia. More than 200,000 of these passwords have reportedly been cracked so far. The file only contains passwords hashed using the SHA-1 algorithm and does not include user names or any other data, security researchers say. However, the breach is so serious that security professionals are advising people to change their LinkedIn passwords immediately.
See also: How to change a LinkedIn password
It's unknown at this point how the file ended up on a public forum or exactly which site the passwords originate from; however, signs indicate this is indeed a breach of LinkedIn. Many of the cracked passwords that have been published to the forum have the common term “LinkedIn” in them, Per Thorsheim a security advisor based in Norway, told PCWorld. While terms such as Facebook, Twitter and other common online networks are almost nonexistent. Thorsheim was one of the first security researchers to discover the leaked password file.
One common way people create passwords for different websites is to add the name of the site into the passphrase, says Thorsheim. So some people may use the password “1234Facebook” for the world's largest social network, and then “1234LinkedIn” for LinkedIn and so on. With so many occurrences of the term LinkedIn, Thorsheim says, it seems likely these are in fact LinkedIn passwords.
Thorsheim also said he and at least 12 other sources he trusts within the security community have found hashes of their own LinkedIn passwords in the file.
After hearing Thorsheim's story and using a copy of the leaked password file, I also found the hash for my own LinkedIn password after running my passphrase through an SHA-1 hash generator. However, doing the same operation for the LinkedIn passwords of two other PCWorld writers yielded no results.
What's a Hash?
An SHA-1 hash is an algorithm that converts your password into a unique set of numbers and letters. If your password is “LinkedIn1234,” for example, the SHA-1 hex output should always be “abf26a4849e5d97882fcdce5757ae6028281192a.” As you can see that is problematic since if you know the password is hashed with SHA-1, you can quickly uncover some of the more basic passwords that people commonly use. Often, random bits -- known as salting -- are added to a hash so that the output is harder to guess. But that does not appear to be the case with these leaked passwords.
What's also troubling security researchers is that the password database contains entirely unique passwords. It's unclear whether the people who leaked the password file have more passwords that have not surfaced online. The file may, for example, be an attempt to crowd source the hacking of some of the more difficult passwords. It's also unknown if the suspected attackers have user names or other data tying these passwords to actual users.
If you are a LinkedIn user, security professionals are advising you to change your password immediately as a precaution. Since 6.5 million unsalted hashes have been exposed it does not matter how long or difficult to guess your password is, Thorsheim says. Anyone whose password has been exposed is at risk. You can change your LinkedIn password by following this link and clicking the “change” link next to “Password” just below your profile photo.
This has been a tough week for LinkedIn and security. The Next Web recently reported that an opt-in calendar feature in LinkedIn's Android and iOS mobile apps was sending user data back to LinkedIn servers as plain text. LinkedIn responded by saying it sends all data back to its servers via an encrypted connection and never saves any user data.
LinkedIn has yet to respond to PCWorld's request for comment. But a Twitter account called LinkedIn News says the company is looking into reports of stolen passwords.
The business-focused social network had 161 million users worldwide as of March 31.