LinkedIn Password Breach Spawns Spam Campaign

The spam campaign is trying to take advantage of LinkedIn users worried that their passwords were among the 6.46 million stolen

A data breach at LinkedIn, the business-oriented social networking site, has spawned a spam campaign that tries to take advantage of users worried that their passwords were among the 6.46 million posted on the Internet.

The spam campaign uses service messages pretending to be from LinkedIn, but no connection has been established between the data breach and the spam messages.

"Because similar e-mails have been circulating for some time, it is hard to say if this is an example of a coordinated scam designed to leverage the security breach made public [Wednesday], or simply a coincidence (like getting a phishing e-mail asking you to reset your Bank of America online banking password two days after you opened an account there)," Cameron Camp, a security researcher at Eset, wrote in a company blog.

The bogus LinkedIn message, crafted to look like a genuine communication from the site, asks the recipient to confirm his or her e-mail address and contains a link for doing so. Clicking the link spirits the target to an illegal online pharmacy selling Viagra and other medications.

The campaign couldn't come at a worse time for LinkedIn, which has been using e-mail to communicate with its members affected by the massive breach of its systems.

Aware that clicking on links in e-mails is a bad security practice, LinkedIn is using a two-step process. Users affected by the breach first receive an e-mail without any links in it. It informs the member that they must reset their password and provides them with steps for doing so.

After completing those steps and requesting password assistance, the member will receive a second e-mail with a password reset link.

"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," LinkedIn’s director, Vicente Silveira, wrote in a company blog.

LinkedIn was criticized when the breach was revealed for not "salting" the password hashes of its members. Hashing a password transforms it into a fixed string of characters that is unintelligible to the naked eye. But a hashing scheme yields the same hash for the same password. So for all sites using an unsalted hashing scheme like SHA-1, a password like linkedin123 would have the same hash across all the sites. That makes the hashes easy to crack with the right reference tools.

Salting the hashes adds random characters to each password before it is hashed. That makes each hash unique, even when two users choose the same password, and much tougher to crack.
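As an added illustration that is not part of the original article, the Python below compares unsalted SHA-1 (the scheme the article describes) with a per-user salted hash and shows why a precomputed table of common-password hashes matches the former but not the latter. The password list and the 16-byte salt length are constructed for this example.

```python
import hashlib
import os

# Constructed list standing in for the "reference tools" the article mentions:
# a precomputed table of hashes for common passwords.
COMMON_PASSWORDS = ["password", "123456", "linkedin123", "letmein"]


def sha1_unsalted(password: str) -> str:
    """Unsalted SHA-1: the same password gives the same hash on every site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_reference_table(words):
    """Map hash -> password. Works against any site using unsalted SHA-1."""
    return {sha1_unsalted(w): w for w in words}


def lookup(hash_hex: str, table: dict):
    """Instant 'crack' by table lookup; returns None when the hash is not in the table."""
    return table.get(hash_hex)


def new_salt() -> bytes:
    """Random per-user salt (16 bytes is a constructed choice for this example)."""
    return os.urandom(16)


def sha1_salted(password: str, salt: bytes) -> str:
    """Salt is mixed into the input before hashing, so the output depends on both."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def demo() -> dict:
    table = build_reference_table(COMMON_PASSWORDS)
    # Two different sites storing the same user's password without salt.
    site_a = sha1_unsalted("linkedin123")
    site_b = sha1_unsalted("linkedin123")
    # Two users on one site who chose the same password, each with their own salt.
    user1 = sha1_salted("linkedin123", new_salt())
    user2 = sha1_salted("linkedin123", new_salt())
    return {
        "same_hash_across_sites": site_a == site_b,      # True
        "unsalted_found_in_table": lookup(site_a, table),  # "linkedin123"
        "salted_hashes_differ": user1 != user2,          # True
        "salted_found_in_table": lookup(user1, table),     # None
    }
```

Salting defeats precomputed tables but does not slow down guessing itself; current practice stores passwords with a deliberately slow function such as bcrypt, scrypt or Argon2 rather than a single salted SHA-1.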

LinkedIn wasn't the only website targeted by hackers this week. Online dating site eHarmony was also penetrated and 1.5 million password hashes were posted to the Web.

Hackers typically post hashes they're having difficulty cracking to the Internet to get help from their colleagues in deciphering the passwords.

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.
