FAQ: LinkedIn breach: What members (and others) need to know

Tackling user questions on what's known so far on what happened to stolen LinkedIn data, and what can be done about it

Hackers have apparently accessed close to 6.5 million hashed passwords from a LinkedIn database and posted them and data associated with them online. So far, researchers say, about 60% of the unique passwords in the dump have been cracked and there are signs that the rest will soon be as well.

Here's some information for LinkedIn users specifically, and all Internet users in general.

What happened? Surprisingly, it's not clear yet exactly what happened.

Earlier this week, a 118MB file containing 6,458,020 hashed passwords was posted on a Russian hacker forum. The posters said they needed help in cracking the passwords.

Security analysts who inspected the data dump noticed that many of the passwords appeared to be associated with LinkedIn member accounts, which led to the conclusion that all the passwords belonged to members of the social networking site for business professionals. What remains unknown is how the data was obtained, how long the hackers may have had access to it, and what other data might have been accessed.

How has LinkedIn responded publicly to the reports? The company has said precious little so far. Apart from a brief blog post confirming that "some" member passwords were compromised, the company has said nothing about the nature or scope of the compromise.

The company says it is investigating the incident.

Did the hackers obtain email addresses associated with the passwords? That remains unclear as well. To this point, only the passwords have surfaced online. But security analysts believe it's likely the hackers have accessed email addresses and other account data as well.

If user IDs were not obtained, what's the big deal? If they were not, that would diminish the seriousness of the compromise. Typically, however, password data is stored along with other account details. So if someone had access to the passwords, they very likely had access to other account information as well. The fact that the data has not surfaced could mean either that the hackers don't have it, or that they simply haven't released it.

What does it mean to me? If you're a LinkedIn user, it's a good idea to change your password, especially if you use the same password to access other online accounts. Make sure to use a STRONG password.

If your password was compromised, you will not be able to use it to log into your LinkedIn account. LinkedIn has said that it is contacting users whose password has been compromised with instructions on how to reset their password. The company has made clear that the email with instructions on how to reset the password will NOT contain any links. If you have not received an email yet, or if you are still able to access your account using your old password, it means either that your password was not compromised, or that LinkedIn doesn't know it yet.

What measures had LinkedIn taken to protect member passwords? Embarrassingly little, or so it appears so far, researchers say.

The breached passwords were all masked using a basic hashing algorithm known as SHA-1. Though SHA-1 offers a degree of protection against password cracking attempts, the algorithm is by no means foolproof. Numerous password cracking tools and tables that contain pre-computed hashes for billions of passwords are easily available. Almost anyone can use these tables to reverse almost any unsalted SHA-1 hash and recover the password in plain text in a matter of minutes. That explains why nearly all of the hashed passwords have been cracked already.

What could LinkedIn have done to protect the passwords better? Security experts say the company should have used a method known as "salting" to make its hashed passwords a lot harder to crack. In the salting process, a string of totally random characters is appended to a plaintext password before it is hashed. A salted hash is considered to be orders of magnitude harder to crack than a regular SHA-1 hash. Salting is considered today to be an almost basic security practice for protecting passwords.
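To make the difference concrete, here is an added illustration (not LinkedIn's code, and not from the original article) of why a plain SHA-1 hash falls to a pre-computed table while a salted one does not. The four-entry table and the passwords in it are constructed for the example; real tables hold billions of entries.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-in for a pre-computed table: unsalted SHA-1 digest -> password.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "qwerty"]
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1, the scheme the leaked hashes are reported to use.
    Every user with the same password gets the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salting as described above: random bytes appended before hashing.
    Returns (salt_hex, digest_hex); the salt is stored beside the digest."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.sha1(password.encode() + salt).hexdigest()
    return salt.hex(), digest


def table_lookup(digest: str) -> Optional[str]:
    """What a pre-computed table gives an attacker: an instant answer for any
    unsalted digest it contains, and nothing at all for a salted digest."""
    return PRECOMPUTED.get(digest)


def verify_salted(password: str, salt_hex: str, expected_digest: str) -> bool:
    """Login-time check for a salted record: re-hash with the stored salt and
    compare in constant time."""
    _, digest = salted_sha1(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, expected_digest)


if __name__ == "__main__":
    # Two users who chose "password": unsalted records are identical and both
    # fall to one table lookup; salted records differ and the table is useless.
    print(table_lookup(unsalted_sha1("password")))   # 'password'
    salt_a, hash_a = salted_sha1("password")
    salt_b, hash_b = salted_sha1("password")
    print(hash_a != hash_b, table_lookup(hash_a))    # True None
    print(verify_salted("password", salt_a, hash_a))  # True
```

A per-user salt defeats shared pre-computed tables, but it does not slow down guessing against one specific hash, which is why current practice pairs the salt with a deliberately slow function such as PBKDF2, bcrypt or scrypt rather than a single SHA-1 round.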

How can users be sure that more data was not accessed? That information must come from LinkedIn. It's possible that only password data was stolen. It's equally possible that the intruders gained access to email addresses as well.

Similarly, it's possible that a lot more than 6.5 million passwords were compromised. LinkedIn has over 100 million members. It's possible that the hackers released the 6.5 million passwords to show they have the goods to anyone interested in purchasing the purloined data from them. LinkedIn can be a goldmine for identity thieves and phishers.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
