6.5 million LinkedIn passwords reportedly stolen, posted online

If you haven't changed your LinkedIn password in the past few months, now would be a very good time to do so

Details are murky, but Norwegian computer site DagensIT.no reports that 6.5 million LinkedIn passwords were recently posted to a Russian hacker site. Quoting Norwegian consultant Per Thorsheim, the site says, "Those who posted [the passwords] wanted help to crack the codes. ... Unfortunately, they are in a format that makes it relatively easy to break them."

Thorsheim has been actively tweeting his discoveries, as has F-Secure's ace sleuth Mikko Hipponen. LinkedIn confirms via Twitter that it is looking into the reports.

It's important to realize that the reports state only the hashed passwords were posted. Email addresses (LinkedIn uses email addresses as log-on IDs) and other information were not posted.

The passwords were encrypted using an unsalted SHA-1 hashing algorithm. That means it's easy to verify if a particular password is on the list; just put your password through the SHA-1 algorithm, and check what comes out to see if the hashed password is one of the 6.5 million. But there's no known way to go from hashed password to the original -- it's a one-way encryption.

The implication, though, is that a big dictionary coupled with some inspired guessing can turn up many of the passwords.

While the ancillary details -- particularly email addresses -- aren't posted, there's no way to tell at this point if the password purloiners also have that information. That's likely to be the reason why they were seeking information on cracking the passwords.

Peter Kruse confirms on Twitter that he changed his LinkedIn password "7 or 8 months ago," and the hashed password on the list matched his old password. That's an indication -- but not proof-positive -- that the leaked list is many months old.

Now would be a very good time to change your LinkedIn password.

And if you reused that password on any other accounts -- especially financial accounts or email accounts -- you better get those changed, too.

This story, "6.5 million LinkedIn passwords reportedly stolen, posted online," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies