I am sending out this message because it seems that all or almost all
passwords on Linkedin have been compromised. This is an on-going and
possibly unresolved situation, so even if you change passwords now, you may
have to change them again. The hackers may not have access to your email
identity, which is good.
In the meantime, please pay attention to further messages, and I would
suggest changing your Linkedin password at this time to a unique combination
of letters and words that you do not use elsewhere.
Enclosed is the Computerworld article:
Update: LinkedIn probing reports of massive breach
About 6.5 million hashed LinkedIn passwords said to be accessed and posted
online
Jaikumar Vijayan
June 6, 2012 (Computerworld) <http://www.computerworld.com>
Professional social networking service LinkedIn today said it is
investigating reports that hackers broke into its systems and accessed the
usernames and hashed passwords of the social network's 6.5 million members.
The data was said to be posted on an online Russian hacker forum.
In numerous Twitter messages
<https://twitter.com/LinkedIn/status/210356987576324096> , LinkedIn told its
members that it's investigating the breach reports, and that it can't yet
confirm that hacker had accessed the site.
One said: "Our team is currently looking into reports of stolen passwords.
Stay tuned for more."
One security researcher today said that he has downloaded a file from a
Russian hacker website containing more than 6.4 million hashed passwords.
Marcus Carey, a security researcher at Rapid7, said he also downloaded two
separate files containing more than 300,000 passwords collected by the
hackers. The hackers accessed the passwords by using simple password
cracking tools, Carey said.
Though it is not immediately possible to confirm if the hashed passwords
were in fact accessed from LinkedIn's servers, there are numerous anecdotal
reports that users have seen their LinkedIn password posted online, he said.
So far, he added, there is no evidence that emails associated with the
passwords have also been accessed, though that remains a possibility.
Carey noted that the hackers might still have access to the LinkedIn
servers.
According to him, a look at the data that was posted online suggests that
the hackers may have had access to the data for sometime.
Users of LinkedIn should immediately change their passwords to protect their
accounts, he said.
After reviewing the data posted online by the apparent hackers, Carey said,
"We don't know who is behind this but [they] definitely had access to the
LinkedIn database for at least the last week."
"I want to emphasize is that we don't know if the attackers still have
access to the LinkedIn system," he added.
According to Carey, a manual inspection of the leaked passwords show that
the site was protected by using the Secure Hashing Algorithm-1 (SHA-1)
format.
Because the protection offered by SHA-1 isn't foolproof, security experts
have for some time now recommended that organizations use a technique called
salted hashing to protect sensitive data, like passwords.
The fact that the passwords have been hashed using straight SHA-1 makes them
somewhat easy to crack using brute force methods, he said.
Many of the 300,000 or so passwords that have already been posted in clear
text online were cracked using a password cracking tool called John the
Ripper, Carey said.
Users should immediately change their passwords, and keep a close eye on
updates on the incident from LinkedIn, he said.
If it turns out that the hackers still have access to the database, LinkedIn
users may need to change their passwords again, he said.
"The silver lining here is that we know the attack took place, so users can
at least change their passwords," he said.
The real danger comes when such attacks aren't discovered until long after
they are launched. The fact that the attackers don't appear to have the
matching email addresses for the stolen passwords is also a good sign fro
LinkedIn members, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services
security and e-voting for Computerworld. Follow Jaikumar on Twitter at
@jaivijayan <http://twitter.com/jaivijayan> , or subscribe to Jaikumar's RSS
feed <http://www.computerworld.com/s/feed/keyword/Jaikumar+Vijayan> . His
e-mail address is jvijayan@computerworld.com.
Thank you,
John Rechenberg, PMP
158 Harcourt Avenue
Bergenfield, NJ 07621-1960
jar1@optonline.net
H: [201]387-9063
C: [201]694-3571
http://www.linkedin.com/in/johnrechenberg
Attachment(s) from John Rechenberg
1 of 1 File(s)
No comments:
Post a Comment