LinkedIn, the hub of corporate social networking, is investigating claims that over 6 million of its users’ passwords were leaked onto the internet. LinkedIn, which has over 150 million users, is designed to let professionals share resume details and network with like-minded people.
Hackers have reportedly posted a file containing encrypted passwords onto a Russian web forum. The company has confirmed the leak and says it is currently looking into the reports.
LinkedIn statement: We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
“We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation,” LinkedIn’s Vicente Silveira said in the blog post.
Mr Silveira said passwords on the compromised accounts were no longer valid, and that those members will receive instructions on how to reset their passwords.
“There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email,” he said.
For other members, LinkedIn has implemented “enhanced security” for password protection, he added.
Late last year, a security researcher warned that LinkedIn had flaws that made users’ accounts vulnerable to attack because of the way it manages cookies. Narang, who posted the flaw on his blog, wtf.uzz, said that unlike other websites, whose cookies typically expire within 24 hours, LinkedIn’s “LEO_AUTH_TOKEN” cookie has a validity of one year. This allows anyone who obtains that cookie file to access the user’s account without needing log-in credentials.
LinkedIn was co-founded by former PayPal executive Reid Hoffman in 2002 and makes money selling marketing services and subscriptions to companies and job seekers.
Graham Cluley of the British security firm Sophos said the hacker posting “does contain, at least in part, LinkedIn passwords”.
“Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals,” Mr Cluley said in a blog post.
As a result, Mr Cluley said, “it would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step”.
The breach is the latest in a string of high-profile hacks targeting major tech companies and governments around the globe. In this latest incident, Sophos security experts came across some 6.4 million scrambled passwords earlier this week. The data was found on underground websites frequented by hackers; it included only passwords, not corresponding email addresses or personal information.
Several security experts who examined the data believed that LinkedIn had failed to use best practices for securing it. The experts said LinkedIn had used a vanilla, that is basic, technique for encrypting the now-stolen data.
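To make concrete why a "vanilla" password store is weak, here is an added illustration that is not code from LinkedIn or from this article: the leaked file is widely reported to have held unsalted SHA-1 digests, so the unsalted function below models that assumption, and the salted PBKDF2 variant is what a defender would use instead. The sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# "Vanilla" storage: a plain SHA-1 digest of the password, no salt, no
# work factor. Widely reported as the scheme behind the leaked file
# (an assumption stated in the lead-in, not a claim made by the article).
def unsalted_record(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Defender's alternative: per-user random salt plus a slow KDF (PBKDF2),
# stored as a self-describing record so parameters can be raised later.
def salted_record(password: str, iterations: int = 100_000,
                  salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, record: str) -> bool:
    _alg, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(digest.hex(), digest_hex)

def shared_password_groups(records: List[str]) -> Dict[str, int]:
    """Count how many users share each stored value. With an unsalted
    store, every user who chose the same password shows up as one group,
    so a single guess covers the whole group at once."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r] = counts.get(r, 0) + 1
    return {r: n for r, n in counts.items() if n > 1}

def demo() -> Tuple[int, int]:
    # Constructed sample of three users; two chose the same weak password.
    passwords = ["linkedin", "linkedin", "correct horse battery staple"]
    unsalted = [unsalted_record(p) for p in passwords]
    salted = [salted_record(p) for p in passwords]
    # Unsalted: one duplicate group is exposed. Salted: no group, because
    # the random salt makes identical passwords produce different records.
    return len(shared_password_groups(unsalted)), len(shared_password_groups(salted))

if __name__ == "__main__":
    print("duplicate groups (unsalted, salted):", demo())
    rec = salted_record("linkedin")
    print("verify correct:", verify_salted("linkedin", rec))
    print("verify wrong:", verify_salted("Linkedin", rec))
```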