WTF! LINKEDIN CONFIRMS OVER 6 MILLION ACCOUNT PASSWORDS STOLEN!

Hackers have stolen and posted almost 6.5 million passwords from professional networking site LinkedIn, the site confirmed today.

A user in a Russian forum claims to have hacked his way into 6,458,020 passwords, tech website The Verge reports.

The stolen passwords were then posted online. The list contains passwords, but excludes usernames. It is unclear if usernames were also downloaded, the site reports.

LinkedIn confirmed the password theft on their blog.

“We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts,” wrote LinkedIn Director Vincente Silveira.

The site has disabled all leaked passwords and sent affected users an email detailing the leak and how to reset a disabled password, Silveira.

The passwords were able to be cracked because, though they were encrypted with a process called hashing, they were not "salted," reported The Verge.

Hashing, the encryption method used by LinkedIn,is a common method of encrypting passwwords. The password itself is encoded into a random alphanumeric sequence that is hard to crack. As the anonymous hacker who uncovered the passwords showed today, it’s not impossible. That’s why websites will often “salt and hash” passwords, something LinkedIn started doing only after today’s incident.

Salting is a more secure way of encrypting passwords by merging the already encrypted password with another combination and hashing it again, The Verge reported.

"It would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step," Graham Cluely wrote on the Naked Security blog on the Sophos Security website.

"If you were using the same passwords on other websites - make sure to change them too," Cluley wrote, "and never again use the same password on multiple websites."

The revelation of the hacked passwords ironically comes on the same day as a post on the LinkedIn Blog stating the company is working harder to secure mobile calendar data after research "pointed out that some people might be uncomfortable" with how their data was handled in the mobile application.

That improved security was live in the Android store and submitted to Apple for approval this morning, according to the post.

A second email will be sent with “a bit more context” on the leak as well.

Silveira also noted that the site has starting “hashing and salting” passwords for further security to prevent breaches like this in the future.

LinkedIn has over 161 million members, says the site.

“We sincerely apologize for the inconvenience this has caused our members,” wrote Silveira, “we take the security of our members very seriously.”





SOURCE