The social networking site LinkedIn has admitted this morning that some of its members' passwords have been “compromised” after Russian hackers yesterday claimed to have breached the network’s security systems, posting more than 6 million hashed passwords on to the web for other hackers to decipher.
With more than 150 million professional business users worldwide, LinkedIn is an obvious target for fraudsters who may be able to use some of the information contained on the social networking and career contact website to try to break into bank accounts. So far, it is believed that more than a quarter of a million passwords have been deciphered.
LinkedIn says that the compromised passwords will, however, no longer be valid and that affected members will today receive emailed instructions on how to reset them. These emails will contain no links, and a second email explaining why the reset is necessary will follow.
Vicente Silveira, a director at LinkedIn, apologised for the inconvenience caused to its users and said in his blog posting statement on the website that “we take the security of our members very seriously”.
The hack follows earlier privacy concerns at LinkedIn: the site was forced to update its mobile application after security researchers exposed a flaw whereby unencrypted calendar entries were being sent to LinkedIn servers without members being made aware of it, potentially revealing conference dial-in codes and other company information.
According to Steve Watts, a security expert with the vendor, SecurEnvoy, “In the business-to-business (B2B) space it’s worth the investment to use two factor authentication which relies on more than just passwords, using something you have with something you know. But for the business-to-consumer (B2C) and consumer-to-consumer (C2C) arena it is also a worrying time because most people use the same credentials from one site to another. How long before your Amazon account, BT online or other accounts are compromised by replaying the same passwords?”
The hack has brought to light once again the importance of properly storing customer details, says Stuart Coulson, a cyber security practitioner and director of data centres at cloud provider UKFast. The database of passwords was hashed with the outdated SHA-1 algorithm and was not “salted” (where a random string is added to each password before hashing, so that identical passwords produce different stored values and a single precomputed table cannot be used against the whole database). “We see stories like this again and again,” added Coulson. “Big sites that we trust with our data are not correctly storing it to protect us from this threat.”
The forensic team at UKFast says it cracked 2,000 of the passwords in just 10 minutes using only a standard computer's central processing unit (CPU). With the added power of a graphics card (GPU), this would be greatly sped up.
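To make the storage point concrete, the following added example (not code from the article, LinkedIn or UKFast) contrasts the unsalted SHA-1 scheme described above with per-user salted, iterated hashing. The user names and passwords are constructed sample data, and the iteration count is an assumption chosen for illustration. It shows why a bare hash leaks which users share a password (and lets one lookup table serve an entire database), while a random salt and a deliberately slow key-derivation function remove both weaknesses.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample credential store (not real LinkedIn data).
# Two users happen to have chosen the same password.
USERS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "correct horse"}

# Assumed work factor; real deployments tune this to their hardware.
ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme from the article: one bare SHA-1 digest per password.

    Identical passwords always give identical digests, so a single
    precomputed table of common passwords matches every user at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).

    Returns (salt, digest); the salt is stored alongside the digest.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, expected: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def build_unsalted_store(users: Dict[str, str]) -> Dict[str, str]:
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def build_salted_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    return {user: salted_pbkdf2(pw) for user, pw in users.items()}


def shared_value_users(store: Dict[str, object]) -> int:
    """How many users' stored values are identical to another user's.

    A non-zero count means the store reveals password reuse across accounts
    and that cracking one entry cracks all of them at no extra cost.
    """
    counts: Dict[object, int] = {}
    for value in store.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    weak = build_unsalted_store(USERS)
    strong = build_salted_store(USERS)
    print("unsalted SHA-1: users sharing a stored value =", shared_value_users(weak))
    print("salted PBKDF2:  users sharing a stored value =", shared_value_users(strong))
    salt, digest = strong["alice"]
    print("verify correct password:", verify_pbkdf2("Summer2012", salt, digest))
    print("verify wrong password:  ", verify_pbkdf2("Winter2012", salt, digest))
```

The salt does not need to be secret, only unique per user; its job is to make every stored value different and force an attacker to start from scratch for each account. The iteration count is what turns the "2,000 passwords in 10 minutes on a CPU" figure into something far less practical, because every guess costs the defender-chosen number of hash operations rather than one.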