6.46 million LinkedIn passwords leaked online
Summary: More than 6.4 million LinkedIn password hashes have leaked to the Web after an apparent hack. Though the passwords were stored as hashes rather than in the clear, all users are advised to change their passwords.
A user on a Russian forum has claimed to have downloaded 6.46 million user hashed passwords from LinkedIn.
It looks as though some of the weaker passwords --- around 300,000 of them --- may have been cracked already. Other users have been seen reaching out to fellow hackers in an apparent bid to seek help in cracking the remaining hashes.
Finnish security firm CERT-FI is warning that the hackers may have access to user email addresses also, though these appear to be hashed rather than stored in readable form.
One ZDNet reader said they had searched the cache and found their own password. It has been reported that the passwords were hashed using the SHA-1 algorithm --- which has known weaknesses --- but a hash is not decrypted so much as guessed: an attacker hashes candidate passwords and looks for matches, so weak passwords fall quickly while the remaining, stronger ones may take a while longer to crack.
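To make the cracking point concrete, here is an added example written for this article (not LinkedIn's code, and not the real leaked file): a dictionary attack against a constructed set of unsalted SHA-1 hashes, the same lookup a reader would do to check whether their own password is in the cache, and, for contrast, a per-user-salted, slow hash that defeats the single-hash-tests-every-account shortcut. The two weak hashes are SHA-1 of the test strings "password" and "123456"; the third is SHA-1 of a made-up passphrase the wordlist does not contain.

```python
"""Dictionary attack on unsalted SHA-1 password hashes, plus the salted
alternative. Example code for this article; the "dump" below is constructed
(SHA-1 of a few test strings), not data from the real leak."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Set


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, hex-encoded, as in the leaked cache."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Assumed strong passphrase: its hash is in the dump but not in the wordlist.
STRONG_HASH = sha1_hex("glass-kettle-orbit-7-violin")

# Constructed stand-in for the leaked file: one bare SHA-1 hex digest per entry.
SAMPLE_DUMP: Set[str] = {
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",  # sha1("password")
    "7c4a8d09ca3762af61e59520943dc26494f8941b",  # sha1("123456")
    STRONG_HASH,
}

# Tiny wordlist; a real run uses millions of entries plus mangling rules.
WORDLIST = ["letmein", "123456", "qwerty", "password", "linkedin"]


def crack_unsalted(dump: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Hash each guess once and look it up in the dump.

    With no salt, one SHA-1 per guess tests it against every account at once,
    so the cost is proportional to the number of guesses, not users."""
    found: Dict[str, str] = {}
    for guess in wordlist:
        digest = sha1_hex(guess)
        if digest in dump:
            found[digest] = guess
    return found


def is_in_dump(password: str, dump: Set[str]) -> bool:
    """What a reader can do: hash your own password and search the cache."""
    return sha1_hex(password) in dump


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).

    The salt makes identical passwords hash differently for each user, so a
    guess must be rehashed per account, and the iteration count makes each
    rehash expensive. Stored as '<salt hex>$<derived key hex>'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str, iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    cracked = crack_unsalted(SAMPLE_DUMP, WORDLIST)
    print(f"cracked {len(cracked)} of {len(SAMPLE_DUMP)} hashes: {cracked}")
    print("is 'password' in the dump?", is_in_dump("password", SAMPLE_DUMP))
    stored = salted_hash("password", os.urandom(16))
    print("salted record:", stored)
    print("salted verify:", verify_salted("password", stored))
```

Run as-is it cracks the two weak hashes and leaves the passphrase alone; note that `crack_unsalted` hashes each guess exactly once regardless of how many accounts are in the dump, which is why the commenter's figure of billions of SHA-1 computations per second matters so much for an unsalted cache.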
LinkedIn has more than 150 million users worldwide. This apparent hack appears to affect less than 5 percent of its user base. It's not clear if any more users are affected outside this figure, but today's events will strike a damaging blow to the 'professional' social network's reputation.
Users are advised to change their passwords as a precautionary measure. Having said that, some readers are reporting that the password reset feature is being "overwhelmed" by visitors; naturally, considering the circumstances.
Update 1: LinkedIn said it was "looking into reports of stolen passwords."
Update 2: LinkedIn said it "continues to investigate" but is "unable to confirm that any security breach has occurred."
Update 3: LinkedIn confirmed it has suffered a breach leading to a leaked cache of user account details, but did not explain how the data was accessed. The company has disabled affected accounts and emailed account holders with details of how to reset their password. CNET's Elinor Mills has more.
Related:
- Hackers target Twitter spammers in massive account data breach
- Anonymous leaks Symantec's Norton anti-virus source code
- Facebook applications leak users' personal data to third parties
- Anonymous leaks 90,000+ emails from compromised military contractor
- Global Payments: Data breach is contained
- Sorry, Dropbox, I still don't trust you
Talkback
Way to go. Got no notice from them at all.
need to check site to get notice
Something of this magnitude should have its own email notice.
Was it an update from Linkedin you saw?
I agree
The only word from the company so far is via Twitter.
Email AND mandatory change at log in...
Root cause
For now I'd change password across sites that you reused the password on, then give linked in a unique special password that's not reused anywhere.
Strange functionality
However, the old one still works on my iPad app :(
SHA-1 Decrypt Speed Incorrect
Based on [this](http://www.golubev.com/hashgpu.htm) that is incorrect:
> 2300M/s SHA1 hashes
That's 2,300,000,000 passwords per second. That highly suggests that given a small [sum of money](http://codahale.com/how-to-safely-store-a-password/) you could decrypt all of them in a very short period of time.
73% of people use the same password for everything...
Yep
A lot of people don't make the connection, but separate email passwords are as critical as financial account passwords. If they get into your email they can often change your password to everything.
6-character passwords....
Linkedin uses Open Source Apache Traffic Server and other components
Damn
I'd change the password on any site you reused the password on to something else. I generally keep bank, email (since you can passwd reset), shopping, etc categories of sites use different passwords. It prevents elevation from social networking site or forum creds to bank creds.
I canceled my LinkedIn a few months ago
No notice, but changed password.
Original hash file
http://filevelocity.com/ixhk76jz07m5/SHA1.txt_1.rar
linkedin passwords leaked
Needs a Little "Salt" and/or "Pepper"
Bad Grammar
My pet peeve in professionally written news stories is bad grammar. For example, the 4th paragraph starts with this sentence: "One ZDNet reader said they had searched the cache and and found their their password."
"Reader" is a single subject but you used plural pronouns "they" and "their" in the sentence. Such an error shouts "Error" and usually overshadows whatever the author is trying to say. (I have assumed the "and and" and "their their" were typos - a subject for a different rant.) You are a professional. Please. Please. Please, maintain case consistency.
Thank you...
"Happy" Jack
OMG.
See h-t-t-p : // www.albion.com/netiquette/corerules.html, Rule 10