LinkedIn Confirms Security Breach, Users' Passwords Compromised

NEW YORK (CBSNewYork/AP) - If you're on LinkedIn, you may want to change your password.

The business social network said Wednesday that some of its users' passwords have been stolen and leaked onto the Internet.

LinkedIn Corp. did not say how many of the more than six million passwords that were distributed online corresponded to LinkedIn accounts. In a blog post Wednesday, the company said it was continuing to investigate.

Graham Cluley, a consultant with U.K. Web security company Sophos, recommended that LinkedIn users change their passwords immediately.

LinkedIn, dubbed "the world's largest professional network," has a lot of information on its more than 160 million members, including potentially confidential information related to jobs being sought. Companies, recruiting services and others have accounts alongside individuals who post resumes and other professional information.

There's added concern that many people use the same password on multiple websites, so whoever stole the data could use the information to access Gmail, Amazon, PayPal and other accounts, Cluley said.

Before confirming the breach, LinkedIn issued security tips as a precautionary measure. The company said users should change passwords at least every few months and avoid using the same ones on multiple sites.

LinkedIn also had suggestions for making passwords stronger, including avoiding passwords that match words in a dictionary. One way is to think of a meaningful phrase or song and create a password using the first letter of each word.

Cluley said hackers are working together to break the encryption on the passwords.

"All that's been released so far is a list of passwords and we don't know if the people who released that list also have the related email addresses," he said. "But we have to assume they do. And with that combination, they can begin to commit crimes."

It wasn't known who was behind such an attack.

LinkedIn Director Vicente Silveira added the following blog post:

We want to provide you with an update on this morning's reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:

  1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
  2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.
  3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.

We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously. If you haven't read it already it is worth checking out my earlier blog post today about updating your password and other account security best practices.

While the passwords appear to be encrypted, security researcher Marcus Carey warned that users should not take solace from such security measures.

"If a website has been breached, it doesn't matter what encryption they're using because the attacker at that point controls a lot of the authentication," said Carey, who works at security-risk assessment firm Rapid7. "It's 'game over' once the site is compromised."

Cluley warned that LinkedIn users should be careful about malicious email generated around the incident. The fear is that people, after hearing about the incident, would be tricked into clicking on links in those emails. Instead of leading to the real LinkedIn site to change a password, the link would go to a scammer, who can then collect the information and use it for criminal activities.

Are you on LinkedIn? If so, do you plan on changing your password? Let us know below.

(TM and © Copyright 2012 CBS Radio Inc. and its relevant subsidiaries. CBS RADIO and EYE Logo TM and Copyright 2012 CBS Broadcasting Inc. Used under license. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.)
