LinkedIn said today that some passwords on a list of allegedly stolen hashed passwords belong to its members, but did not say how its site was compromised.
"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," Vicente Silveira, a director at the professional social-networking site, wrote in a blog post. It is unknown how many passwords have been verified by LinkedIn.
LinkedIn has disabled the passwords on those accounts, it said. Account holders will receive an e-mail from LinkedIn with instructions for resetting their passwords. The company says the e-mails will not include any links, because phishing attacks often rely on links in e-mails that lead to fake sites designed to trick people into providing information.
Affected account holders will then receive a second e-mail from LinkedIn customer support explaining why they need to change their passwords.
Earlier this morning, LinkedIn had said it found no evidence of a data breach, despite the fact that LinkedIn users were reporting that their passwords were on the list.
Later in the day, eHarmony confirmed that some of its users' passwords had also been compromised, but did not say how many.
LinkedIn hashed the passwords with the SHA-1 algorithm but did not use proper obscuring techniques that would have made password cracking more difficult, said Paul Kocher, president and chief scientist of Cryptography Research. The passwords were obscured with a cryptographic hash function, but the hashes were not made unique to each account by mixing in a random value, a procedure called "salting," he said. So once a hacker finds a match for a guessed password, that same hash identifies every other account that uses the same password.
There were two things LinkedIn failed at, Kocher said:
They did not hash the passwords in a way that somebody would need to repeat their search for each account and they did not segregate and manage the (user) data in a way that they would not get compromised. The only thing worse they could have done would be to put straight passwords in a file, but they came pretty close to that by failing to salt.
Security and crypto expert Dan Kaminsky tweeted that "salting would have added around 22.5 bits of complexity to cracking the #linkedin password dataset."
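The following added example (not code from the article or from LinkedIn) illustrates Kocher's and Kaminsky's points on a constructed user table: with unsalted SHA-1, every account sharing a password collapses to one hash, so one cracked guess reveals all of them, while a per-account random salt makes each hash distinct and forces the work to be repeated per account. The `salting_bits_gained` helper is the assumed reading of Kaminsky's figure as log2 of the number of hashes in the list.

```python
import hashlib
import math
import os

# Constructed sample accounts (not data from the leak); several reuse one password.
SAMPLE_USERS = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",
    "carol": "correct horse",
    "dave": "linkedin2012",
}

def unsalted_sha1(password: str) -> str:
    """Scheme the article attributes to LinkedIn: plain SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_sha1(password: str, salt: bytes) -> str:
    """Salted variant: a per-account random salt is mixed in, so equal passwords
    hash differently and a cracked guess exposes only the one account it was tried on.
    (Salting alone does not slow each guess; a slow KDF such as PBKDF2 or bcrypt is the
    current practice, but that is beyond what the article describes.)"""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def accounts_per_hash(users: dict) -> dict:
    """Group accounts by unsalted hash: every account in a group falls to one cracked guess."""
    groups: dict = {}
    for name, pw in users.items():
        groups.setdefault(unsalted_sha1(pw), []).append(name)
    return groups

def salted_table(users: dict) -> dict:
    """Store (salt_hex, hash) per account, drawing a fresh 16-byte salt for each."""
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        table[name] = (salt.hex(), salted_sha1(pw, salt))
    return table

def verify(table: dict, name: str, password: str) -> bool:
    """Login-time check: recompute the salted hash with the stored salt and compare."""
    salt_hex, stored = table[name]
    return salted_sha1(password, bytes.fromhex(salt_hex)) == stored

def salting_bits_gained(num_hashes: int) -> float:
    """Extra work, in bits, that salting forces on an attacker who must now test each
    guess against every hash separately instead of once against the whole set: log2(N).
    For the ~6.5 million hashes in the list this is about 22.6 bits, close to the
    ~22.5 bits Kaminsky cited."""
    return math.log2(num_hashes)
```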
The password list, which was uploaded to a Russian hacker site and has since been removed, has nearly 6.5 million items, but it's not clear how many of the passwords were cracked. Many of them have five zeros in front of the hash; Kocher said he suspects those are the ones that were cracked. "This suggests that this may be a file stolen from a hacker who had already done some work on cracking the hashes," he said.
And just because an account holder's password is on the list and appears to have been cracked, doesn't mean the hackers actually logged into the account, although Kocher said it's highly likely that the hackers had access to the user names too.
Ashkan Soltani, a privacy and security researcher, said he suspects that the passwords could be old because he found one that was unique to him and that he had used on a different service years ago. "It could be an amalgamation of password lists that someone is trying to break," he said. A hacker using the handle "dwdm" posted one list of passwords to the InsidePro hacker site and asked for help in cracking it, according to a screen capture Soltani saved. "They were crowdsourcing the password cracking," he said.
Not only are LinkedIn users at risk of having their accounts hijacked by hackers; other scammers are already exploiting the situation. During a 15-minute phone call this morning, Kocher said he had received several spam phishing e-mails purporting to be from LinkedIn and asking him to verify his password by clicking on a link.
And if people use the LinkedIn password as their password for other accounts, or a similar format to the password, those accounts are now at risk. Here are some tips on choosing strong passwords and what to do if your password may be among those on the LinkedIn list.
LinkedIn's Silveira said LinkedIn is investigating the password compromise and taking steps to increase the security of the site. "It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," he wrote.
"We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously," Silveira added. "If you haven't read it already, it is worth checking out my earlier blog post today about updating your password and other account security best practices."
It's been a rough day for LinkedIn. In addition to the password leak, researchers have discovered that LinkedIn's mobile app collects data from users' calendar entries, including passwords and meeting notes, and transmits it back to the company's servers without their knowledge. After that news came out, LinkedIn said in a blog post today that it will stop sending meeting notes data from calendars. In addition, LinkedIn says the calendar sync feature is opt-in and can be disabled, that it doesn't store any of the calendar data on its servers, and that it encrypts the data in transit.
Updated at 7:18 p.m. with comment from Ashkan Soltani, 6:14 p.m. PT with eHarmony confirming passwords compromised, 3:06 p.m. PT with information on controversy over privacy issue with LinkedIn's mobile app and 1:45 p.m. PT with background, more details, expert comment.