Three companies have warned users in the last 24 hours that their customers' passwords appear to be floating around on the Internet, including on a Russian forum where hackers boasted about cracking them. I suspect more companies will follow suit.
Curious about what this all means to you? Read on.
What exactly happened? Earlier this week a file containing what looked like 6.5 million passwords and another with 1.5 million passwords was discovered on a Russian hacker forum on InsidePro.com, which offers password-cracking tools. Someone using the handle "dwdm" had posted the original list and asked others to help crack the passwords, according to a screenshot of the forum thread, which has since been taken offline. The passwords were not in plain text, but were obscured with a technique called "hashing." Strings in the passwords included references to LinkedIn and eHarmony, so security experts suspected that they were from those sites even before the companies confirmed yesterday that their users' passwords had been leaked. Today, Last.fm (which is owned by CBS, parent company of CNET) also announced that passwords used on its site were among those leaked.
What went wrong? The affected companies have not provided information about how their users' passwords got in the hands of malicious hackers. Only LinkedIn has so far provided any details on the method it used for protecting the passwords. LinkedIn says the passwords on its site were obscured using the SHA-1 hashing algorithm.
If the passwords were hashed, why aren't they secure? Security experts say LinkedIn's password hashes should have also been "salted," using terminology that sounds more like we're talking about Southern cooking than cryptographic techniques. Hashed passwords that aren't salted can still be cracked using automated brute force tools that convert plain-text passwords into hashes and then check if the hash appears anywhere in the password file. So, for common passwords, such as "12345" or "password," the hacker needs only to crack the code once to unlock the password for all of the accounts that use that same password. Salting adds another layer of protection by including a string of random characters to the passwords before they are hashed, so that each one has a unique hash. This means that a hacker will have to try to crack every user's password individually instead, even if there are a lot of duplicate passwords. This increases the amount of time and effort to crack the passwords.
The LinkedIn passwords had been hashed, but not salted, the company says. Because of the password leak, the company is now salting all the information that is in the database that stores passwords, according to a LinkedIn blog post from this afternoon that also says they have warned more users and contacted police about the breach. Last.fm and eHarmony, meanwhile, have not disclosed whether they hashed or salted the passwords used on their sites.
Why don't companies storing customer data use these standard cryptographic techniques? That's a good question. I asked Paul Kocher, president and chief scientist at Cryptography Research, whether there was an economic or other disincentive and he said: "There is no cost. It would take maybe 10 minutes of engineering time, if that." And he speculated that the engineer that did the implementation just "wasn't familiar with how most people do it." I asked LinkedIn why they didn't salt the passwords before and was referred to these two blog posts: here and here, which don't answer the question.
In addition to inadequate cryptography, security experts say the companies should have fortified their networks better so hackers couldn't get in. The companies haven't disclosed how the passwords were compromised, but given the large number of accounts involved, it's likely someone broke into their servers, maybe by exploiting a vulnerability, and snatched the data as opposed to it being due to some successful, large-scale phishing attack.
Was my user name stolen too? Just because the user names associated with the passwords weren't posted to the hacker forum doesn't mean they weren't stolen too. In fact, account data such as user names and passwords are typically stored together, so it's highly likely the hackers know everything they need to log into the affected accounts. LinkedIn won't say whether user names were exposed, but says that e-mail addresses and passwords are used to log into accounts and that no e-mail log-ins associated with the passwords have been published, that they know of. Also, the company says it has not received any "verified reports" of unauthorized access to any member's account as a result of the breach.
What should I do? LinkedIn and eHarmony said they have disabled the passwords on affected accounts and will follow up with an e-mail that includes instructions for resetting the passwords. The LinkedIn e-mail will not include a link directly to the site, so users will have to access the site via a new browser window, the company said. This is because phishing e-mails often use links in e-mails. Phishing scammers are already exploiting consumer fears about the password breach and sending links to malicious sites in e-mails that look like they come from LinkedIn. Last.fm urged all of its users to log into the site and change their passwords on the settings page, and said it, too, will never send an e-mail with a direct link to update settings or ask for passwords. Personally, I would recommend changing your password if you use any of the sites that have issued warnings just in case. Just because your password isn't on the leaked lists doesn't mean it wasn't stolen, and security experts suspect that the lists aren't complete.
So, you've changed your password on the sites, don't relax just yet. If you recycled that password and used it on other accounts, you need to change it there too. Hackers know that people re-use passwords on multiple sites out of convenience. So when they know one password, they can easily check to see if you used it on another more critical site, such as a bank Web site. If your password is remotely similar on the other site, you should change it. It's not that hard to figure out that if you used "123Linkedin" you might also use "123Paypal." And if you are curious as to whether your password was compromised, LastPass, a password manager provider, has created a site where you can type in your password and see if it was on the leaked password lists.
I could write a very long story about choosing strong passwords (actually, I already have), but some basic tips are to choose a long one, say six characters at a minimum; avoid dictionary words and opt for a mix of lower-and upper-case letters, symbols and numbers; and change passwords every couple of months. If you wisely choose strong ones you probably won't be able to remember them all, so here are suggestions for tools that help you manage passwords. (My colleague Donna Tam also has recommendations from experts in this article.)
How do I know if a Web site is protecting my password in the event of a breach? "You don't," said Ashkan Soltani, a security and privacy researcher. Most Web sites don't disclose what their security practices are, opting instead to assure people that they take "reasonable steps" to protect user privacy, he said. There are no minimum security standards that general Web sites are required to follow like there are for banks and other financial sites that handle cardholder information for the major credit card companies. Many Web sites that accept payments outsource the processing of the transactions to other firms that are then subject to the Payment Card Industry Data Security Standard (PCI DSS). Outside of the PCI certification, there is no reliable seal-of-approval for security in particular that people can look at to decide whether to trust a Web site or not. Maybe if there are enough data breaches at these big Web sites that people use every day, people will start demanding that the companies boost their security measures and lawmakers will call for security standards. Maybe.
I have a premium membership. Should I be worried? LinkedIn spokeswoman O'Harra told CNET that "to the best of our knowledge, no other personal information beyond the list of passwords was compromised." It's unclear what the situation is at eHarmony and Last.fm, which also offer paid subscriptions. Representatives at those sites have not yet responded to questions. Security firm AVG has a good tip for protecting credit card data when using Web-based sites that might fall prey to hacking. "If you subscribe to online services, such as LinkedIn's or another site's premium services, put aside a credit card just for online purchases so that once it's compromised, you can alert just the one credit card company of the breach," writes AVG security evangelist Tony Anscombe in a blog post. "Do not use an ATM card for such purchases as you may lose access to cash anywhere from a few hours to a few days."
Besides my password, what other information in my account is sensitive? Hackers may have already used the compromised passwords to access at least some of the accounts. Once in, a hacker could pose as the account holder and send messages to others on the site, as well as find out your e-mail and other contact information if you provided it in your profile, along with names of your contacts and contents of messages sent between you and others that might contain sensitive information. There is a plethora of information there that can be used to target you with social engineering attacks, and even fodder that could be helpful for conducting corporate espionage because of the professional focus of the LinkedIn social-networking site.