The scope of the massive leaked password files that seemed limited to users of social network LinkedIn widened late Wednesday when dating site eHarmony announced it was invalidating some user passwords.
“After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected,” eHarmony said in a statement about the compromised passwords posted to its blog.
Members of the dating site will receive an email with instructions on how to reset their passwords, the company said.
Security pros at a variety of social networks are scrambling to determine whether their systems were breached after a massive password dump file was posted to a Russian hacking site on Tuesday. The file contained no usernames or other identifying data. The passwords were weakly hashed, with no salting scheme to deter cybercriminals from cracking them. The file appeared to contain passwords from LinkedIn, but a second, smaller file contained about 1.5 million hashed passwords belonging to users of eHarmony. Experts say it’s common for people to use the same password for multiple accounts, which further complicates efforts to determine how the hacker obtained the passwords.
The eHarmony announcement included additional information about the company’s security. In addition to password hashing, the company uses data encryption. The announcement also listed other common baseline safeguards such as firewalls and SSL.
Graham Cluley, a senior technology consultant at Sophos, said few details are available to determine how the passwords were stolen. The hacker could have breached the systems of a social network, conducted brute-force attacks or a phishing campaign. Security experts said the board where the leaked password files were posted is closely monitored by authorities because it’s not uncommon for cybercriminals to post smaller hashed password files to the Russian site to get other black hats to crack the hashes.
“It appears the passwords were posted to help in cracking and reversing them,” Cluley said in an interview with SearchSecurity.com. “If email addresses weren’t stored in hashed format, they could very well have them and we could have an even bigger problem on our hands.”
Any website that accepts user credentials should have protections in place to protect its customers, Cluley said. Salting simply adds a string of data to each password before it is hashed, making the stored hashes more difficult to crack. Updating systems to support the protection is not difficult, Cluley said.
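As an added illustration (not code from the original article, nor from LinkedIn or eHarmony), the following shows why an unsalted hash store is weak and what the salted alternative looks like: identical passwords hash to identical digests, so a small precomputed table of common passwords matches them directly, while a per-user random salt plus a slow KDF does not. SHA-1 as the leaked scheme and the sample password list are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist, standing in for the common-password lists
# used against weakly hashed dumps.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein"]


def weak_hash(password: str) -> str:
    """Unsalted SHA-1: one digest per password, identical across every site
    and every user who chose that password (assumed leaked scheme)."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputed_table(words):
    """Digest -> plaintext map; only possible because there is no salt."""
    return {weak_hash(w): w for w in words}


def audit_weak_store(digests, table):
    """Defender's check: how many stored digests fall to a trivial table."""
    return {d: table[d] for d in digests if d in table}


def strong_hash(password: str, salt: bytes = None, iterations: int = 100_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); store both."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt, iterations)[1], digest)
```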
“This is something that all websites that are storing passwords and other critical information should have adopted long ago,” Cluley said. “There’s been a number of examples over the years of serious incidents. I guess protecting their customer information simply wasn’t a priority in this case.”