Social network LinkedIn is investigating reports by several security firms that it has suffered a massive password security breach potentially affecting more than 6 million users.
“Our team continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred,” said Erin O'Harra, a public relations associate at LinkedIn in response to a request for information.
Passwords purportedly stolen in an attack on LinkedIn were posted to a Russian hacker forum on Tuesday. The post contained a massive file holding 6.4 million password hashes. The file did not contain usernames. LinkedIn claims to have 161 million members globally.
It appears that the passwords were hashed via SHA-1, a weak algorithm used typically only to verify the integrity of a file, said Marcus Carey, security researcher at Rapid7. Best practices dictate that password hashing be accompanied by a random salt, so that identical passwords do not produce identical hashes and precomputed hash tables cannot be applied directly to the stored values.
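The following is an added example, not code from the article or from LinkedIn, illustrating the difference Carey describes: an unsalted SHA-1 store versus one with a random per-user salt. The user names, passwords and candidate list are constructed for the demonstration; the record format `salt_hex$hash` is an assumption of this example, not LinkedIn's format.

```python
"""Added example (not from the article): why an unsalted SHA-1 password
store leaks more than a salted one.  Every user, password and candidate
value below is constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed sample of what a site might hold: user -> cleartext password.
SAMPLE_USERS = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",            # deliberately the same as alice
    "carol": "correct horse battery staple",
}

# Constructed list of known-weak passwords, as a password-audit tool
# would keep it; its hashes can be precomputed once.
WEAK_CANDIDATES = ["password", "123456", "linkedin2012"]


def unsalted_sha1(password: str) -> str:
    """The scheme the article describes: a bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt followed by the password."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def make_salted_record(password: str) -> str:
    """Stored record 'salt_hex$hash' with a fresh 16-byte random salt."""
    salt = secrets.token_bytes(16)
    return salt.hex() + "$" + salted_sha1(password, salt)


def verify_salted(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt; constant-time compare."""
    salt_hex, stored = record.split("$", 1)
    candidate = salted_sha1(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def duplicate_hash_groups(hashes) -> int:
    """Number of distinct hash values that occur more than once.
    In an unsalted dump each such group exposes users sharing a password."""
    counts = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def precomputed_table_hit(stored_hash: str) -> bool:
    """True if a hash matches the once-built table of weak-password hashes.
    Only unsalted hashes can be matched this way; a salted hash would need
    the table rebuilt per salt."""
    table = {unsalted_sha1(p): p for p in WEAK_CANDIDATES}
    return stored_hash in table


def demo() -> dict:
    unsalted = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: make_salted_record(p) for u, p in SAMPLE_USERS.items()}
    salted_hashes = [r.split("$", 1)[1] for r in salted.values()]
    return {
        # alice and bob collide only in the unsalted store
        "unsalted_duplicate_groups": duplicate_hash_groups(unsalted.values()),
        "salted_duplicate_groups": duplicate_hash_groups(salted_hashes),
        # the weak-password table flags alice unsalted, but not her salted hash
        "unsalted_table_hit": precomputed_table_hit(unsalted["alice"]),
        "salted_table_hit": precomputed_table_hit(salted_hashes[0]),
        "alice_verifies": verify_salted("linkedin2012", salted["alice"]),
        "wrong_password_rejected": not verify_salted("wrong", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting alone does not slow a guess-by-guess attack against one record; current practice combines a per-user salt with a deliberately slow function such as `hashlib.pbkdf2_hmac` or bcrypt, which is the natural next step beyond what the article describes.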
“What we do know is that there have been several people in the security community that have verified that their LinkedIn password hash was in that password dump,” Carey said in an interview with SearchSecurity.com. “All indications point to a massive website breach.”
Rapid7's Carey and researchers at several other security firms are warning LinkedIn account holders to change their LinkedIn password to be safe. Carey said it is very likely that LinkedIn may force all users to change their passwords, once investigators determine that the breach has been contained.
The password files posted to the Russian site remain publicly available. They consist of a large RAR archive containing the password hashes and a second, smaller zip file containing approximately 160,000 passwords recovered in what could be a brute force attack, according to Rapid7’s Carey.
Patrik Runald, director of security research at Websense Inc., said user account databases should be protected with a firewall. Additional measures can be taken to protect the Web server and the Web applications through which accounts are accessed from the website.
“There’s a lot that we don’t know at this point,” Runald said, cautioning not to jump to conclusions. “We don’t know if a breach was done through a public facing machine or done through some internal means.”
Attackers typically seek out website vulnerabilities and Web application flaws using automated tools. SQL injection, one of the most prevalent attacks, could have been used to gain access to the password data.
LinkedIn to reset affected account passwords following initial investigation
LinkedIn provided an update Wednesday, confirming that “some of the passwords that were compromised correspond to LinkedIn accounts.” The social network did not state whether its systems were breached.
The company is invalidating passwords that were contained in the file and informing affected users via email with instructions on how to reset their passwords, said Vicente Silveira, principal product manager at LinkedIn, in a blog post about the firm’s investigation. For security reasons there will not be any links contained in the LinkedIn message, Silveira wrote.
“These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords,” Silveira wrote.
Silveira also said that the firm recently added salting to its hashed password databases.
Scope widens to include eHarmony dating website
Dating site eHarmony is joining LinkedIn in resetting account credentials following a password leak. “Members will receive an email with instructions on how to reset their passwords,” the company said.