Millions of LinkedIn passwords reportedly leaked - take action NOW

Filed Under: Data loss, Featured, Privacy, Social networks

Although not yet confirmed by the business-networking website, it is being widely speculated that over six million passwords belonging to LinkedIn users have been compromised.

[Image: LinkedIn update on Twitter]

A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them.

Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals.

Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords.

As such, it would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step. Of course, make sure that the password you use is unique (in other words, not used on any other websites), and hard to crack.

If you were using the same passwords on other websites - make sure to change them too. And never again use the same password on multiple websites.
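To make concrete what "SHA-1 unsalted password hashes" means for the leaked file, here is an added Python example (not code from the article or from LinkedIn): it contrasts bare SHA-1 storage, where identical passwords give identical digests and hashing one common word once tests it against every record, with salted PBKDF2 storage and verification. The user records and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample records (user -> password); deliberately weak choices, not real credentials.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "linkedin",
    "carol": "password",  # same password as alice
}

# Constructed stand-in for the common-password lists that crackers, and defenders, use.
SAMPLE_WORDLIST = ["123456", "password", "letmein", "linkedin"]


def sha1_unsalted(password: str) -> str:
    """Storage as described for the leaked file: one bare SHA-1 digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_digests(digests) -> int:
    """How many stored digests repeat. With no salt, users sharing a password share a digest."""
    digests = list(digests)
    return len(digests) - len(set(digests))


def weak_password_audit(digests, wordlist) -> int:
    """Defender's audit of an unsalted store: hash each common word once and count the
    stored digests it matches. One SHA-1 per word covers every record at once, which is
    also why an unsalted dump is cracked so quickly."""
    table = {sha1_unsalted(word) for word in wordlist}
    return sum(1 for d in digests if d in table)


def pbkdf2_store(password: str, iterations: int = 100_000) -> dict:
    """Hardened storage: a random per-user salt plus a slow, iterated PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def pbkdf2_verify(record: dict, candidate: str) -> bool:
    """Checking a login must redo the work with this record's own salt and iteration count,
    so a guess can never be tested against more than one record at a time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    unsalted = {u: sha1_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: pbkdf2_store(p) for u, p in SAMPLE_USERS.items()}
    print("repeated SHA-1 digests:", duplicate_digests(unsalted.values()))
    print("unsalted records matched by wordlist:", weak_password_audit(unsalted.values(), SAMPLE_WORDLIST))
    print("repeated PBKDF2 digests:", duplicate_digests(r["digest"] for r in salted.values()))
    print("bob logs in with correct password:", pbkdf2_verify(salted["bob"], "linkedin"))
    print("bob logs in with wrong password:", pbkdf2_verify(salted["bob"], "Linkedin"))
```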

How to change your LinkedIn password

    1. Log into LinkedIn.
    2. You should see your name in the top right hand corner of the webpage. Click on it, and you will open a drop-down menu. Choose "Settings".

    3. Choose the option to change your password.

    4. After entering your old password, you will have to enter your new (hopefully unique and hard-to-crack) password twice.

Don't delay. Do it now. And if there are any more updates from LinkedIn we will let you know.

Update: LinkedIn has now confirmed that users' passwords have been exposed.

(By the way, if you use LinkedIn and want to keep up-to-date and discuss the latest security news - make sure to join the Naked Security LinkedIn group).

62 Responses to Millions of LinkedIn passwords reportedly leaked - take action NOW

  1. Roberts · 813 days ago

    Yup, and they have passwords on the list of already closed accounts, couple that with the fact that they have a ton of calendar stuff stored on some server and you're possibly looking at a monumental leak...

  2. Michael · 813 days ago

    Many sites are reporting this, but none have provided the links to the source. The LinkedIn blog hasn't mentioned it either. Change the passwords, but be wary of any emails appearing to be from LinkedIn, as this could be part of a scam.

    • Antman · 807 days ago

      I thought the same thing - tried searching and not one single news source, Twitter source or discussion reveals the true source: the so-called Russian forum or Russian hacker. Why such emphasis on the "Russian" bit? "Oh no, it was the Russians!" Gimme a break.

      I ended up actually finding it on thepiratebay.se - just search for it (there are a few fakes but read the comments and you'll find the real one).

  3. darrellgrundy · 813 days ago

    Two questions that are in my mind are:

    1) How did they get this password data and has that weakness been fixed? A formal response from LinkedIn may be needed before we find out.

    2) For users who have long random passwords (say 10 chars+), is parallel computing or rainbow tables at an advanced enough state today to mean that the hacking community will likely crack the complex passwords that they've captured in addition to the easy ones?

    • Machin Shin · 813 days ago

      I remember reading a test done by a guy who wanted to see how fast a modern GPU could crack a password. He downloaded a free cracker and did a test against Windows password hashes. In the end his rig with a single GPU could crack an 8-character complex password in a little under a month.

      Now you have to consider this was one computer with a single GPU that was not top of the line. It is possible in many computers now to run 2-5 GPUs in parallel. So even with 10+ characters do you really want to make a bet that someone will not be able to crack it?

  4. Lee · 813 days ago

    You are advocating the incorrect response to this. Everyone should do as I did and close their Linked-In account. Companies should be punished for incompetence, and the only way to punish a company that provides a free service is to not use their service anymore.

    • TMG · 813 days ago

      You will soon be closing every account you maintain as, eventually, every one of them will suffer a breach of some sort. Welcome to the age of cyber-warfare...

    • Cousin Barney · 813 days ago

      So...Cut off nose, spite face...?

    • Califragilistic · 812 days ago

      Agreed. I closed mine about 10 minutes ago. Fortunately, all my passwords on other sites are mutually exclusive. It appears LinkedIn was very reckless.

    • cesium62 · 812 days ago

      Absolutely correct. Any company that doesn't do at least the minimal standard software engineering practice of hashing and salting passwords is too incompetent to interact with.

      No, we won't be closing every account we maintain, TMG. This is criminal incompetence, not widespread, common incompetence. None of the companies I have worked at stored cleartext passwords. Standard operating procedure is that customer support cannot see your password. This is not some exotic technology that only security personnel know about.

      No, Barney, this is not cutting off your nose to spite your face. This is cutting off your nose because it is cancerous and going to kill you if you don't cut it off. Linked-in has proven that they are so incompetent that you cannot trust any of their software to do anything at all remotely resembling what it should do. You are in serious danger if you continue to use linked in.

  5. enquirer · 813 days ago

    What's your recommendation for remembering 300 unique passwords?

    • caroletheriault · 813 days ago

      You could consider using a reputable cloud-based password manager, such as LastPass, 1Password, KeePass, etc

      • gav · 813 days ago

        Define 'reputable'. Is LinkedIn not a 'reputable' web service already? ...... Or is storing your passwords in one system an even worse idea?

      • sharkcmiller · 813 days ago

        And how do you assure they are indeed reputable? And before someone pipes up "we're xyz certified", that's usually based on a point-in-time assessment.

      • Dom · 813 days ago

        Yeah right, like I haven't learned any lessons from this. Make one password root for high security sites (like your online banking), another for low security sites (like online news subscriptions). Use this root PLUS additional characters unique to that site.

        For instance: root password = g00dy#$)

        mybank.com = g00dy#$)XYBk$$%

        mynews.com = g00dy#$)MyNews

        Use your imagination, and be sure to include CAPS and special characters like !@#$%^&*(()_

        You can use the mynews password for all your low security sites (where you don't care if someone hacks your password). It's best if your high security passwords are all different, but if you remember the scheme you used to create it, you can remember it.

        Then check your password to see how easy it is to hack it: DON'T put in your real password, but something similar.
        http://howsecureismypassword.net/

        This method works for me. If you're worried you'll forget it, write down part of it to help you remember. Also, make your security questions something not easily guessed, substituting special characters. For example: First Pet = boogie -> password = b00g!3

      • Jill Andy · 813 days ago

        and wait until they are hacked and someone gets all of your passwords at the same time?

      • Dino · 813 days ago

        And what happens when you "reputable" password manager gets compromised? Who controls the cloud?

      • Reader · 813 days ago

        A cloud-based password manager? I think this is even worse... If you do this and in the future there is a security breach at the cloud-based passwords firm, then the bad guys will have access to ALL your passwords at the same time.

        I think it's better to use local (in your PC) password managers (like KeePass) or the Master Password function of browsers like Firefox.

        Personally, I will never put my life (e-mail, PayPal, Amazon, etc.) in third parties' hands.

        • Reader · 813 days ago

          Carole, I think you're wrong.

          KeePass stores the passwords in your machine. LastPass stores them in a private server at some part of the world.

          They are completely different tools.

      • roy · 813 days ago

        Thanks for the references Carole....are there any guarantees those sites/services are more secure?

      • Bill R · 813 days ago

        1Password with Dropbox works nice

      • caner · 813 days ago

        Are you serious when you say "using a reputable cloud-based..."?

        • Yes, a properly designed cloud system works well. LastPass is one of them. Your passwords are always encrypted before they go to lastpass.com. And you can set up 2 factor authentication (I have a YubiKey) that requires a hardware token at any computer you have not authorized.

          LastPass (and other companies) are in the business of security. LinkedIn is in the business of social apps.

          Would you get a car engine repaired at the dollar store? ...because, you know, they sell $1 quarts of oil there...

      • Rich · 813 days ago

        so they only have to hack one site to get all my passwords?

      • PatrickO · 813 days ago

        KeePass is good. I use it.

      • Richard Morrell · 813 days ago

        Really, that's the most stupid piece of advice I've seen all day - congratulations, you just move the problem around.

      • jets · 813 days ago

        and when they get hacked in the cloud...

      • Yellow note boy · 812 days ago

        Yellow sticky notes on computer screen - only you and the janitor know.

    • davidkevans · 813 days ago

      I recommend having partially unique passwords, using a combination of a key word or phrase you will easily remember (but kept to yourself) and a second part that varies with each service/website.

    • John Reynolds · 813 days ago

      Get an IronKey and store your passwords in a text file on that disk. You can also use two IronKeys -- One in a safe-deposit box and one in your pocket.

    • Nigel · 813 days ago

      I use KeePassX, which is a port of the Windows KeePass app to Mac OS X. It is NOT a cloud-based password manager, which is all to the good as far as I'm concerned. This LinkedIn fiasco is just another example of the downside associated with entrusting your security to others.

    • You should start with a base password of 8 characters, for instance, cv78df34. If you look closely you will see those are 4 keyboard pairs, meaning each 2 characters are next to each other.

      Now make some letters caps: cV78Df34.

      Change numbers to special characters: cV&8Df#4 .

      Now add 4 extra characters that change per site. For Linkedin you could add the letters link or edin in the middle; you would end up with this: cV&8edinDf#4 or do something like this: cVe&8dDfi#4n

      For each website you would be having a different 12 char password, for which you only have to remember 8 characters, which are just 4 keyboard pairs you need to remember.

      It takes a bit of effort to start with but it's easier to learn than it seems, it helps if you don't check the stay logged in boxes on login pages for a while, so you are forced to login to your websites everyday and have to remember your password.

      Now think of your own unique password system

      • UrVAITGuy · 813 days ago

        Jinx! Looks like you and I posted our own solutions (which are pretty similar) at the exact time (down to the minute). Kudos. Great minds think alike. :-)

  6. Drew · 813 days ago

    I think this is actually a guerrilla marketing tactic created by LinkedIn to get people to log back into and use their system. I bet they get slammed with record-breaking traffic this week. Worked on me. I haven't been in there in over a year..... Probably won't for another year.

  7. This is actually an amazing guerrilla marketing tactic created by LinkedIn to get people to log back into and use their system. They will get slammed with record-breaking traffic. Worked on me. I haven't been in there in over a year..... Probably won't for another year.
    Think about it. Fear is an awesome motivator for viral marketing. Unconfirmed and still encrypted. Unscramble a possible hashed file. Time is ticking.. OMG... Genius! They couldn't buy this kind of publicity. They deserve a marketing award.

    • Still encrypted? Possible file? A real leak has been confirmed and Sophos say that 60% of the (unsalted) hashes have already been cracked. Check the related articles box on this page for the article.

  8. Brad · 813 days ago

    Fantastic. I go to change my password, hit the 'Change password' button, and it just pops up a spinner that doesn't go away.

  9. Roy · 813 days ago

    What does "SHA-1 unsalted password hashes" mean exactly?

    To Lee's comment, I agree we should punish incompetence by taking our business elsewhere.

    Who would you recommend as an alternative to LinkedIn?

    Also, a shame that many of us feel compelled to "participate" in so many privacy-compromising venues, namely social media, to succeed in this ever-changing economy.

    Thank you.

  10. Insano · 813 days ago

    Okay, so let's get this right. LinkedIn has yet to confirm a breach. The posted list contains only about 25% of the hashed passwords for their user base (without associated email addresses, or identifiers). It *could* be a hoax (just because a list contains hashes of linkedin, or indeed linkedinsucks, does not mean it's from that source). The site may also be breached and still accessible to the attacker(s). And the advice is to *immediately* change your password? Er, why? If it is a hoax, that would be a redundant exercise. If it isn't, then the attacker may be using blind panic to scoop up your newly entered credentials. If your hash is not on the list (which is available online, as are instructions as to how to check locally) then again changing your credentials is somewhat redundant. It seems to me that a more sensible response would be to change any password instances associated with other sites which may be using the same as any that are in use with LinkedIn (although sharing credentials is a slight faux pas) and wait to see if this is a real breach prior to freaking out. A speculation is not proof, and I would argue that as a "senior technology consultant" there is a responsibility to assess the full threat landscape, rather than spreading FUD like manure.

  11. None · 813 days ago

    A carefully worded apparent confirmation by LinkedIn: http://blog.linkedin.com/2012/06/06/linkedin-memb...

  12. UrVAITGuy · 813 days ago

    Perhaps I may suggest an easy way to remember multiple passwords without using a password manager. First come up with a single, very complex password (no dictionary words, no 733T speak, etc). For example:

    Nbi92#(utgq;

    That's 12 characters long, fairly decent length and no patterns. Tough, but it's the only one you're memorizing. Now pick a letter in the password (for this example, let's make it the "q" near the end). For every website you visit, change that letter to the first letter of that website. So for example, if you visited yahoo.com, your password for it would be: Nbi92#(utgy;. In this manner it's very easy to memorize one brute-force impossible password (this would take 3054894 centuries to crack based on the passfault.com website), and have it differ for every website you visit.

    Ta da. :-)

    • Guest · 812 days ago

      Thanks! I'll remember that!
      I also work with people about creating passwords and will pass this on.
      Great idea!
      The downside is that if someone happens to get into your password and are familiar with such a strategy it suddenly narrows down the list of possibilities considerably.
      (Of course the strategy for choosing which letter or when, etc. needn't be what you have suggested.)

      • UrVAITGuy · 812 days ago

        You're welcome. :-)

        And like you said, no one has to know what letter (or number) you're changing. And of course you could capitalize it, or even go a step further and make it the previous letter in the alphabet (e.g. Yahoo's y instead becomes an x since x precedes y).

    • Martha · 764 days ago

      I am a retired pharmacist and I always use generic drug names.

  13. Mark Tomlinson · 813 days ago

    Keep in mind...if your LinkedIn password was the same as any other passwords you have to update and change all those also. And in the future don't be stupid about using the same password on multiple sites.

    • Anon · 812 days ago

      Sorry password re-use will always happen in some limited form as the human brain can only retain so many of them when we have hundreds of sites.

      The way I see it, using a password manager is no different to committing the other cardinal sin of writing down your passwords (or worse, using these cloud-based services that are just dying to be hacked by the criminals).

      Personally I use about 6 unique passwords and of those two of them are used for insecure things like forums and blogs you don't really care about. Sensitive data like online banking, email, social networking accounts, all have their own passwords.

      Works for me.

    • Scott · 812 days ago

      Theoretically, a great idea except that I am already supposed to remember over 100 unique passwords and regularly change them.

      Industry needs to move beyond passwords....without becoming Big Brother.

    • Marcel · 812 days ago

      How would they know where to use this password and with what account name? The LinkedIn (linkedout) problem now is bad, but don't make it more than it actually is.

  14. Kramer · 813 days ago

    The hackers have both the logon IDs and passwords. I reported a phishing attempt using my valid LinkedIn ID and password to LinkedIn on June 2nd and received a reply that they knew that their systems had been compromised.

    • David Heath · 812 days ago

      @Kramer,

      can you tell us more about this? If true, LinkedIn would be in some deep dog-doo! The email you received from them would be quite delicious to see!

    • Owen · 803 days ago

      Hi Kramer, Would it be fair to ask you to post a screenshot of that email in question?

  15. I use 2-factor authentication on Gmail now. Every new machine I use to access my account requires I enter a one-time password sent to my by SMS. Authorised machines can use the account for 30 days before requiring another SMS. So my credentials are no longer enough to access this account at least.

  16. disclosure · 812 days ago

    Searchable DB is available at http://dazzlepod.com/linkedin/

  17. Peter · 812 days ago

    A major problem is the number of sites that want you to register for services. I have to admit I use a common password for everything that does not involve money (I include my main email account as a financial risk because it could be used to reset the others).

    My policy for financial sites is to use a word (faster to type), some funny characters (&D56£ for example) and something I don't need to write down like the four digit PIN of my first ever bank card. Hopefully that is good enough, and they are all different.

    In this case they have got my common password and I have changed it at Linkedin. I cannot even remember all the other places I have used it and I wish them the best of luck in accessing land registry data or best buy deals on any web sites they manage to get into using it. (Unless someone can think of a way I can be harmed by these sites.)

  18. Chris · 812 days ago

    Why use linkedin? Just get out of it.

  19. kevinH · 812 days ago

    I've changed my password via a browser, but I've been able to connect via the iPhone app without a prompt to change my credentials. Makes me wonder how their authentication is working across different platforms...

  20. winny · 812 days ago

    I checked my hash on tools available online; 2 said hacked & cracked, the other said safe. Worryingly, my profile was removed 4+ months ago! I searched the profile name which isn't there, but links to contacts, family members etc. are... Ex LinkedIn members might want to think about password security?

  21. Robin · 812 days ago

    I am NOT going to be typing my password into a tool like this to see if it was hacked. That would be the definition of gullible. Much easier to just change my password; however, I'm having trouble swallowing this story to start with.

  22. enquirer · 811 days ago

    I just downloaded the file according to instructions as mentioned in comments on the FT (of all places), although the comment seems to have disappeared.

    I ran the Python script (16-ish lines of simple Python code calling the standard Python hash) and got a match of my password AND my surname.

    Of course the code only tests guesses, so I can't (AND DON'T WANT to) see anyone else's stuff.

    So it seems the file probably contains both password and user names.

    Comments?

  23. John · 800 days ago

    This is not about passwords but about LinkedIn spamming, close but no cigar. I was spammed several times by LinkedIn (or so the e-mail said) to join up with many "friends" in the town where I live. Not only did I not know many of them but not one said he or she was the author of the request. Whether or not LinkedIn or someone else got all my data including my password will remain a mystery. I tried to eliminate myself from LinkedIn but that was easier said than done. There was no simple "get me out of here" switch provided by LinkedIn. I ended up deleting the data in each field and then struggled to delete my login name and password. Of course my personality and everything about me still exists somewhere in LinkedIn ready to be spammed to others. My personal advice is to just keep away from any and all "social networking" sites. Or do so with the knowledge that nothing you ever say or do on those sites is private. Am I getting paranoid? Probably, but not without good reason, having just been the victim of a 5 figure credit card fraud which was (hello, hello) just shy of my available credit limit. The downside is that I have children who have forgotten how to communicate except by Facebook. If I didn't have my basic read-only Facebook account I would never see pictures of my grandchild growing up.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.