Author Topic: LinkedIn probing reports of massive breach  (Read 5829 times)

Offline OhauitiWeather

  • Hero Member
  • *****
  • Posts: 1977
  • Country: nz
  • Karma: 284
  • Gender: Male
    • Ohauiti Weather
LinkedIn probing reports of massive breach
« on: June 08, 2012, 01:55:43 AM »
Professional social networking service LinkedIn today said it is investigating reports that hackers broke into its systems and accessed the usernames and hashed passwords of 6.5 million members.
 
The data was said to be posted on an online Russian hacker forum.
 
In numerous Twitter messages, LinkedIn told its members that it's investigating the breach reports, and that it can't yet confirm that hackers had accessed the site.
 One said: "Our team is currently looking into reports of stolen passwords. Stay tuned for more."
 
One security researcher today said that he has downloaded a file from a Russian hacker website containing more than 6.4 million hashed passwords.
 
Marcus Carey, a security researcher at Rapid7, said he also downloaded two separate files containing more than 300,000 passwords collected by the hackers. The hackers accessed the passwords by using simple password cracking tools, Carey said.
 
Though it is not immediately possible to confirm if the hashed passwords were in fact accessed from LinkedIn's servers, there are numerous anecdotal reports that users have seen their LinkedIn password posted online, he said.
 
So far, he added, there is no evidence that emails associated with the passwords have also been accessed, though that remains a possibility.
 
Carey noted that the hackers might still have access to the LinkedIn servers.
 
According to him, a look at the data that was posted online suggests that the hackers may have had access to the data for some time.
 
Users of LinkedIn should immediately change their passwords to protect their accounts, he said.


Published by Computerworld, written By Jaikumar Vijayan | Framingham | Thursday, 7 June, 2012
Link to article:  http://computerworld.co.nz/news.nsf/news/linkedin-probing-reports-of-massive-breach?opendocument&utm_source=security&utm_medium=email&utm_campaign=security


David Harris
Ohauiti Weather
WH1091 Wireless Weather Station
Ohauiti Weather :: Home  powered by Cumulus MX 3.0.0 b3041
"If it wasn't for the last minute nothing would ever get done"

Offline OhauitiWeather

Re: LinkedIn probing reports of massive breach
« Reply #1 on: June 08, 2012, 01:59:04 AM »
6M LinkedIn Passwords Leaked: How to Change Your Password

LinkedIn users: Change your password.
 
This morning, news broke that a Russian forum has claimed to have downloaded 6.46 million user passwords from LinkedIn and is reaching out to fellow hackers to seek help in cracking the encryption.
 
LinkedIn passwords are encrypted using an algorithm called SHA-1, which is considered very secure but not foolproof. Little other information is available right now, but LinkedIn tweeted that its team is looking into the situation.
 
In the meantime, it's recommended that LinkedIn users change their password as a precaution.
 
To do this, log into your LinkedIn account and click "Settings" from the drop-down menu that appears when you hover over your name (found in the top-right of your screen). Find the change password option under your name and photo. You'll be asked to provide your old password in addition to the new one. Then click "Change password."
 
[Want more LinkedIn tips, tricks and analysis? Check out CIO.com's LinkedIn Bible.] http://www.cio.com/article/495098/LinkedIn_Bible_Everything_You_Need_to_Know_About_the_Social_Network_for_Professionals
 

Published by Resellernews, written By Kristin Burnham, Framingham | Thursday, 07 June 2012
Link to article:  http://reseller.co.nz/reseller.nsf/inews/6m-linkedin-passwords-leaked-how-to-change-your-password?opendocument&utm_source=chbeat&utm_medium=email&utm_campaign=chbeat
« Last Edit: June 08, 2012, 02:06:53 AM by OhauitiWeather »

Offline OhauitiWeather

Re: LinkedIn probing reports of massive breach
« Reply #2 on: June 08, 2012, 07:43:54 PM »
FAQ: LinkedIn breach: What members (and others) need to know

Here's some information on the apparent major LinkedIn breach for members of the social network, and for all Internet users.

Hackers have apparently accessed close to 6.5 million hashed passwords from a LinkedIn database and posted them and data associated with them online. So far, researchers say, about 60 percent of the unique passwords in the dump have been cracked and there are signs that the rest will soon be as well.
 
Here's some information for LinkedIn users specifically, and all Internet users in general.
 
What happened?
Surprisingly, it's not clear yet exactly what happened.
 
Earlier this week, a 118MB file containing 6,458,020 hashed passwords was posted on a Russian hacker forum. The posters said they needed help in cracking the passwords.
 
Security analysts who inspected the data dump noticed that many of the passwords appeared to be associated with LinkedIn member accounts, which led to the conclusion that all the passwords belonged to members of the social networking site for business professionals. What remains unknown is how the data was obtained, how long the hackers may have had access to it, and what other data might have been accessed.
 
How has LinkedIn responded publicly to the reports?
The company has said precious little so far. Apart from a brief blog post confirming that "some" member passwords were compromised, the company has said nothing about the nature or scope of the compromise.
 
The company says it is investigating the incident.
 
Did the hackers obtain email addresses associated with the passwords?
That remains unclear as well. To this point, only the passwords have surfaced online. But security analysts believe it's likely the hackers have accessed email addresses and other account data as well.
 
If User IDs were not obtained, what's the big deal?
If so, that would diminish the seriousness of the compromise. Typically however, password data is stored along with other account details. So if someone had access to the passwords, they very likely had access to other account information as well. The fact that the data has not surfaced could mean that either the hackers don't have it, or they simply haven't released it.
 
What does it mean to me?
If you're a LinkedIn user, it's a good idea to change your password, especially if you use the same password to access other online accounts. Make sure to use a STRONG password.
 
If your password was compromised, you will not be able to use it to log into your LinkedIn account. LinkedIn has said that it is contacting users whose password has been compromised with instructions on how to reset their password. The company has made clear that the email with instructions on how to reset the password will NOT contain any links. If you have not received an email yet, or if you are still able to access your account using your old password, it means that either your password was not compromised, or that LinkedIn doesn't know it yet.
 
What measures had LinkedIn taken to protect member passwords?
Embarrassingly little, or so it appears so far, researchers say.
 
The breached passwords were all masked using a basic hashing algorithm known as SHA-1. Though SHA-1 offers a degree of protection against password cracking attempts, the protocol is by no means foolproof. Numerous password cracking tools and tables that contain pre-computed hashes for billions of passwords are easily available. Almost anyone can use these tables to decrypt almost any SHA-1 hash and recover it in plain text in a matter of minutes. That explains why nearly all of the hashed passwords have been cracked already.
 
What could LinkedIn have done to protect the passwords better?
Security experts say the company should have used a method known as "salting" to make its hashed passwords a lot harder to crack. In the salting process, a string of totally random characters is appended to a plaintext password before it is hashed. A salted hash is considered to be orders of magnitude harder to crack than a regular SHA-1 hash. Salting is considered today to be an almost basic security practice for protecting passwords.
 
How can users be sure that more data was not accessed?
That information must come from LinkedIn. It's possible that only password data was stolen. It's equally possible that the intruders gained access to email addresses as well.
 
Similarly, it's possible that a lot more than 6.5 million passwords were compromised. LinkedIn has over 100 million members. It's possible that the hackers released the 6.5 million passwords to show they have the goods to anyone interested in purchasing the purloined data from them. LinkedIn can be a goldmine for identity thieves and phishers.


Published by Computerworld, written By Jaikumar Vijayan | Framingham | Friday, 8 June, 2012 | 2 Comments
Link to article:  http://computerworld.co.nz/news.nsf/news/faq-linkedin-breach-what-members-and-others-need-to-know?opendocument&utm_source=topnews&utm_medium=email&utm_campaign=topnews

Offline OhauitiWeather

Re: LinkedIn probing reports of massive breach
« Reply #3 on: June 13, 2012, 12:51:46 AM »
LinkedIn claims vulnerable passwords have been disabled

Business social network LinkedIn issued more information and advice to its users over the weekend, in the wake of a massive cyber attack in which 6.5 million passwords were stolen.
 
The company said it is working closely with the FBI to pursue the perpetrators, and wants to be as transparent as possible while preserving the security of its members.
 
LinkedIn director Vicente Silveira wrote in a blog post that the compromised passwords were not published with corresponding email logins, meaning that it is unlikely they could be used to hack into accounts.
 
While the vast majority of the passwords were encrypted, a subset was decoded, admitted Silveira. However, all member passwords deemed to be at risk have been disabled, and there have been no reports of member accounts being breached as a result of the stolen passwords.
 
"By the end of Thursday, all passwords on the published list that we believed created risk for our members, based on our investigation, had been disabled," said Silveira. "This is true, regardless of whether or not the passwords were decoded."
 
He added that the company's in-house security team recently completed the transition from a password database system that simply hashes passwords to a system that both hashes and salts passwords, providing an extra level of protection.
 
"We continue to execute on our security roadmap, and we'll be releasing additional enhancements to better protect our members," said Silveira.
 
Following the LinkedIn hack last Wednesday, both the online dating site eHarmony and London radio station Last FM suffered similar password leaks. Graham Cluley, security expert at Sophos, told the BBC that the sites could have shared the same vulnerability.
 
"Can it be coincidence? It seems unlikely to me. There's a mystery in the middle of the LinkedIn breach about how they got the data. You have to worry there's a common vulnerability," he said.
 
Both companies are advising users to change their passwords.


Published by Computerworld, written By Sophie Curtis | London | Tuesday, 12 June, 2012
Link to article:  http://computerworld.co.nz/news.nsf/news/linkedin-claims-vulnerable-passwords-have-been-disabled?opendocument&utm_source=topnews&utm_medium=email&utm_campaign=topnews

Offline OhauitiWeather

Re: LinkedIn probing reports of massive breach
« Reply #4 on: June 13, 2012, 10:16:16 PM »
No accounts breached after password hack: LinkedIn

Professional networking website LinkedIn has posted an update on the password breach it suffered last week, assuring users that no member accounts were accessed as a result, despite the open publishing of many users’ decoded passwords.

The stolen passwords – said to number around 6.5 million – were published online on Thursday, causing the LinkedIn security team to promptly disable the passwords of ‘those members whom we believed were at risk’.

“By the end of Thursday, all passwords on the published list that we believed created risk for our members, based on our investigation, had been disabled,” writes LinkedIn’s Vicente Silveira in a post on the company blog.

“It’s important to know that compromised passwords were not published with corresponding email logins... thus far, we have no reports of member accounts being breached as a result of the stolen passwords.”

All members whose passwords were disabled were sent emails with instructions on how to re-set their passwords. People whose passwords weren’t disabled were not deemed to be at risk, although Silveira adds that changing passwords every few months is ‘good practice’.

In an infographic posted on Mashable (http://mashable.com/2012/06/08/linkedin-stolen-passwords-list/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Mashable+(Mashable)&utm_content=Google+Reader), data protection company Rapid7 lists the results of its analysis of the stolen passwords, showing that plenty of people are still using common passwords like 12345.

Interestingly, the analysis also showed many people’s passwords related to the purpose of the site, such as ‘work’, ‘job’ and ‘connect’. Other common themes were religion, such as ‘god’, ‘jesus’ and ‘angel’, and swear words.


Published by techday, written By Contributor, Monday, 11th June, 2012
Link to article:  http://www.techday.co.nz/start-up/news/no-accounts-breached-after-password-hack-link/23916/8/

Offline OhauitiWeather

Re: LinkedIn probing reports of massive breach
« Reply #5 on: June 15, 2012, 12:52:32 AM »
LinkedIn user alerts mistakenly blocked as spam

Many of the LinkedIn email alerts instructing users on how to reset passwords accessed by hackers were dumped into spam boxes, according to email security vendor Cloudmark.
 
In a blog post on Tuesday, Andrew Conway, a Cloudmark researcher, said a substantial increase in spam reports last weekend was traced to LinkedIn password reset email alerts.
 
In many cases, the emails that users marked as spam were legitimate alerts from LinkedIn, Conway said.
 
"Over 4 percent of the people receiving this email thought it was spam and sent it straight to the bit bucket," Conway said. "If Linkedin sends out 6.5 million emails, then a quarter of a million people are congratulating themselves on avoiding spam -- and still have a compromised Linkedin password."
 
Conway said that LinkedIn did all the right things to ensure that users would not treat its emails with suspicion. All were addressed to the recipient by name, did not contain any links and were DomainKeys Identified Mail (DKIM) signed to validate their authenticity.
 
"Even so, it was taken for spam," Conway said. "Part of the problem is that people are used to getting email that they don't want from LinkedIn, and rather than unsubscribe, some of them just mark it as spam and hope that it will go away."
 
In an email to Computerworld US, Conway said that Cloudmark, a provider of messaging security services to internet service providers, monitors messages for clients by assigning a number of digital signatures based on the content of the messages. Thus it can determine which signatures are present on emails that are manually flagged as spam by users.
 
"The Linkedin compromised email message(s) generated several unique signatures, so we are able to measure the rate at which these are marked (by users) as spam," he said.
 
Cloudmark was able to confirm that LinkedIn, and not spammers, had sent the alerts because the emails were DKIM signed by Linkedin.com, he said.
 
The alerts were sent after hackers last week accessed about 6.5 million hashed passwords from a LinkedIn database and posted the stolen data on a Russian hacker site.

By last weekend, most of the passwords were believed to have been decrypted by hackers and made available in plain text on many sites.

LinkedIn has confirmed the password compromise but released few details about the incident.
 
In three separate LinkedIn communications about the incident, the company didn't say how the passwords were accessed or whether other data, such as email IDs, were also compromised. LinkedIn said only that no email IDs have yet been publicly posted.

The latest LinkedIn update, posted yesterday, repeats much of the information that was included in previous notes.

The latest post did say that all passwords posted by the hackers, and that "we believed created risk for our members, based on our investigation," have been disabled.
 
Since the attack, LinkedIn has come in for some criticism for not better protecting passwords.
 
The company has said that it has completed a "long-planned transition" from merely hashing passwords to a system that both hashes and salts passwords. Salting is a process in which a random string of characters is appended to a password before it is hashed.


Published by Computerworld, written By Jaikumar Vijayan | Framingham | Thursday, 14 June, 2012
Link to article:  http://computerworld.co.nz/news.nsf/security/linkedin-user-alerts-mistakenly-blocked-as-spam?opendocument&utm_source=security&utm_medium=email&utm_campaign=security
« Last Edit: June 15, 2012, 12:54:49 AM by OhauitiWeather »
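
The salting described in the FAQ post (Reply #2) and again in Reply #5, shown as an added example that is not part of the original posts or the quoted articles. It contrasts bare SHA-1 storage with a per-user salt, and goes beyond the articles by also using a slow key-derivation function (PBKDF2-HMAC-SHA256); the iteration count, account names and the small lookup table are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 200_000  # assumption: example work factor; tune to your hardware

def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 of the password, the scheme the articles describe."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])

def shared_digests(digests: list) -> int:
    """Number of stored digests that also appear on another account."""
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)

def table_hits(table: set, digests: list) -> int:
    """Number of stored digests present in a precomputed digest table."""
    return sum(1 for d in digests if d in table)

# Constructed sample accounts (not real data); two users chose the same password.
ACCOUNTS = {"alice": "12345", "bob": "12345", "carol": "connect", "dave": "t7#Lq9!vZp2x"}
# Constructed stand-in for a precomputed table: SHA-1 of a few common passwords.
COMMON_TABLE = {unsalted_sha1(w) for w in ("12345", "connect", "job", "work")}

def compare_schemes() -> dict:
    """Store the same accounts both ways and report what a leaked dump reveals."""
    weak = [unsalted_sha1(p) for p in ACCOUNTS.values()]
    strong = [hash_password(p)["hash"] for p in ACCOUNTS.values()]
    return {
        # Identical passwords give identical digests, so one lookup covers them all.
        "unsalted_shared": shared_digests(weak),
        "unsalted_table_hits": table_hits(COMMON_TABLE, weak),
        # Each record has its own salt, so equal passwords no longer line up
        # and a table computed once cannot be reused across records.
        "salted_shared": shared_digests(strong),
    }

if __name__ == "__main__":
    print(compare_schemes())
```

Duplicate digests across accounts in a credential store are a quick audit signal that passwords are being hashed without a per-user salt.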

