
Passwords hack confirmed by LinkedIn

Under the name ‘dwdm’, the hacker has apparently posted a file containing hashed passwords onto a Russian internet forum and invited members of the hacking community to help crack them.

Security experts from data protection companies have reported the passwords to be circulating in the form of cryptographic ‘hashes’. A hash function converts a password into a fixed-length, seemingly random string of letters and digits using a one-way mathematical formula: the password cannot be read back out of the hash, but an attacker can guess candidate passwords, hash each one and compare the result against the leaked values.

The claim is that “hundreds of thousands” of the hashes may already have been cracked, while upwards of six million passwords are potentially at risk.

Damaging for individuals, damaging for business

Orlando Scott-Cowley, a security expert at cloud e-mail firm Mimecast, commented: “While a data leak of this kind would be very worrying for individuals, a security issue with LinkedIn could also be potentially damaging for businesses. With many users seeing the site as an extension of their own business communications rather than as a personal social media tool, employers need to be aware of the possible threat to corporate data that a LinkedIn breach could represent. Now is a great time to educate corporate users on the benefits of password complexity and good password policies.”

Scott-Cowley added: “With LinkedIn now seen as a valid form of communications by the majority of organisations, I imagine there will be quite a few nervous IT teams waiting on updates from LinkedIn on these rumours. Since LinkedIn has become so ubiquitous in most businesses I would recommend that IT teams are proactive about this and tell their users to change their passwords today.”

John Yeo, director at Trustwave SpiderLabs EMEA, told Info4Security: “In light of the news that up to 6.5 million LinkedIn passwords may have been compromised, it’s important for all users of the social network to immediately change their password, not just on LinkedIn but also on any other social network or digital accounts where the same password has been used. Perhaps more importantly, however, users should also change any passwords to their corporate networks where they have used the same password.”

Recent research conducted by Trustwave SpiderLabs found that, of over 2.5 million workplace passwords analysed, variations on the word ‘Password’ made up more than 5% of all passwords, while the most common password used by global businesses is ‘Password1’, simply because it satisfies the default Microsoft Active Directory complexity setting (characters from three of the available classes: here an upper-case letter, lower-case letters and a digit).

In approximately 15% of physical security tests, written passwords were found on and around workstations.

“This research shows that, time and again, users are failing to adopt secure passwords and best practice on security fundamentals,” stressed Yeo. “Organisations need to consider more secure login methods such as two-factor authentication. Having a technological control such as this in place can reduce the impact of compromised passwords.”

Three ramifications re: LinkedIn compromise

Carl Leonard, senior security research manager EMEA at IT security firm Websense, explained: “The compromise of a LinkedIn account has three important ramifications. First, the key concern is the bad actors taking advantage of trust. If you are ‘linked’ to a trusted colleague you are more likely to click on a malicious link sent from them, which may open the door to targeted attacks and confidential data theft.”

Leonard continued: “Second, because many LinkedIn accounts are tied to other social media services such as Facebook or Twitter, posts with malicious links can also be propagated to a larger audience. Last, but not least, many of us are creatures of habit and have the same password for multiple accounts. The consequences of a breached password could be extrapolated across e-mail, social media, banking accounts and mobile phone data.”

Websense has released a blog investigating the hack and providing advice to LinkedIn members.

Could the scale of the problem be more extensive?

The Russian hacker forum is said to specialise in ‘hash cracking’: recovering the original passwords from their hashes. Because a hash cannot be reversed directly, crackers hash very large numbers of candidate passwords (taken from wordlists and mangling rules) and look for values that match the leaked hashes.

Imperva’s Application Defence Centre (ADC) has analysed this file. One member of the forum was able to crack (i.e. recover the original passwords for) 100,000 of the hashes, and Imperva’s ADC has that cracked file as well.

Worryingly, Imperva believes the size of the LinkedIn breach may potentially be much bigger than the 6.5 million accounts figure quoted across national media.

Two data points focused on by the company indicate why this could be the case:

For reference, in the widely publicised RockYou breach the 5,000 most popular passwords accounted for 20% of all users. Imperva believes the same distribution applies here: another indicator that the LinkedIn password breach cohort could exceed the 6.5 million figure.

Were the LinkedIn passwords properly protected?

Imperva believes the LinkedIn passwords weren’t properly protected. In ‘geek speak’, Imperva suggests the hashes were unsalted SHA-1 hashes. Not salting is a bad practice that Imperva detailed in last month’s report on the Militarysingles breach.

In layman’s terms, ‘salting’ makes a cracker’s job much harder. Rather than hashing the password on its own, the site generates a random string of characters (the salt) for each user, stores it alongside the hash, and hashes the salt and the password together. Two users who chose the same password then end up with different hashes, precomputed tables of common-password hashes become useless, and an attacker has to repeat every guess separately for every user instead of checking one guess against the entire database at once.
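The following Python script is an added illustration of the two points above (hash cracking, and why unsalted hashes are worse than salted ones); it is not code from the article, LinkedIn or Imperva. The user list and the wordlist are constructed sample data, and the salted scheme shown (SHA-1 over salt plus password, 16 random bytes per user) and the PBKDF2 storage format are the author's assumptions about a reasonable design, not a description of what LinkedIn deployed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data (not the leaked LinkedIn records): four users,
# two of whom chose the same password.
USERS = {
    "alice": "Password1",
    "bob": "linkedin2012",
    "carol": "Password1",
    "dave": "correct horse battery staple",
}

# Constructed wordlist of the kind a forum cracker would run.
WORDLIST = ["123456", "password", "Password1", "linkedin", "linkedin2012", "link123"]


def sha1_unsalted(password):
    """Plain SHA-1 of the password: the scheme the article says LinkedIn used."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password, salt):
    """SHA-1 over salt || password; the salt is stored next to the hash."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def unsalted_db(users):
    """Stored form: user -> hash."""
    return {user: sha1_unsalted(pw) for user, pw in users.items()}


def salted_db(users):
    """Stored form: user -> (salt, hash), with a fresh random salt per user."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        db[user] = (salt, sha1_salted(pw, salt))
    return db


def duplicate_groups(stored_hashes):
    """Users whose stored hashes are identical. With unsalted hashes this
    reveals, before any cracking at all, who shares a password."""
    groups = defaultdict(list)
    for user, h in stored_hashes.items():
        groups[h].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def crack_unsalted(db, wordlist):
    """Wordlist attack on unsalted hashes. Each candidate is hashed once and
    looked up against every user, so the work is len(wordlist) hash
    operations however large the dump is. Returns (cracked, operations)."""
    by_hash = defaultdict(list)
    for user, h in db.items():
        by_hash[h].append(user)
    cracked, ops = {}, 0
    for candidate in wordlist:
        ops += 1
        for user in by_hash.get(sha1_unsalted(candidate), []):
            cracked[user] = candidate
    return cracked, ops


def crack_salted(db, wordlist):
    """The same attack on salted hashes: every candidate must be rehashed with
    each user's own salt, so the work grows with users * len(wordlist)."""
    cracked, ops = {}, 0
    for user, (salt, h) in db.items():
        for candidate in wordlist:
            ops += 1
            if sha1_salted(candidate, salt) == h:
                cracked[user] = candidate
                break
    return cracked, ops


def store_pbkdf2(password, salt=None, iterations=600_000):
    """What a site should do instead (assumed format): per-user salt plus a
    deliberately slow KDF, so each guess costs the attacker `iterations`
    HMAC-SHA-256 evaluations rather than one SHA-1."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute from the stored parameters and compare in constant time."""
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    plain = unsalted_db(USERS)
    print("identical hashes (unsalted):", duplicate_groups(plain))
    print("unsalted crack:", crack_unsalted(plain, WORDLIST))
    salted = salted_db(USERS)
    print("identical hashes (salted):",
          duplicate_groups({u: h for u, (_, h) in salted.items()}))
    print("salted crack:", crack_salted(salted, WORDLIST))
```

On this toy set the same three accounts fall to the wordlist either way; the difference is the cost. The unsalted attack does one hash per candidate for the whole dump, which is exactly why a forum could crowd-source millions of hashes, while the salted attack repeats the work per user and a slow KDF multiplies it again by the iteration count.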

“LinkedIn was probably breached but the password database doesn’t indicate this specifically,” said Imperva. “Many of the passwords contained a high volume of the word – or a variation of the word – ‘linkedin’. This indicates that the pool of passwords comes from LinkedIn, though the hacker hasn’t specifically made such a connection.”

The password set shows that 13 passwords contained ‘linkedin’, 509 passwords contained ‘linked’ and 1,134 passwords contained ‘link’.

In the aforementioned RockYou breach, the password ‘rockyou’ was the seventh most popular on that site. Since there are no corresponding usernames, Imperva cannot validate if these are really valid LinkedIn.com credentials. However, it’s safe to assume that the hacker was able to get them, but he doesn’t want to give away this data to fellow crackers.

LinkedIn’s official response

On the company’s official blog, LinkedIn director Vicente Silveira stated: “We want to provide you with an update on reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts.”

(1) Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.

(2) These members will also receive an e-mail from LinkedIn with instructions on how to reset their passwords. There will not be any links in this e-mail. Once you follow this step and request password assistance you will receive an e-mail from LinkedIn with a password reset link.

(3) These affected members will receive a second e-mail from the Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

Silveira added: “It’s worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.”

He concluded: “We sincerely apologise for the inconvenience this has caused our members. We take the security of our members very seriously.”

LinkedIn has officially recommended that users change their passwords immediately. Here are some instructions on how to do this:

If you use the same password on other sites, remember to change those as well.
