Are you a LinkedIn user? If so, you might want to change your passwords, as 6.5 million passwords belonging to users of the business-centric social network have been leaked onto a Russian hacking forum. The dump contained passwords hashed with unsalted SHA-1 (a hash function, not an encryption system), meaning the hashes are easily cracked with online lookup tools. No other information has been released, but it is possible that usernames were also compromised during the attack. Remarkably, LinkedIn’s share price ended the day up 0.09%, only to fall in after-hours trading.
6.5 million LinkedIn passwords compromised? Maybe now would be a good time to just delete my account.
— Ryan Block (@ryan), June 06, 2012
In a blog post regarding the attack and password dump, LinkedIn’s Vicente Silveira explained how the company plans to deal with the compromised accounts, which make up a small fraction of the network’s reported 161 million users.
We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
- Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
- These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
- These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.
We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously. If you haven’t read it already it is worth checking out my earlier blog post today about updating your password and other account security best practices.
To find out if your password is included in the list, head to LeakedIn, which takes your password, hashes it with SHA-1 in the same way, and then checks whether that hash is present in the leaked list. Mercifully mine was not published, but the Digixav offices do have a number of passwords in the leak. Buzzfeed’s John Herrman used the tool to check some possible passwords, both common and hilarious, and compiled a list of the best 23. Even if you are not affected by this attack, it should serve as a good reminder to change your passwords regularly and make them unique, but not to make them anything like these.
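The LeakedIn check and the reason unsalted SHA-1 is so weak can both be shown in a few lines. The following is an added example written for this article, not code from LinkedIn or from LeakedIn: it hashes a candidate password locally and looks it up in a constructed sample dump (the same check LeakedIn performs, done offline so the password never leaves your machine), then builds a small precomputed lookup table from a made-up wordlist to show why every unsalted hash in such a dump falls to it instantly, while the per-user salting LinkedIn describes in its post makes the same table useless. The sample passwords, wordlist and salt handling are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed throwaway passwords used to build the sample dumps below.
# They are made up for this demonstration, not entries from the real leak.
SAMPLE_PASSWORDS = ["password123", "linkedin", "letmein", "correct horse battery"]

# A tiny constructed "wordlist" of guesses, standing in for the large public
# lists that online lookup tools are built from.
WORDLIST = ["123456", "password123", "linkedin", "letmein", "qwerty"]


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 digest. SHA-1 is a hash, not encryption: there is no key to
    recover and nothing to 'decrypt'; the only way back is to guess and compare."""
    return hashlib.sha1(data).hexdigest()


def unsalted_dump(passwords):
    """What the leaked list looked like: the bare SHA-1 of each password."""
    return {sha1_hex(p.encode("utf-8")) for p in passwords}


def check_my_password(password: str, dump) -> bool:
    """Offline version of the LeakedIn check: hash locally, look the hash up."""
    return sha1_hex(password.encode("utf-8")) in dump


def lookup_table(wordlist):
    """Precomputed table hash -> word. Built once, reusable against any
    unsalted dump, which is exactly why unsalted hashes crack so easily."""
    return {sha1_hex(w.encode("utf-8")): w for w in wordlist}


def matches_unsalted(dump, table) -> int:
    """Number of leaked unsalted hashes the precomputed table resolves instantly."""
    return sum(1 for h in dump if h in table)


def salted_record(password: str, salt=None) -> str:
    """Per-user random salt stored beside the digest, the scheme LinkedIn says it
    moved to. SHA-1 is kept here to match the article; a current deployment
    would also use a deliberately slow hash such as bcrypt, scrypt or PBKDF2."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + sha1_hex(salt + password.encode("utf-8"))


def salted_dump(passwords):
    return [salted_record(p) for p in passwords]


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, digest = record.split("$", 1)
    candidate = sha1_hex(bytes.fromhex(salt_hex) + password.encode("utf-8"))
    return hmac.compare_digest(candidate, digest)


def matches_salted(dump, table) -> int:
    """The same precomputed table against salted records: every digest depends
    on its own salt, so nothing matches and each guess would have to be
    rehashed separately for every user."""
    return sum(1 for rec in dump if rec.split("$", 1)[1] in table)


if __name__ == "__main__":
    plain = unsalted_dump(SAMPLE_PASSWORDS)
    table = lookup_table(WORDLIST)
    print("is 'linkedin' in the dump?", check_my_password("linkedin", plain))
    print("unsalted hashes cracked by table:", matches_unsalted(plain, table),
          "of", len(plain))
    print("salted records cracked by table:",
          matches_salted(salted_dump(SAMPLE_PASSWORDS), table), "of",
          len(SAMPLE_PASSWORDS))
```

Running it shows three of the four unsalted sample hashes resolved by a five-word table with no work at all, and none of the salted ones; the point of the salt is not secrecy but forcing an attacker to start the guessing from scratch for every single account.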
Hey, whoever's using "penus" as a LinkedIn password, you've apparently been hacked leakedin.org
— John Herrman (@jwherrman), June 06, 2012
The LinkedIn password "marijuana" has been leaked leakedin.org time to change ur pw bro
— John Herrman (@jwherrman), June 06, 2012
Attention job hunters who used "horsecock" for a LinkedIn password leakedin.org yfrog.com/nv280cp
— John Herrman (@jwherrman), June 06, 2012