If you’re a LinkedIn user, do yourself a favor and change your password right now — according to a new report from Dagens IT, nearly 6.5 million encrypted LinkedIn passwords were recently dumped onto a Russian hacker forum.
The news comes right on the heels of yet another user security kerfuffle, as the most recent LinkedIn for iOS update was found to transmit users’ meeting notes back to LinkedIn servers without their permission.
Of the millions of passwords dumped, Dagen IT claims that nearly 300,000 of them have been decrypted so far and that number seems sure to grow as users spread that hefty file around.
The passwords are stored as unsalted SHA-1 hashes, and multiple reports on Twitter indicate that users have found their own hashes buried in the massive text dump. While unsalted hashes are much less secure than their salted brethren, it still takes a non-trivial amount of time to decrypt unless a user opted to use a common dictionary word as their password. It’s currently unknown whether or not the email addresses that correspond to those passwords have also been dumped, though if they are in someone’s possession, they apparently don’t feel like sharing.
Considering that LinkedIn reported back in February that 150 million people use the professional networking service (a number that has certainly grown since then), the breach represents a relatively small number of users. Though chances are slim that you yourself are personally affected — 6.5 million people makes up less than 5% of LinkedIn’s userbase — those odds seem unlikely to assuage the concerns of people who are.
For what it’s worth, LinkedIn has just acknowledged that they are aware of these reports, though their most recent tweet doesn’t offer up any additional information:
Our team is currently looking into reports of stolen passwords. Stay tuned for more.
—
0 Responses
Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.