Already in the spotlight over the way its iOS app collects information, including full meeting notes and details from a device’s calendar, LinkedIn is in trouble again. Anyone with a LinkedIn account, even those who never use the mobile app, should be concerned: 6.5 million hashed and encrypted user passwords have reportedly been leaked.
Norwegian IT website Dagens IT first reported the breach, noting that the 6.5 million passwords were posted to a Russian hacker site.
LinkedIn has not yet confirmed the theft, instead tweeting that it is investigating. However, at least one user has confirmed via tweet that his password was among those in the data, meaning that even without company confirmation, it is apparently LinkedIn data.
Security expert Per Thorsheim tweeted that the hackers posted the encrypted passwords in order to get help in decrypting them. User details have not been posted to the Russian site; however, it is believed that the hackers most likely have access to user data as well as the passwords.
Looking at the data, it seems obvious that a number of the passwords are identical. As we’ve seen before, a lot of people still tend to use simple passwords such as “123456” or “password.” That includes government officials.
The hashes are unsalted SHA-1, which is somewhat secure. However, a hash can be cracked if the user employs a simple dictionary password (such as “password” or any real word).
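The two preceding paragraphs describe why an unsalted SHA-1 dump is dangerous: identical passwords collapse to identical hashes, and a dictionary word can be matched against a precomputed table. The script below is an added illustration, not code from the article or from LinkedIn; the sample passwords, the four-word "wordlist", and the PBKDF2 work factor are constructed placeholders. It puts the weak scheme next to a salted, slow-KDF scheme so the difference in what a leaked dump reveals is visible.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample plaintexts for a handful of made-up users; they are
# illustrative values, not data from the leak.
SAMPLE_PASSWORDS = [
    "123456", "password", "correct horse battery", "123456", "password", "Tr0ub4dor&3",
]

# Constructed mini wordlist standing in for the large common-password lists
# that make unsalted hashes trivial to reverse.
COMMON_WORDS = ["123456", "password", "qwerty", "letmein"]

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the hardened scheme


def unsalted_sha1(password):
    """The weak scheme the article describes: one SHA-1 digest per password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_hashes(hashes):
    """Without a salt, identical passwords produce identical digests, so the
    repeats are visible from the dump alone. Returns {digest: count} for repeats."""
    return {h: n for h, n in Counter(hashes).items() if n > 1}


def dictionary_lookup(hashes, wordlist):
    """Hash each wordlist entry once, then match every leaked digest against the
    table. Returns {digest: password} for the entries that were found."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {h: table[h] for h in set(hashes) if h in table}


def salted_pbkdf2(password, salt=None, iterations=ITERATIONS):
    """Hardened form: a random per-user salt plus a deliberately slow KDF.
    Returns (salt, digest); both are stored, neither needs to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password, salt, digest, iterations=ITERATIONS):
    """Constant-time comparison of a login attempt against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def compare_schemes(passwords=SAMPLE_PASSWORDS, wordlist=COMMON_WORDS):
    """Run both schemes over the sample and summarise what a leaked dump exposes."""
    sha1_dump = [unsalted_sha1(p) for p in passwords]
    salted_dump = [salted_pbkdf2(p)[1] for p in passwords]
    return {
        "sha1_duplicate_groups": len(duplicate_hashes(sha1_dump)),
        "sha1_recovered": sorted(dictionary_lookup(sha1_dump, wordlist).values()),
        "salted_duplicate_groups": len(duplicate_hashes(salted_dump)),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

On the constructed sample, the SHA-1 dump shows two duplicate groups and gives up both dictionary words with a single table lookup per hash, while the salted PBKDF2 dump shows no duplicates at all: the same password hashed for two users yields two unrelated records, and every guess has to be recomputed per user at the full work factor.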
It’s the second reported FUBAR for LinkedIn in the last 24 hours. Earlier, on Tuesday, it was noted that LinkedIn’s iOS app sends calendar data back to the mother ship. While you have to opt in to the app’s calendar viewing feature, the fact that the data is sent to LinkedIn – unencrypted, no less – was not divulged.
To its credit, LinkedIn responded quickly and modified the Android app to remove that functionality, pushing the update live in Google Play immediately. An updated iOS app awaits App Store approval.
Protecting Yourself
While we have a LinkedIn account, we have been using a password storage and management system called LastPass for some time (there are plenty of others, including Roboform and KeePass). It allows us to generate strong passwords and keep track of them, even pushing them to our mobile devices (although that function requires payment; online-only access through the browser is free).
When we looked at our LinkedIn password, we discovered it was quite strong, and not one of the passwords we use for some commonly used accounts. We changed it, but lesson learned: never use the same password repeatedly, and make sure it is strong, as well.
That said, we will admit there are a couple of passwords we do use repeatedly for some commonly used accounts, ones that we have memorized. They are still strong, however.
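The advice in this section is to let a manager generate strong, unique passwords and to never reuse one. As an added example, not code from the article or from any of the managers named above, the script below does the two things a manager does for you: it draws passwords from the operating system's CSPRNG and it audits a vault for passwords shared across accounts. The vault contents, account names and passwords are constructed placeholders.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set a manager typically draws from: the 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character with the OS CSPRNG, as a password manager does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def find_reuse(vault):
    """vault maps account -> password. Returns {password: [accounts]} for every
    password that appears on more than one account."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


# Constructed vault contents for a made-up user; the account names and
# passwords are placeholders, not real credentials.
SAMPLE_VAULT = {
    "linkedin.example": "Summer2012!",
    "webmail.example": "Summer2012!",
    "bank.example": "x7#Qp9!vL2@mR4",
    "forum.example": "Summer2012!",
    "shop.example": "k3$Wn8&Zt1^Hb6",
}


def audit(vault=SAMPLE_VAULT):
    """Map every account sharing a password to a fresh, unique replacement."""
    reused = find_reuse(vault)
    return {acct: generate_password() for accts in reused.values() for acct in accts}


if __name__ == "__main__":
    print(f"{entropy_bits(20):.0f} bits of entropy per 20-character password")
    for acct, new_pw in audit().items():
        print(f"{acct}: shared password, rotate to {new_pw}")
```

A 20-character password over this alphabet carries about 131 bits of entropy, far beyond anything a wordlist or brute force will reach; the audit's point is that after a breach like this one, the accounts to rotate first are every account sharing the leaked password, not only the breached site.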