It’s been the story of the week; someone dumps a list of more than six million passwords on a Russian forum, and teams of people start cracking them. There are clear indications that they came from LinkedIn, which the social network later confirmed. Shortly after that, dating site eHarmony says they too had accounts compromised by the leak, and now Last.fm is in the mix. Here’s a recap, and a look at the letter LinkedIn is sending to users.
Given that many of you reading this have a LinkedIn account, we feel it is worth keeping tabs on things, despite the repeated coverage theme. For a recount of what’s happened so far, head here and here.
As we said, LinkedIn confirmed they had accounts exposed by the massive hash leak, and eHarmony did the same. While this was taking place, scammers jumped on the bandwagon. They’re using the news cycle to their advantage, blasting out thousands of emails in a phishing attack that claims to warn the user about the LinkedIn incident and offers help with password resets.
On Thursday, Last.fm, a highly popular music recommendation service, became the third massively large website to warn users about password security. It seems that they too had accounts exposed by the leaked password hashes.
“We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately,” a blog post from the service stated.
A similar warning is also displayed when a user accesses their account.
At this point, the $10,000 question is three-fold: who is behind the string of breaches, what else have they hit, and how did they do it. Given that no one is sure, the fear is that password resets are useless: if the vulnerability that let the attackers in remains unpatched, they can simply collect the new passwords.
The issue of salting hashes has come into focus as well, thanks to all of this mess. F-Secure has a great write-up on the topic that’s worth reading. You can see that here.
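To show what salting actually changes for a leaked password table, here is a small added example (not code from the original article, and not from LinkedIn, eHarmony or Last.fm). The article does not say which hash the leaked dump used, so the example assumes plain SHA-1 as the unsalted baseline and PBKDF2-HMAC-SHA256 with a random per-user salt as the salted alternative; the three user accounts are constructed sample data. With no salt, two users who chose the same password get the same stored hash, so a leaked table immediately reveals shared passwords and lets one cracked hash unlock every account that shares it; with a per-user salt, identical passwords produce unrelated records.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: alice and bob happen to share a password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "a different passphrase",
}


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password: the weak baseline assumed for illustration."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: bytes = None, iterations: int = 200_000) -> dict:
    """Stored record for one account: random 16-byte salt plus PBKDF2-HMAC-SHA256.

    The salt and iteration count are stored alongside the hash so the server
    can recompute it at login; they are not secrets, the password is.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the salted hash for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def duplicate_hash_groups(table: dict) -> dict:
    """Map each stored hash that appears more than once to the users sharing it.

    On an unsalted table this exposes every group of users with the same
    password; on a salted table it should come back empty.
    """
    groups = {}
    for user, stored_hash in table.items():
        groups.setdefault(stored_hash, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def build_tables(users: dict = SAMPLE_USERS):
    """Build the unsalted and salted password tables for the sample accounts."""
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: salted_record(p) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("shared hashes, unsalted:", duplicate_hash_groups(unsalted))
    print("shared hashes, salted:  ", duplicate_hash_groups({u: r["hash"] for u, r in salted.items()}))
    print("alice login ok:", verify(salted["alice"], SAMPLE_USERS["alice"]))
```

The same duplicate-grouping check is a quick triage step when a dump is being assessed: a table with clusters of identical hashes is almost certainly unsalted, which is what makes mass cracking of it cheap.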
Finally, LinkedIn is sending emails to users in order to warn about the breach. Here’s what arrived in my inbox this morning.
“We recently became aware that some LinkedIn passwords were compromised and posted on a hacker website. We immediately launched an investigation and we have reason to believe that your password was included in the post. To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event. While a small subset of the passwords was decoded and published, we do not believe yours was among them,” the letter states in part.
As you can see, the letter told me that my password was included in the leaked post, but they’re not certain if it was cracked. If it was, it’s no loss. I only used that password for LinkedIn and I changed it the day I wrote the first story. The rest of the email offers tips on resetting the password, and an apology.
We’ll keep following the story and report new developments as needed.