SecurityWeek

LinkedIn Confirms Password Leak, eHarmony Also Admits Breach


Yesterday, SecurityWeek published an early report on a story from Dangens IT that a hashed password list containing some 6.5 million records may have been leaked from LinkedIn. Throughout the morning, several people examining the list of password hashes reported discovering their own credentials in the stolen list. By the afternoon, LinkedIn confirmed the security incident, and dating site eHarmony added to the news cycle by reporting that they too were breached.

Commenting on the incident earlier in the morning, Troy Gill, a security analyst for AppRiver, said, “While technically no accounts have been hacked yet, I am sure they could be very quickly…”

“The good news is that the passwords are encrypted using SHA-1, which means the hacker will still have to exert some effort to crack them, but strong and complex passwords will take a much greater amount of time and resources than a simple password. Therefore those with a complex and lengthy password will be much safer than those without.”

As it turns out, the unsalted SHA-1 password hashes were trivial to crack using basic tools. LinkedIn has started taking heat for not salting the hashes. A salt is a random, per-user value mixed into the password before it is hashed and stored alongside the hash; it ensures that two users with the same password get different hashes and that an attacker cannot crack an entire dump at once with a single precomputed table. It is a basic layer of password-storage hygiene, not an advanced one. Salting alone does not, however, make a fast hash like SHA-1 expensive to guess against one user at a time; that takes a deliberately slow, iterated password hash as well.

After admitting that there was a password leak from their site, LinkedIn reported that they are adding salt to the new hashing process.

“It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases,” LinkedIn noted in a statement.
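The cracking sequence described above, written out as an added example that is not code from the article, LinkedIn or eHarmony: a constructed wordlist and a handful of constructed users, an unsalted SHA-1 dump falling to a precomputed lookup table, the same passwords stored with a per-user salt so the table no longer applies, and, going one step beyond what the article discusses, the iterated key derivation (PBKDF2 here) that salting by itself does not provide. Every username, password, salt and wordlist entry below is made up for the demonstration.

```python
"""Added example, not from the SecurityWeek article or from LinkedIn/eHarmony.
Shows why an unsalted SHA-1 password dump is cracked with a lookup table,
what a per-user salt changes, and what it does not change (guess speed)."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "linkedin", "123456", "letmein", "sunshine", "Tr0ub4dor&3"]

# Constructed user records; two users deliberately share a password.
USERS = {
    "alice": "password",
    "bob": "linkedin",
    "carol": "password",
    "dave": "c0rrect-h0rse-batt3ry",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_dump() -> List[str]:
    """What a leaked table of unsalted SHA-1 hashes looks like (one hex digest per user)."""
    return [sha1_hex(pw.encode()) for pw in USERS.values()]


def build_lookup(words: List[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once. Nothing per-user goes into an unsalted
    hash, so this one table works against every unsalted SHA-1 dump ever leaked."""
    return {sha1_hex(w.encode()): w for w in words}


def crack_unsalted(dump: List[str], lookup: Dict[str, str]) -> Dict[str, str]:
    """One dictionary lookup per leaked hash; no hashing happens at crack time.
    Users with the same password share a digest and fall together."""
    return {h: lookup[h] for h in dump if h in lookup}


def store_salted(password: str, salt: bytes = None) -> Tuple[str, str]:
    """Salted record: (hex salt, hex sha1(salt || password)). A fresh random
    16-byte salt per user means equal passwords no longer share a digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex(), sha1_hex(salt + password.encode())


def crack_salted(records: List[Tuple[str, str]], words: List[str]) -> Dict[str, str]:
    """The precomputed table is useless now: each record must be attacked on its
    own against the whole wordlist (cost = users x words instead of one table).
    For a fast hash like SHA-1 that is still cheap, which is why salting alone
    is not enough; compare slow_kdf below."""
    found = {}
    for salt_hex, digest in records:
        salt = bytes.fromhex(salt_hex)
        for w in words:
            if hmac.compare_digest(sha1_hex(salt + w.encode()), digest):
                found[digest] = w
                break
    return found


def slow_kdf(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """What salting does not give you: a deliberately slow, iterated hash, so each
    guess costs the attacker roughly what one login check costs the server.
    PBKDF2-HMAC-SHA256 from the standard library; bcrypt/scrypt/Argon2 are the
    usual production choices."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def demo() -> Tuple[int, int, int]:
    """Returns (users, cracked from unsalted dump, cracked from salted records)."""
    cracked_plain = crack_unsalted(unsalted_dump(), build_lookup(WORDLIST))
    salted = [store_salted(pw) for pw in USERS.values()]
    cracked_salted = crack_salted(salted, WORDLIST)
    return len(USERS), len(cracked_plain), len(cracked_salted)


if __name__ == "__main__":
    total, plain, salted = demo()
    print(f"{total} users; unsalted: {plain} distinct digests cracked by table lookup; "
          f"salted: {salted} records cracked only by re-hashing the wordlist per user")
```

The unsalted run recovers alice and carol together, since both hash to the same digest; the salted run has to hash the wordlist once per user but still recovers the three weak passwords, which is the point of the last function: a salt removes the shared table, an iterated KDF is what makes each guess expensive.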

By now, most of the 6.5 million passwords taken from LinkedIn and leaked to a Russian forum have been cracked, so if you haven’t yet – go change your password.

In addition to LinkedIn, dating site eHarmony examined the list of leaked passwords and confirmed speculation that they were breached as well.


“After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected… We deeply regret any inconvenience this causes any of our users,” they said in a statement.

Based on the list, eHarmony also failed to take the additional step of salting its hashes, and its attempt to highlight its security measures fell flat: measures such as SSL protect data in transit and do little to stop someone who already holds valid credentials from logging in. It remains unclear how the passwords were accessed in the first place. Neither LinkedIn nor eHarmony has mentioned discovering or patching a vulnerability, so it is possible that the criminals who obtained the first list could obtain another list in the future.

We’ll follow the story and report any new developments.
