More than 6 million Linkedin passwords stolen

This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.
Linkedin

NEW YORK (CNNMoney) — Russian hackers released a giant list of passwords this week, and on Wednesday security researchers identified their likely source: business social networking site LinkedIn.

LinkedIn confirmed in a blog post late Wednesday afternoon that some of the stolen passwords correspond to LinkedIn accounts.

The company did not offer any information about how the passwords were stolen or the extent of the damage, but it said it is “continuing to investigate” the matter.

The 6.5 million leaked passwords were posted Monday on a Russian online forum, camouflaged with a common cryptographic code called SHA-1 hash. It’s a format that’s considered weak if added precautions aren’t taken. Roughly half of the “hashed” passwords have already been decoded and posted online in human-readable text.

Several security researchers tweeted Wednesday that they have found their passwords among those that were revealed. Web security firm Sophos said it matched many of its researchers’ own passwords that are used exclusively on LinkedIn.

Countless passwords on the list contain the word “linkedin.” On a popular hacker forum, many reported finding passwords such as “linkedout,” “recruiter,” “googlerecruiter,” “toprecruiter,” “superrecruiter,” “humanresources” and “hiring.”

There’s good news and bad news about this break-in.

The good news is that so far, no user names have been discovered in the list. It’s highly recommended that you change your password, but after that you should be okay.

The bad news is that LinkedIn was using an outdated form of cryptography to secure its users’ private information. The company should have known better than to guard its lists with just SHA-1, experts say.

AlertMe