Users of the popular business-oriented social network LinkedIn are being advised to log in to their accounts and change their passwords immediately. In early June 2012, a file containing millions of LinkedIn passwords was reportedly published online. A report about the attack on Mashable Tech notes:
A Russian forum user claims he has hacked LinkedIn, uploading 6,458,020 encrypted passwords (without usernames) as proof.
The passwords are encrypted with the SHA-1 cryptographic hash function, used in SSL and TLS and generally considered to be relatively secure, but not foolproof. Unfortunately, it also seems that passwords are stored as unsalted hashes, which makes it much easier to decipher them using pre-computed rainbow tables.
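To illustrate why the "unsalted" detail matters, here is an added example (not code from the article, Mashable or LinkedIn) using a constructed five-word list and three hypothetical users: a table of SHA-1 digests computed once recovers every unsalted hash by a plain dictionary lookup, while a per-user random salt makes the same table useless and also hides which users share a password.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed sample data: a tiny wordlist standing in for the dictionaries
# attackers precompute, and three hypothetical users, two sharing a password.
WORDLIST = ["password", "linkedin", "123456", "letmein", "qwerty"]
USERS = {"alice": "linkedin", "bob": "123456", "carol": "linkedin"}


def unsalted_sha1(password: str) -> str:
    """Hash the way the leaked file was described: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Same primitive with a per-user random salt prepended."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_lookup(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once. This is the work a rainbow table
    amortises; it only pays off because unsalted SHA-1 of 'linkedin' is the
    same digest for every user and every site."""
    return {unsalted_sha1(w): w for w in words}


def recover_unsalted(hashes: Iterable[str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Recover plaintexts by lookup alone; no hashing happens at crack time."""
    return {h: table.get(h) for h in hashes}


def demo() -> dict:
    table = build_lookup(WORDLIST)
    leaked = {u: unsalted_sha1(p) for u, p in USERS.items()}
    cracked = {u: recover_unsalted([h], table)[h] for u, h in leaked.items()}
    # With a 16-byte random salt per user the same password no longer yields
    # the same digest, so one precomputed table cannot be reused across users.
    salts = {u: os.urandom(16) for u in USERS}
    salted = {u: salted_sha1(p, salts[u]) for u, p in USERS.items()}
    return {
        "cracked": cracked,                                   # all three recovered
        "shared_hash": leaked["alice"] == leaked["carol"],      # True: same password visible
        "shared_salted_hash": salted["alice"] == salted["carol"],  # False
        "salted_in_table": any(h in table for h in salted.values()),  # False
    }
```

Salting defeats precomputation but SHA-1 remains fast to evaluate, so current guidance pairs a salt with a deliberately slow function such as bcrypt, scrypt or PBKDF2.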
Security expert Graham Cluley of Sophos has also warned about the incident, noting:
A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them.
Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals.
Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords.
LinkedIn itself has since confirmed the breach on its company blog:
We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.
Given that many people tend to use the same passwords across multiple services, the potential security implications may not stop at LinkedIn.
To change your LinkedIn password:
Log in to your LinkedIn account.
Click on your name at the top right of the page.
Choose the "Password change" option and follow the instructions.
If you are using the same password for other services, it would be wise to change those as well. Now is also a good time to protect yourself against future attacks by picking a new and unique password for each and every account.
The LinkedIn blog offers more information about how the company is dealing with the attack.