LinkedIn is hacked: Russian hacker steals 6.5 million LinkedIn passwords

Computer security experts and news agencies worldwide are reporting an outrageous hack causing the leak of about 6.5 million LinkedIn passwords today. Below are details of the LinkedIn hack and tips to avoid identity theft due to this jeopardy.

Today’s message on one of the Russian forums stirred up the entire Internet community. A user nicknamed ‘dwdm’ announced to have succeeded in hacking the worldwide business social network LinkedIn, stealing 6.5 million users’ personal data. As an evidence of his ‘deed’, he published 6,458,020 hashed passwords online.

Although this seemed likely to be a false alarm when the message came online, a number of Twitter users started confirming to have found their hashed passwords on the uploaded infamous list. The passwords appeared to be encrypted using the SHA-1 algorithm which is widely used for securing SSL and TLS connections. The latter are considered to be quite secure, so strong passwords might take a while to decrypt, whereas weak ones may turn out to be a ‘piece of cake’ for potential cyber intruders.

The Chief Research Officer at F-Secure Mikko Hypponen has verified the leaked database to contain genuine user data. He assumes the hacker might have taken advantage of some web interface exploit, i.e. a set of commands that allowed bypassing LinkedIn’s security due to known vulnerabilities. Hypponen also pointed out there’s nothing particularly wrong about keeping SHA-1 encrypted hashes as it has proven to be a fairly reliable and hard-to-crack algorithm used extensively in computer security. However, double hashing would have been a great idea to implement here to begin with – this would be an efficient countermeasure for password decryption.

LinkedIn has eventually made an official announcement via Twitter, stating that their team is “currently looking into reports on stolen passwords”. Whereas subsequent Tweets by the company haven’t explicitly confirmed the breach thus far, the leaked data is obviously out there.

Therefore, in case you have an account with LinkedIn, here is a set of tips to help you avoid falling victim to identity theft:

1. Change your password immediately:

• Visit www.linkedin.com, and log in as usual with your credentials.
• In case you do not remember your password, clicking on the ‘Forgot password’? link on the ‘Sign in’ page to get password help.
• Do not change your password by following a link in an email your received because such links might be bogus and reroute you to the wrong page.
• Having logged in, hover over your name in the top right-hand corner of the screen, and choose ‘Settings’ in the menu that appears.
• On the ‘Settings’ screen, click the ‘Account’ button which is around the bottom of the page.
• Under ‘Email & Password’ section, you will find a link to change your password.

2. Create a new strong password:

• Make the password at least 10 characters long, using upper and lower case letters, numbers and non-alphanumeric symbols.
• Do not use words from the dictionary.
• You might want to consider using password management software to get all of this done automatically if you like.

3. Other security tips:

• In case you were using the old LinkedIn password to log into other online services, be sure to immediately change those passwords as well.
• Do not give your password to others or write it down.
• Avoid putting your email address, location details or phone number in your personal profile.
• Do not forgent to log out of your account after using a publicly shared computer.
• Make sure your antivirus software is up-to-date.

LinkedIn has over 150 million users around the globe. This hack could affect less than 5 percent of its user base, but it may substantially influence this social network’s reputation.