LinkedIn finally confirmed late on 6 June, 2012, that it suspected that the business-focusedwebsite had been hacked.
They also reported that the major security breach reported on many news channels did appear to be accurate. Although LinkedIn has not officially put out any sort of definitive statement, it appears that over 6.5 million passwords have been leaked to a Russian chat forum. Although this number is small in terms of LinkedIn’s overall social media reach which is currently estimated at over 161 million users globally, it will still cause the social media channel a major headache.
LinkedIn has now confirmed the hack on the company’s blog, and has outlined the steps it will be taking to deal with the situation.
Vincente Silveira, director at LinkedIn has claimed that it is advisable that any member of the social media forum would be wise to change their passwords, regardless of whether they have been hacked or not. What the company has said if it finds any accounts with email notification will be sent directly to the user advising them to visit the website and change passwords. The reason why this is so important is because many people use the same password for a number of different social media and e-commerce accounts.
There is, subsequently, a risk that unscrupulous criminals might get hold of the sensitive information and try to defraud users.
It is believed that LinkedIn’s own security advisers suspected that the business-focused social network had suffered a major breach of its password database, when a file containing 6.5 million unique hashed passwords appeared in an online forum based in Russia. However, the file only contains passwords hashed using the SHA-1 algorithm and does not include user names or any other data, the same security researchers say. None the less, the breach is thought to be so serious that security professionals are advising users to change their LinkedIn passwords immediately.
It’s unknown at this point how the file ended up on a public forum or exactly which site the passwords originate from; however, many of the 200,000 passwords that have already been cracked and published to the forum have the common term “LinkedIn” in them, according to Per Thorsheim, a security advisor based in Norway, who spoke to PCWorld.
However, in an attempt to reassure users Silveira has written on the site blog that:
“It is worth noting that the affected members who update their passwords, and members whose passwords have not been compromised, benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.”
None the less Thorsheim believes that as 6.5 million unsalted hashes have been exposed, then it doesn’t really matter how long or difficult to guess any password is: anyone whose password has been exposed is at risk.