Update: LinkedIn has posted another blog post stating that it’s working with law enforcement to catch the culprits responsible and that it has yet to hear of any accounts being accessed by another party. The company also states that its current password database is now salted as well as hashed, for added protection. We’ll update this story once we hear more.
Update 6/7/2012: LinkedIn offered more safety suggestions on its blog to LinkedIn members.
LinkedIn users awoke to a nasty surprise Wednesday as word spread that hackers breached LinkedIn’s servers and leaked passwords for nearly 6.5 million user accounts. LinkedIn didn’t acknowledge the hack until Wednesday afternoon, when the company finally confirmed that a number of member passwords had indeed been compromised.
Who’s Behind the Hack?
A user on a public Russian forum is taking credit for the hack, but no one has been able to verify if he or she is really behind this whole mess.
When Did the Hack Take Place?
We don’t know when the hack took place, but according to Ars Technica, the hackers posted the data over the course of three days.
What, Exactly, Was Released?
The user posted approximately 6.5 million hashed passwords to the forum, and according to security software firm Sophos, at least 60 percent of those passwords have already been cracked. Thus far no usernames have been released, which can mean either that the hackers didn’t manage to download them or that they are keeping the usernames for themselves. Either way, that’s a lot of leaked private data.
So Is My Account Compromised?
Yes and no. The passwords were all hashed using SHA-1, so they aren’t readable outright. Unfortunately, SHA-1 isn’t foolproof: the hashes can still be cracked by brute force, which means feeding several million candidate words or phrases through the SHA-1 algorithm and comparing the results against the list of leaked hashes. Since we don’t know whether the hackers have usernames as well, it’s best to assume the worst and consider your account hacked.
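To make that concrete, here is an added example (not code from the article or from LinkedIn) showing why a leak of unsalted SHA-1 hashes is so cheap to attack and what the per-user salting mentioned in the update buys: one hash computation per candidate word checks against every leaked hash at once, whereas salted records force the work to be repeated for every user. The wordlist and the "leaked" passwords are constructed sample data.

```python
import hashlib
import os

# Constructed sample wordlist; real cracking wordlists hold millions of entries.
WORDLIST = ["password", "linkedin", "123456", "letmein", "qwerty", "Tr0ub4dor&3"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_hashes(passwords):
    """What an unsalted store keeps: just SHA-1(password), one per user."""
    return {sha1_hex(p.encode()) for p in passwords}


def crack_unsalted(leaked, wordlist):
    """One SHA-1 per candidate, looked up against the whole leaked set.
    Work is len(wordlist) no matter how many hashes leaked, and a
    precomputed table of word -> SHA-1 would make it a pure lookup."""
    recovered, work = {}, 0
    for word in wordlist:
        work += 1
        h = sha1_hex(word.encode())
        if h in leaked:
            recovered[h] = word
    return recovered, work


def salted_hashes(passwords):
    """Salted store: a random per-user salt kept beside SHA-1(salt || password).
    Note: SHA-1 is still fast, so a slow password hash (bcrypt, PBKDF2) is the
    stronger choice; salting alone only removes the shared-work shortcut."""
    records = []
    for p in passwords:
        salt = os.urandom(16)
        records.append((salt, sha1_hex(salt + p.encode())))
    return records


def crack_salted(records, wordlist):
    """Every candidate must be re-hashed under each record's salt, so work
    grows as len(records) * len(wordlist) and precomputed tables are useless."""
    recovered, work = {}, 0
    for salt, h in records:
        for word in wordlist:
            work += 1
            if sha1_hex(salt + word.encode()) == h:
                recovered[h] = word
                break
    return recovered, work
```

Run `crack_unsalted` and `crack_salted` over the same constructed password list to see the same weak passwords fall in both cases, but with the salted store costing a multiple of the work for only three users.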
What’s the Worst That Can Happen?
For one thing, hackers would have control of your account and contacts. If you use the same username and password combo on other sites, then there is a risk that those accounts are now compromised as well.
What About LinkedIn Pro Users? Do I Need to Worry About My Credit Card Info?
LinkedIn hasn’t said anything about whether any financial information associated with LinkedIn pro accounts was compromised, so we don’t yet know for certain. In either case, you should always keep a close eye on your financial statements to make sure that nobody is using your accounts without your authorization.
What Can I Do to Protect Myself?
In a blog post, LinkedIn says that it will email all the users whose accounts were affected by the hack and give them instructions as to what to do next. The company warns that you should not click on any email links asking you to change your password, as that could be someone attempting to steal your information.
If you used the same password or username on other websites (which you really shouldn’t do), it might be a good idea to go ahead and change those for good measure. If you need help in building a better password, check out our comprehensive guide on the matter.
For still more tips, see our overview of what to do if you ever become a victim of a data breach. So change your passwords, don’t click on any suspicious links, and stay safe out there, folks.