A data breach at LinkedIn, the business-oriented social networking site, has spawned a spam campaign that tries to take advantage of users worried that their passwords were among the 6.46 million posted on the Internet.
The spam campaign uses service messages pretending to be from LinkedIn, but no connection has been established between the data breach and the spam messages.
“Because similar e-mails have been circulating for some time, it is hard to say if this is an example of a coordinated scam designed to leverage the security breach made public [Wednesday], or simply a coincidence (like getting a phishing e-mail asking you to reset your Bank of America online banking password two days after you opened an account there),” Cameron Camp, a security researcher at Eset, wrote in a company blog.
The bogus LinkedIn message, crafted to look like a genuine communication from the site, asks the recipient to confirm his or her e-mail address and contains a link for doing so. Clicking the link spirits the target to an illegal online pharmacy selling Viagra and other medications.
The campaign couldn’t come at a worse time for LinkedIn, which has been using e-mail to communicate with its members affected by the massive breach of its systems.
Aware that clicking on links in e-mails is a bad security practice, LinkedIn is using a two-step process. Users affected by the breach first receive an e-mail without any links in it. It informs the member that they must reset their password and provides them with steps for doing so.
After completing those steps and requesting password assistance, the member will receive a second e-mail with a password reset link.
“It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases,” LinkedIn’s director, Vicente Silveira, wrote in a company blog.
LinkedIn was criticized when the breach was revealed for not “salting” the password hashes of its members. Hashing a password converts it into a fixed string of characters that is unintelligible to the naked eye. But a hashing scheme yields the same hash for the same password. So for all sites using a hashing scheme like SHA-1, a password like linkedin123 would have the same hash across all the sites. That makes the hashes easy to crack with the right reference tools.
Salting adds random characters to each password before it is hashed. That makes each hash unique and much tougher to crack.
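The difference the two paragraphs above describe, as an added example that is not part of the article or LinkedIn's own code: a precomputed table of common passwords recovers unsalted SHA-1 hashes directly, while a per-user random salt makes the same table useless. The candidate password list and the salts are constructed here; SHA-1 is used only because it is the scheme the article discusses.

```python
import hashlib
import hmac
import os

# Constructed list of common candidate passwords (not taken from any leak).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "linkedin", "linkedin123"]


def unsalted_sha1(password: str) -> str:
    """The scheme the article criticises: one password always gives one hash,
    on every site that stores passwords this way."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def new_salt() -> bytes:
    """Fresh random salt for each stored password."""
    return os.urandom(16)


def salted_sha1(password: str, salt: bytes) -> str:
    """Salt is mixed into the input before hashing, so two users (or two sites)
    with the same password no longer share a hash.
    Note: current practice also uses a deliberately slow function such as
    hashlib.pbkdf2_hmac or bcrypt rather than a single SHA-1 round."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """The 'reference tool' the article mentions: hash -> password,
    precomputed once and reusable against every unsalted site."""
    return {unsalted_sha1(p): p for p in candidates}


def crack_dump(table: dict, dump) -> dict:
    """Return the dump entries the precomputed table recovers."""
    return {h: table[h] for h in dump if h in table}


def verify_salted(password: str, salt: bytes, stored_hash: str) -> bool:
    """Constant-time check of a login attempt against a salted record."""
    return hmac.compare_digest(salted_sha1(password, salt), stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_dump = [unsalted_sha1("linkedin123"), unsalted_sha1("correcthorse")]
    salt = new_salt()
    salted_dump = [salted_sha1("linkedin123", salt)]
    print("unsalted recovered:", crack_dump(table, unsalted_dump))
    print("salted recovered:  ", crack_dump(table, salted_dump))
```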
LinkedIn wasn’t the only website targeted by hackers this week. Online dating site eHarmony was also penetrated and 1.5 million password hashes were posted to the Web.
Hackers typically post hashes they’re having difficulty cracking to the Internet to get help from their colleagues in deciphering the passwords.
Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.