LinkedIn admitted Wednesday that a hacker managed to steal millions of users'
passwords and post them to the Web, leading the Mountain View
professional-networking service to lock up accounts with stolen passwords.
A user uploaded almost 6.5 million passwords to a Russian Web forum,
claiming that they were from LinkedIn. Although the list that was uploaded to
the forum did not include user names, that does not necessarily mean whoever
managed to extract the passwords did not also obtain the corresponding email
addresses that match those accounts.
After investigating for most of the day Wednesday, LinkedIn Director
Vicente Silveira said in a blog post "that some of the passwords that were
compromised correspond to LinkedIn accounts."
What makes the breach particularly alarming is that it involved a
relatively mature website that is used by tens of millions of people, said
Phil Hochmuth, a security analyst with tech research firm IDC.
The compromise "is disconcerting," he said.
LinkedIn users who have paid for premium accounts -- a minority of its
161 million members -- run the risk of having their credit card information
compromised, said security analysts. But even nonpaying LinkedIn users could
be in danger.
Many consumers use the same password across multiple websites, analysts
noted. So, even if they don't have financial information stored on LinkedIn,
the same email address and password they use on that site could be used to access such information elsewhere.
"People need to think outside of the service," said Lawrence Pingree, a
security analyst at technology research firm Gartner.
Meanwhile, users typically have a great deal of information about
themselves and their associates stored in their LinkedIn accounts. That
information could be used to construct very sophisticated phishing attacks.
LinkedIn users should be "double checking, making sure messages being
sent to them under the guise of connections from LinkedIn ... are legitimate,"
said Hochmuth, adding that their data "might be used to exploit them."
Customers whose passwords were verified as stolen will immediately have
their passwords invalidated, Silveira wrote, and receive an email with
instructions on how to reset it.
"There will not be any links in these emails. For security reasons, you
should never change your password on any website by following a link in an
email," Silveira warned.
Those account holders will also receive a second email from the company's
customer service team with further explanation and details, Silveira wrote.
"We sincerely apologize for the inconvenience this has caused our
members. We take the security of our members very seriously," he said.
But security experts recommended that all users -- not just those alerted
by LinkedIn -- change their passwords.
The uploaded passwords are encrypted, and the hacker who uploaded them
was reportedly seeking assistance in unlocking them. However, the British Web
security consultant who originally detailed the posted passwords said an
investigation showed the passwords to be legitimate and suggested that
LinkedIn customers change their passwords immediately.
The consultant, Graham Cluley of Web security company Sophos, wrote in
his blog post that "although the data which has been released so far does not
include associated email addresses, it is reasonable to assume that such
information may be in the hands of the criminals."
Some users also reported on Twitter that they had found their encrypted,
or "hashed," passwords on the list.
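The passage above turns on what it means for a leaked password list to be "hashed" rather than plain text, and why that is only partial protection. The following Python, added here as an illustration and not code from LinkedIn, Sophos or anyone quoted in the article, contrasts an unsalted fast hash with a salted, iterated one on a small constructed user table (the accounts and passwords are made up). With an unsalted hash, every user who chose the same password ends up with the same stored value, so a leaked list reveals shared passwords and can be matched against precomputed digests of common passwords; with a per-user salt and an iterated derivation, identical passwords produce different stored values and each guess costs far more work. The `duplicate_hash_groups` helper is the kind of check a defender can run over their own user table after a leak to estimate exposure.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records for the demonstration; not from any real breach.
SAMPLE_PASSWORDS: Dict[str, str] = {
    "alice@example.com": "linkedin2012",
    "bob@example.com": "linkedin2012",   # same password as alice
    "carol@example.com": "correct horse battery staple",
}

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_sha1(password: str) -> str:
    """One-way hash with no salt: identical passwords give identical digests,
    and a digest of a common password can be matched against a precomputed table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A fresh random salt is drawn
    when none is supplied, so two users with the same password store different values.
    Returns (salt, digest); both are stored, the password is not."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, expected: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Login check: re-derive the digest from the candidate password and compare in
    constant time. The stored (salt, digest) pair never yields the password directly."""
    _, digest = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def duplicate_hash_groups(records: Dict[str, str],
                          hash_fn: Callable[[str], str]) -> Dict[str, List[str]]:
    """Group accounts whose stored hash values collide.

    With an unsalted hash this immediately shows which users share a password;
    with a salted hash the groups are empty even when passwords are reused.
    """
    groups: Dict[str, List[str]] = {}
    for user, password in records.items():
        groups.setdefault(hash_fn(password), []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def salted_hex(password: str) -> str:
    """Adapter so the salted scheme can be fed to duplicate_hash_groups."""
    return salted_pbkdf2(password)[1].hex()


if __name__ == "__main__":
    print("unsalted collisions:", duplicate_hash_groups(SAMPLE_PASSWORDS, unsalted_sha1))
    print("salted collisions:  ", duplicate_hash_groups(SAMPLE_PASSWORDS, salted_hex))
    salt, digest = salted_pbkdf2("linkedin2012")
    print("login ok:", verify_pbkdf2("linkedin2012", salt, digest))
    print("wrong pw:", verify_pbkdf2("linkedin2013", salt, digest))
```

Running it shows alice and bob grouped together under the unsalted scheme and no groups at all under the salted one, which is the concrete reason a leaked unsalted list still warrants the "change your password everywhere you reused it" advice in the article, and why a verification routine that re-derives and compares digests never needs the plain password on disk.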
Marcus Carey, a security researcher at Boston-based Rapid7, told Reuters
he was "highly confident" that hackers had wormed their way inside LinkedIn's
network for several days, based on his analysis of the data posted on the
forums.
"While LinkedIn is investigating the breach, the attackers may still have
access to the system," Carey warned. "If the attackers are still entrenched in
the network, then users who have already changed their passwords may have to
do so a second time."
The company's stock initially fell Wednesday after reports of the
passwords' theft, even as Wall Street enjoyed strong gains. But the shares
recovered by the close of trading and ended the session up 8 cents, or 0.1
percent, to $93.08.