Social networking powerhouse LinkedIn is investigating reports that approximately 6.5 million passwords have been stolen, and that their hashed representations have been posted on the Internet.
While the company has neither confirmed nor denied that the posted hashes are actually user passwords, a number of experts in the security field believe it to be true.
“A lot of people in the security field have been comparing hash values, and a lot of their own passwords are showing up -- including my own,” said Dave Pack, director of LogRhythm Labs, a Boulder, Colo.-based security managed service provider. “So that's a pretty good indication that this is a legitimate breach.”
A number of industry experts also noted that 6.5 million represents only a small subset of the LinkedIn account base, so the actual scale of the alleged breach is yet to be determined.
“It’s common for attackers to release only a limited set of the data to prove that the hack took place,” said Pack. “So the full scope is unknown at this time and possibly could include the full database.”
Regardless of the extent of the breach, anyone in possession of the list must successfully complete at least another layer of hacking before the actual passwords are revealed.
“The attackers have only released that list of cryptographic hashes,” said Chester Wisniewski, senior security advisor at Boston-based Sophos. “We don't know if they have email addresses or names, or any other information. The passwords by themselves are pretty useless because the passwords can be changed. But, we are wondering if the attacker perhaps has a lot more information, and they just released this list so that the community will crack all the passwords so they don't have to use their own computing power to do so. And, once those passwords start getting published, they can match them back to the hashes.”
Wisniewski added that the hashed passwords were not adequately secured. Beyond the obvious point that anything that can be stolen was not adequately secured, he explained that the leaked values were unsalted SHA-1 hashes.
“SHA-1 is currently considered the best algorithm for doing that kind of thing, but the act of salting makes it a lot harder to crack the passwords. Salting is adding something random to everyone's password before it’s encrypted, so you can't perform dictionary attacks as easily. Because they didn't do that, I'm guessing that most of the passwords in this list are going to be figured out within a day. Had they salted them, it could possibly have taken years.”
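The following is an added example (not code from the article or from LinkedIn) illustrating two points made above: the self-check the quoted experts performed, hashing their own password the same way and looking for it in the posted list, and why a per-user random salt makes that kind of precomputed matching fail. The "leaked" hash set and the wordlist are constructed for the example and are not taken from the real dump; the function names are the example's own.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked list of unsalted SHA-1 hex digests.
# These are NOT values from the real LinkedIn dump.
LEAKED_UNSALTED = {
    hashlib.sha1(b"password").hexdigest(),
    hashlib.sha1(b"linkedin").hexdigest(),
    hashlib.sha1(b"Tr0ub4dor&3").hexdigest(),
}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme the article says the leaked hashes used.
    Every user with the same password gets the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def appears_in_leak(password: str, leaked: set) -> bool:
    """The self-check described in the article: hash your own password the
    same way and see whether the digest is in the posted list."""
    return sha1_hex(password) in leaked


def build_lookup_table(wordlist) -> dict:
    """Precompute digest -> word once. Against unsalted hashes a single table
    serves every account, which is the weakness salting removes."""
    return {sha1_hex(w): w for w in wordlist}


def match_against_table(hashes, table: dict) -> dict:
    """Return the subset of hashes that the precomputed table resolves."""
    return {h: table[h] for h in hashes if h in table}


def new_salt(nbytes: int = 16) -> bytes:
    """Fresh random salt for each stored credential."""
    return os.urandom(nbytes)


def salted_sha1(password: str, salt: bytes) -> str:
    """Salted variant: the salt is mixed in before hashing, so identical
    passwords produce different digests and precomputed tables don't apply.
    (A slow, memory-hard KDF would be stronger still; SHA-1 is kept here only
    to match the article's discussion.)"""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def store_salted(password: str) -> tuple:
    """What a server keeps per user: (salt, digest)."""
    salt = new_salt()
    return salt, salted_sha1(password, salt)


def verify_salted(password: str, salt: bytes, stored_digest: str) -> bool:
    """Recompute with the stored salt; constant-time compare."""
    return hmac.compare_digest(salted_sha1(password, salt), stored_digest)


if __name__ == "__main__":
    print("own password in leak:", appears_in_leak("password", LEAKED_UNSALTED))
    table = build_lookup_table(["password", "linkedin", "qwerty", "letmein"])
    print("unsalted hashes resolved by one table:",
          match_against_table(LEAKED_UNSALTED, table))
    s1, d1 = store_salted("password")
    s2, d2 = store_salted("password")
    print("same password, different salted digests:", d1 != d2)
    print("salted digests resolved by the same table:",
          match_against_table({d1, d2}, table))
```

Running the script shows the asymmetry the article describes: one small table resolves two of the three unsalted digests immediately, while the same table resolves none of the salted digests, and two accounts sharing a password no longer share a stored value.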
The attack could have been executed using any number of means, including a SQL injection.
Next steps for LinkedIn users are a matter of some debate. Some security experts advocate an immediate password change, but LogRhythm's Pack suggests that users wait until a response comes from LinkedIn.
“If users use that same password on different accounts, they should change all those other account passwords immediately,” he said. “Do not change your LinkedIn password until this is resolved by the company. It’s entirely possible that the attack is still active, meaning that any change of password would be detected, as well.”
Wisniewski from Sophos added that this development represents a perfect opportunity for people to re-examine their approach to passwords.
“When it comes to choosing a password, the three most important things are to use long passwords, don’t choose a dictionary word and use a different password for each separate account,” he said. “If you had a long enough password, it would be really hard to brute force off of this list. If you only use that password at LinkedIn, it won't matter because I'm sure LinkedIn is going to require all their users to change their passwords. And don't use dictionary words, even dictionaries from foreign languages. They look at those too.”