It's been a rough week for LinkedIn. On Wednesday morning, reports of an alleged breach into social networking site LinkedIn began to appear online. At risk were over six million passwords, which had been posted to a Russian hacking site. LinkedIn did not confirm the breach until later in the day and to date has provided few details.
LinkedIn spokesperson Danielle Restivo told eSecurity Planet that the company is declining to provide any comments beyond what has been posted to the company's blog and Twitter account. In the blog post, LinkedIn spokesperson Vicente Silveira does not explicitly state how many accounts were breached or how the attack occurred.
What is clear is that users whose passwords were leaked will no longer be able to log in to LinkedIn with them and will instead be directed to set a new password. Silveira also noted that LinkedIn will be emailing affected users with instructions on how to update their passwords. Predictably, this announcement has led to a string of phishing attacks over the last day. Over a six-hour period, eSecurity Planet received multiple phishing emails requesting LinkedIn password resets. The key difference between the legitimate LinkedIn email and these phishing scams is that the real email contains no links to click; anyone who wants to reset a password should navigate to LinkedIn directly rather than follow a link from an email.
Users should also beware third-party sites that claim to check whether a LinkedIn password has been compromised. One such site launched yesterday at LeakedIn.org. A day later, security researcher Stefan Esser found that the site leaks password hashes to GetClicky, a user tracking service. Lesson: Never trust a third-party site with your username and password.
Hashed, But Not Salted
There has been some speculation that LinkedIn's failure to "salt" its password hashes has made it easier for attackers to crack them. The leaked LinkedIn passwords were stored as plain, unsalted SHA-1 hashes. Without a salt, the same password always produces the same hash, so an attacker can hash each candidate password once and compare the result against all 6.5 million leaked hashes at the same time, or simply look the hashes up in a precomputed table. A per-user random salt forces the attacker to repeat that work separately for every account.
"Salting stored hashes increases the complexity of the encrypted password data, beyond the point where it can be cracked in a reasonable amount of time," said Jim Walter, manager of McAfee's Threat Intelligence Service (MTIS), in an interview with eSecurity Planet. "Failing to store passwords in a secure manner allows for quick and easy decryption of the hashes, revealing the plain-text passwords."
Walter noted that the LinkedIn lists were basic SHA-1 hashes. Dating site eHarmony was also breached this week in a similar manner, and the various eHarmony lists are MD5-based.
"Both of these algorithms have well-documented weaknesses, and simple hashes with restricted lengths can quickly be 'cracked' by any determined individual," Walter said.
Walter added that LinkedIn has stated that they will be increasing security with respect to passwords and password storage. Password "salting" will now be introduced going forward, but Walter said he expects it may take the company some time to regain user trust after overlooking such an established and vital step in the storage of critical and sensitive data.
Marcus Carey, security researcher at Rapid7, told eSecurity Planet that while salted password hashes definitely take more time and effort to crack, a determined hacker can succeed nonetheless, given enough time and resources.
"Developers should use salted password hashes, but it only extends the inevitable compromise," Carey said.
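The following is an added example, not code from the article or from LinkedIn, illustrating the point made above: it stores a constructed set of user passwords as bare SHA-1 (the way the leaked LinkedIn list was stored), then as per-user salted SHA-1, and runs the same small dictionary attack against both while counting hash computations. The user list, passwords, and wordlist are all made up for the demonstration. The final two functions go slightly beyond the article by showing the form a practitioner would actually deploy, a salted and deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), since a salt alone does nothing to slow down a single guess.

```python
import hashlib
import hmac
import os

# Constructed sample data: four accounts, two of which share a weak password.
USERS = {
    "alice": "linkedin",
    "bob": "password1",
    "carol": "linkedin",
    "dave": "Tr0ub4dor&3",  # deliberately absent from the attacker's wordlist
}

# Constructed attacker wordlist, ordered as a cracking tool might try them.
WORDLIST = ["123456", "password", "password1", "linkedin", "qwerty", "letmein"]


def unsalted_store(users):
    """Store passwords as bare SHA-1 hashes, as in the leaked LinkedIn list."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users, salt_len=16):
    """Per-user random salt; SHA-1(salt || password). The salt is kept next to the hash."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        store[u] = (salt, hashlib.sha1(salt + p.encode()).hexdigest())
    return store


def crack_unsalted(store, wordlist):
    """Hash each candidate once, then match every stored hash against that table.
    Returns (recovered passwords by user, number of hash computations)."""
    table = {}
    for word in wordlist:
        table[hashlib.sha1(word.encode()).hexdigest()] = word
    found = {u: table[h] for u, h in store.items() if h in table}
    return found, len(wordlist)


def crack_salted(store, wordlist):
    """Every account has its own salt, so each candidate must be re-hashed per account.
    Returns (recovered passwords by user, number of hash computations)."""
    hashes = 0
    found = {}
    for u, (salt, h) in store.items():
        for word in wordlist:
            hashes += 1
            if hashlib.sha1(salt + word.encode()).hexdigest() == h:
                found[u] = word
                break
    return found, hashes


def pbkdf2_store(users, iterations=100_000):
    """Salted, slow KDF (assumed parameters for illustration): each guess now costs
    `iterations` HMAC-SHA256 calls instead of one SHA-1 call."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt, iterations, dk)
    return store


def verify_pbkdf2(store, user, password):
    """Constant-time check of a login attempt against the PBKDF2 store."""
    salt, iterations, dk = store[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    found, work = crack_unsalted(unsalted_store(USERS), WORDLIST)
    print(f"unsalted SHA-1: recovered {found} with {work} hash computations")
    found, work = crack_salted(salted_store(USERS), WORDLIST)
    print(f"salted SHA-1:   recovered {found} with {work} hash computations")
```

With this wordlist the unsalted attack recovers all three weak passwords with six hash computations in total, and the identical hashes for alice and carol reveal the shared password before any cracking starts; the salted attack recovers the same three accounts but needs 17 computations, and the cost grows with the number of accounts rather than staying flat. That is the "extends the inevitable" effect Carey describes: salting multiplies the attacker's work, and only the slow KDF at the end makes each individual guess expensive.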
Secure Web Apps Are Key
So what can enterprise organizations learn from this attack? Carey of Rapid7 says the key to password security ultimately begins with developers writing secure web applications that resist password leakage and remote code execution.
"The reality is that once an endpoint is compromised, all related passwords should be considered compromised," Carey stressed.
While good system security is the foundation for password security, individual end-users can still exercise some control over their own fates. McAfee's Walter noted that the LinkedIn hack is a good reminder to all internet users about the importance of maintaining a complex password and changing it often.
"A secure passphrase may be the only thing standing between your personal data and those that wish to steal it," Walter said. "In short, where passwords are required: Keep them complex, keep them unique, and change them often."
Rapid7's Carey suggests that organizations should also enforce more rigorous password security among their users by requiring longer passwords of at least 12 characters made up of a mixture of character types.
"Users should be reminded not to reuse passwords and to avoid using obvious words such as 'password,'" Carey said.