LinkedIn Confirms Security Breach

Editor's Note: For more on this story, read Lessons From The LinkedIn Password Attack.

In a recent blog post, LinkedIn's Vicente Silveira confirmed that at least some LinkedIn members' passwords have been stolen. "Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," Silveira writes.

"Users of the social networking site for professionals will also receive an email from LinkedIn with instructions on how to reset their passwords," writes Computerworld's Jaikumar Vijayan. "The email will not contain any links that users will need to click on to reset their password, he noted. Affected customers will also receive a note from LinkedIn with more information on what happened and why they are being asked to reset their passwords, Silveira said."

"[LinkedIn has] also stated that passwords that are reset will now be stored in salted hashed format," notes Sophos' Chester Wisniewski. "What is a salt? It is a string that is added to your password before it is cryptographically hashed. What does this accomplish? It means that password lists cannot be pre-computed based on dictionary attacks or similar techniques. This is an important factor in slowing down people trying to brute force passwords. It buys time and unfortunately the hashes published from LinkedIn did not contain a salt."
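The effect Wisniewski describes can be seen in a short added example, which is not code from the article or from LinkedIn. SHA-256 and PBKDF2 are assumed stand-ins, since the article does not name the algorithms involved, and the user names, passwords and word list are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this demo

def unsalted_hash(password):
    # Same password always gives the same digest, for every user and every site.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password, salt=None):
    # A fresh random salt per user is stored next to the digest; it is not secret.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, record):
    # Login check: recompute with the stored salt, compare in constant time.
    salt, expected = record
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)

def table_hits(store, table):
    # Users whose stored value appears in a table computed ahead of time.
    return sorted(user for user, value in store.items() if value in table)

# Constructed sample data, not taken from any real dump.
WORDLIST = ["123456", "password", "letmein"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "S3parate!value"}

PRECOMPUTED = {unsalted_hash(word) for word in WORDLIST}
UNSALTED_STORE = {u: unsalted_hash(p) for u, p in USERS.items()}
SALTED_STORE = {u: salted_record(p) for u, p in USERS.items()}
SALTED_DIGESTS = {u: rec[1].hex() for u, rec in SALTED_STORE.items()}

if __name__ == "__main__":
    print("unsalted, in precomputed table:", table_hits(UNSALTED_STORE, PRECOMPUTED))
    print("salted, in precomputed table:  ", table_hits(SALTED_DIGESTS, PRECOMPUTED))
    print("alice == bob (unsalted):", UNSALTED_STORE["alice"] == UNSALTED_STORE["bob"])
    print("alice == bob (salted):  ", SALTED_DIGESTS["alice"] == SALTED_DIGESTS["bob"])
    print("login still verifies:", verify("letmein", SALTED_STORE["alice"]))
```

Without a salt, one table built in advance matches every account that uses a listed password, and identical passwords are visible as identical stored values; with a per-user salt, neither holds, while normal login verification is unaffected.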

Following the breach, ESET researcher Cameron Camp says the security firm has received several reports of spam e-mails asking recipients to confirm their e-mail addresses. "We are investigating the exact details but in the meantime please DO NOT CLICK on links in email to change or verify account information, at LinkedIn.com or on any other membership site," Camp writes. "Instead, navigate to the site directly by typing in the address bar in your browser."
