LinkedIn is investigating reports that approximately 6.4 million user passwords have been posted on the Web. While the breach is still unconfirmed by LinkedIn (as of the time that we wrote this blog), they have acknowledged on their Twitter feed that their investigations have begun.
If you're a LinkedIn user, Websense® Security Labs™ recommends that you change your password immediately to help prevent your password from falling into the wrong hands.
After retrieving the password files that are being distributed on forums in the .ru TLD space, it appears that the passwords are hashed. However, based on samples seen by us, it has not been computationally difficult to translate them into clear text. Our initial investigations reveal that a password of "linkedin" features heavily.
It is uncertain how the hackers retrieved the stolen passwords; however, the passwords that users are finding in the hashed files do appear to be real. We have identified the locations of several such password files and have classified those locations as Hacking.
So you may be asking how this list of stolen passwords can be used by a hacker?
The most potentially damaging combination would be using the corresponding username in conjunction with the stolen password. With this combination, you can imagine how a hacker may access an individual's LinkedIn account.
Once access to LinkedIn is obtained, or any social network for that matter, it could be possible to send direct messages to contacts within the network or to potentially auto-post on related social networks, thus harming the reputation of the individual or the business they may represent.
Now that hackers have a long list of potential passwords used, brute force attacks could become easier to conduct as a result of having this intelligence.
Even if these reports remain unconfirmed, it is definitely a good time to adopt sound practices around password security to help protect against malicious activity.
We in the Security Labs would like to offer the following recommendations:
- Change your password regularly.
- Ensure your password is suitably complex both in content and length; using a combination of numeric and alphabetic characters is a wise idea, as is mixing upper and lowercase characters with punctuation marks. Longer passwords are preferable.
- Do not use the same password across multiple services.
- If the website you are connecting to has the option of using the HTTPS protocol, as opposed to HTTP, make use of that.