LinkedIn users awoke to a nasty surprise today as word spread that hackers breached LinkedIn's servers and leaked passwords for nearly 6.5 million user accounts. LinkedIn didn't acknowledge the hack until midday Wednesday afternoon, when the company finally confirmed that a certain number of member passwords had indeed been compromised.
Who's Behind the Hack?
A user on a public Russian forum is taking credit for the hack, but no one has been able to verify if he or she is really behind this whole mess.
When Did the Hack Take Place?
We don't know when the hack took place, but according to Ars Technica, the hackers posted the data over the course of three days.
What, Exactly, Was Released?
The user posted approximately 6.5 million hashed passwords to the forum, and according to security software firm Sophos, at least 60 percent of those passwords have already been cracked. Thus far no usernames have been released, which could mean either that the hackers didn't manage to download them or that they are keeping the usernames for themselves. Either way, that's a lot of leaked private data.
So Is My Account Compromised?
Yes and no. The passwords were all hashed using SHA-1, so they won't be readable without the right software. Unfortunately, SHA-1 isn't entirely foolproof, so it could only be a matter of time before all 6.5 million passwords are cracked and converted into plaintext. Since we don't know whether or not the hackers have usernames as well, it's best to assume the worst and consider your account hacked.
What's the Worst That Can Happen?
For one thing, hackers would have control of your account and contacts. If you use the same username and password combo on other sites, then there is a risk that those accounts are now compromised as well.
What About LinkedIn Pro Users? Do I Need to Worry About My Credit Card Info?
LinkedIn hasn't said anything about whether any financial information associated with LinkedIn pro accounts was compromised, so we don't yet know for certain. In either case, you should always keep a close eye on your financial statements to make sure that nobody is using your accounts without your authorization.
What Can I Do to Protect Myself?
In a blog post, LinkedIn says that it will email all the users whose accounts were affected by the hack and give them instructions as to what to do next. The company warns that you should not click on any email links asking you to change your password, as that could be someone attempting to steal your information.
If you used the same password or username on other websites (which you really shouldn't do), it might be a good idea to go ahead and change those for good measure. If you need help in building a better password, check out our comprehensive guide on the matter.
For still more tips, see our overview of what to do if you ever become a victim of a data breach. So change your passwords, don't click on any suspicious links, and stay safe out there, folks.
Robert David Graham, CEO of the security consultancy Errata Security, wrote that each letter of a password has 100 possible combinations composed of either upper or lower case, digits or symbols. A five-letter password would have 10 billion possible combinations and could be cracked in five seconds using a top-of-the-line Radeon HD 7970 graphics processor.
A six-letter password would take a little over seven seconds, but a seven-letter password would take 13 hours, Graham wrote. Eight characters pushes the time up to 57 days, with a nine-character password taking up to 15 years.
"In other words, if your password was seven letters, the hacker has already cracked it, but if it's nine letters, it's too difficult to crack with brute force," Graham wrote.
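The arithmetic behind Graham's figures, written out as an added example (not Graham's or LinkedIn's code): it assumes 100 candidate symbols per character position, as stated above, and derives the guess rate from the "five letters in five seconds" figure, i.e. 100^5 / 5 = 2 billion guesses per second. It also shows what the same model predicts when a deliberately slow password hash cuts that rate.

```python
"""Brute-force time model from the figures quoted in the article (added example)."""

SYMBOLS_PER_POSITION = 100        # stated assumption: ~100 possibilities per character
BENCH_LENGTH = 5                  # "five-letter password ... in five seconds"
BENCH_SECONDS = 5.0
# Guess rate implied by the benchmark: 100**5 / 5 s = 2e9 guesses per second.
GUESSES_PER_SECOND = SYMBOLS_PER_POSITION ** BENCH_LENGTH / BENCH_SECONDS

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, symbols=SYMBOLS_PER_POSITION):
    """Number of candidate passwords of exactly `length` characters."""
    return symbols ** length


def seconds_to_exhaust(length, rate=GUESSES_PER_SECOND, symbols=SYMBOLS_PER_POSITION):
    """Worst-case time (seconds) to try every candidate of the given length."""
    return keyspace(length, symbols) / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits, to one decimal place."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(lengths=range(5, 10), rate=GUESSES_PER_SECOND):
    """Map password length -> human-readable exhaustive search time at `rate`."""
    return {n: humanize(seconds_to_exhaust(n, rate)) for n in lengths}


def slow_hash_rate(slowdown_factor, base_rate=GUESSES_PER_SECOND):
    """Guess rate if each hash costs `slowdown_factor` times a fast SHA-1 (a defender's lever)."""
    return base_rate / slowdown_factor


if __name__ == "__main__":
    for n, t in crack_time_table().items():
        print(f"{n} chars: {t}")
    # Hypothetical: a hash 10,000x slower than SHA-1 turns the 7-char case into years.
    print("7 chars, 10^4x slower hash:",
          humanize(seconds_to_exhaust(7, rate=slow_hash_rate(10_000))))
```

The 7-, 8- and 9-character rows reproduce the 13 hours, 57 days and 15 years quoted above; the last line shows that slowing the hash function has the same effect on the attacker's budget as lengthening every user's password.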