Thursday, June 7, 2012

LinkedIn Leak - What You Need To Know (And Do)

If you've got a LinkedIn account (and most working professionals do), you should probably check this out:

LinkedIn users awoke to a nasty surprise today as word spread that hackers breached LinkedIn's servers and leaked passwords for nearly 6.5 million user accounts. LinkedIn didn't acknowledge the hack until midday Wednesday afternoon, when the company finally confirmed that a certain number of member passwords had indeed been compromised.

Who's Behind the Hack?

A user on a public Russian forum is taking credit for the hack, but no one has been able to verify if he or she is really behind this whole mess.

When Did the Hack Take Place?

We don't know when the hack took place, but according to Ars Technica, the hackers posted the data over the course of three days.

What, Exactly, Was Released?

The user posted approximately 6.5 million hashed passwords to the forum, and according to security software firm Sophos, at least 60 percent of those passwords have already been cracked. Thus far no usernames have been released, which can mean either that the hackers didn't manage to download them or that they are keeping the usernames for themselves. Either way, that's a lot of leaked private data.

So Is My Account Compromised?

Yes and no. The passwords were all hashed using SHA-1 and so they won't be readable without the right software. Unfortunately SHA-1 isn't entirely foolproof so it could only be a matter of time before all 6.5 million passwords are cracked and converted into plaintext. Since we don't know whether or not the hackers have usernames as well, it's best to assume the worst and consider your account hacked.

What's the Worst That Can Happen?

For one thing, hackers would have control of your account and contacts. If you use the same username and password combo on other sites, then there is a risk that those accounts are now compromised as well.

What About LinkedIn Pro Users? Do I Need to Worry About My Credit Card Info?

LinkedIn hasn't said anything about whether any financial information associated with LinkedIn pro accounts was compromised, so we don't yet know for certain. In either case, you should always keep a close eye on your financial statements to make sure that nobody is using your accounts without your authorization.

What Can I Do to Protect Myself?

In a blog post, LinkedIn says that it will email all the users whose accounts were affected by the hack and give them instructions as to what to do next. The company warns that you should not click on any email links asking you to change your password, as that could be someone attempting to steal your information.

If you used the same password or username on other websites (which you really shouldn't do), it might be a good idea to go ahead and change those for good measure. If you need help in building a better password, check out our comprehensive guide on the matter.

For still more tips, see our overview of what to do if you ever become a victim of a data breach. So change your passwords, don't click on any suspicious links, and stay safe out there, folks.

I saw the LeakedIn link earlier but it seemed like it might have been a phishing scam itself, so I didn't try it. However, after doing a bit more research, I was able to confirm the site from two or three different reputable sources, so I'm convinced it should be safe. Also, it just asks you for your password, not the combination of the password and username.

Online security is becoming a bigger deal with each passing year, so this sort of thing is going to become a regular fixture of life, I think. Something critical to keep in mind can be found in a separate article about the breach here:

Robert David Graham, CEO of the security consultancy Errata Security, wrote that each letter of a password has 100 possible combinations composed of either upper or lower case, digits or symbols. A five-letter password would have 10 billion possible combinations and could be cracked in five seconds using a top-of-the-line Radeon HD 7970 graphics processor.

A six-letter password would take a little over seven seconds, but a seven-letter password would take 13 hours, Graham wrote. Eight characters pushes the time up to 57 days, with a nine-character password taking up to 15 years.

"In other words, if your password was seven letters, the hacker has already cracked it, but if it's nine letters, it's too difficult to crack with brute force," Graham wrote.

So, as you create passwords for new logins (or improve your old ones), make sure those passwords have at least nine characters, maybe more. Hackers probably aren't going to labor intensively over the 10% of their stolen database that is well protected; they're going to shoot for the easy-to-crack 90%, sell the data, and move on as quickly as possible.
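Graham's figures above come from simple arithmetic: a keyspace of 100 symbols per position, and a guess rate implied by his "10 billion combinations in five seconds" data point. The script below is an added example (not from the post or from Errata Security) that reproduces that model so you can check the 7-, 8- and 9-character figures yourself and extend the table to longer passwords or a different symbol count; the 95-symbol printable-ASCII alphabet it also supports is my assumption, not Graham's.

```python
# Brute-force time model behind the Graham figures quoted in the post.
# Both constants are taken from the post: ~100 candidate symbols per position,
# and a 5-character space (100**5 = 1e10 guesses) searched in 5 seconds on a
# Radeon HD 7970.  The guess rate is derived from that data point.
ALPHABET_SIZE = 100          # Graham's "100 possible combinations" per letter
PRINTABLE_ASCII = 95         # assumed alternative: every printable ASCII character
_BENCHMARK_LENGTH = 5
_BENCHMARK_SECONDS = 5.0

# Hardware guess rate implied by the benchmark: 1e10 / 5 s = 2e9 guesses/s.
GUESSES_PER_SECOND = ALPHABET_SIZE ** _BENCHMARK_LENGTH / _BENCHMARK_SECONDS


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length


def seconds_to_exhaust(length: int, alphabet: int = ALPHABET_SIZE,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate of the given length at `rate` guesses/s."""
    return keyspace(length, alphabet) / rate


def human_duration(seconds: float) -> str:
    """Express a duration in the largest convenient unit, rounded to one decimal."""
    units = (("years", 365.25 * 86400), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def cracking_table(lengths=range(5, 13), alphabet: int = ALPHABET_SIZE) -> dict:
    """Map password length -> worst-case brute-force time under the model."""
    return {n: human_duration(seconds_to_exhaust(n, alphabet)) for n in lengths}


if __name__ == "__main__":
    for alphabet in (ALPHABET_SIZE, PRINTABLE_ASCII):
        print(f"--- {alphabet} symbols per position, {GUESSES_PER_SECOND:.0e} guesses/s ---")
        for n, t in cracking_table(alphabet=alphabet).items():
            print(f"{n:2d} chars: {t}")
```

Each extra character multiplies the worst-case time by the alphabet size, which is why the jump from eight to nine characters in Graham's table is the one that matters.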

For a really comprehensive way to create solid passwords, go here. If you're not inclined to go to quite that much effort, then at least apply these common sense precautions:
1. use at least 9 characters
2. include at least 1 capital letter and 1 number
3. make sure it's not a word that can be found in the dictionary

A little common sense protection and prevention can prevent a truckload of hassle -- or even genuine damage -- later, so don't put this off if you haven't beefed up your personal security yet.
