LinkedIn has confirmed that some of the password hashes that were posted online do match users of its service.
They have also stated that passwords that are reset will now be stored in salted hashed format. A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them.
Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals.
What is a salt? It is a string that is added to your password before it is cryptographically hashed. What does this accomplish? It means that an attacker cannot pre-compute a lookup table of hashes from a dictionary (or similar technique) once and then reuse it against every stolen hash, because each salted password hashes to a different value.
This is an important factor in slowing down anyone trying to brute force passwords. It buys time; unfortunately, the hashes published from LinkedIn did not contain a salt.
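As an added illustration (not code from the original post or from LinkedIn), the snippet below contrasts the unsalted SHA-1 scheme the leaked hashes used with per-user salted storage. The wordlist and the three-entry "dump" are constructed for the demo, and the choice of PBKDF2-HMAC-SHA256 with 100,000 iterations as the salted scheme is an assumption; the post only says the new storage will be salted.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a cracking dictionary; it includes a
# few of the weak passwords the post reports finding in the dump.
WORDLIST = ["password", "linkedin", "p455w0rd", "redsox", "sophos", "mypc123"]


def sha1_unsalted(password: str) -> str:
    """The scheme behind the leaked hashes: bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precompute_table(words):
    """Lookup table computed once; with no salt it works against every hash."""
    return {sha1_unsalted(w): w for w in words}


def match_unsalted(hashes, table):
    """Return {hash: plaintext} for every dump entry already in the table."""
    return {h: table[h] for h in hashes if h in table}


def salted_hash(password: str, salt: bytes = None, iterations: int = 100_000):
    """Per-user random salt plus a slow KDF (assumed scheme, see lead-in)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes, iterations: int = 100_000):
    """Constant-time comparison so verification does not leak timing information."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    # Constructed dump: unsalted SHA-1 of three users' passwords, one of them strong.
    dump = [sha1_unsalted(p) for p in ("linkedin", "redsox", "correct horse battery")]
    matched = match_unsalted(dump, precompute_table(WORDLIST))
    # Same weak password stored salted: two users get different salts and digests,
    # so a table built from the wordlist tells the attacker nothing.
    salt_a, digest_a = salted_hash("linkedin")
    salt_b, digest_b = salted_hash("linkedin")
    return matched, salt_a != salt_b, digest_a != digest_b


if __name__ == "__main__":
    print(demo())
```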
After removing duplicate hashes, SophosLabs has determined there are 5.8 million unique password hashes in the dump, of which 3.5 million have already been brute forced. That means over 60% of the stolen hashes are now publicly known.
We also did some additional testing of commonly used passwords that should never be used. We started with the list of passwords that the Conficker worm used to spread through Windows networks. All but two of the Conficker passwords were used by someone in the 6.5 million user password dump. The two passwords that weren't found were 'mypc123' and 'ihavenopass'.
Other passwords that we found in the dump include 'linkedin', 'linkedinpassword', 'p455w0rd' and 'redsox'. We even found passwords that suggest people should know better like 'sophos', 'mcafee', 'symantec', 'kaspersky', 'microsoft' and 'f-secure'.
It is critical that LinkedIn investigate this to determine if email addresses and other information were also taken by the thieves, which could put the victims at additional risk from this attack.
It would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step. Of course, make sure that the password you use is unique (in other words, not used on any other websites), and hard to crack.
If you were using the same passwords on other websites, make sure to change them too. And never again use the same password on multiple websites.
How to change your LinkedIn password?
1. Log into LinkedIn.
2. You should see your name in the top right hand corner of the webpage. Click on it, and you will open a drop-down menu. Choose "Settings".
3. Choose the option to change your password.
4. After entering your old password, you will have to enter your new (hopefully unique and hard-to-crack) password twice.
Don't delay. Do it now. And if there are any more updates from LinkedIn we will let you know.
Update: LinkedIn has now confirmed that users' passwords have been exposed.