Alert: LinkedIn Passwords Compromised
June 6, 2012
Background
On June 6, 2012, LinkedIn Security professionals suspected that the business-focused social network LinkedIn had suffered a major breach of its password database. A file containing 6.5 million unique hashed passwords appeared in an online forum based in Russia. More than 200,000 of these passwords have reportedly been cracked so far.
Impact
There is a risk that confidential information could be stolen. LinkedIn members who use the same password for other websites are also at risk of having other personal data stolen, including bank details.
Local Observations
The file only contains passwords hashed using the SHA-1 algorithm and does not include user names or any other data, security researchers say. However, the breach is so serious that security professionals advise people to change their LinkedIn passwords immediately.
It's unknown how the file ended up on a public forum or exactly which site the passwords originate from; however, signs indicate that this is indeed a breach of LinkedIn. Many of the cracked passwords that have been published to the forum have the common term “LinkedIn” in them.
It is also unclear whether the people who leaked the password file have more passwords that have not surfaced online. The file may, for example, be an attempt to crowdsource the hacking of some of the more difficult passwords. It's also unknown if the suspected attackers have user names or other data tying these passwords to actual users.
UISO Recommendations
Because so many faculty, staff, and students of Loyola University Chicago use the LinkedIn social media site, we thought that it would be important to alert you to the situation. If you maintain a LinkedIn account, it is strongly suggested that you log in and change your password as soon as possible. To change your LinkedIn password, follow these steps:
- Log in to LinkedIn
- Click on your name in the upper right corner and then click on the link for Settings
- Click on the "Change" link next to Password
- You will be prompted to enter your old password and create a new one. Here are some tips for secure password creation:
  - Use at least 8 characters...the longer the better!
  - Use at least 3 of the 4 character types, including lower-case alpha (abc), upper-case alpha (ABC), numbers (123), or special (%+>~)
  - Do not use words that can be found in a dictionary
  - Do not include your personal information, user ID, or the name of the website
- Click on the Change Password button.
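The password tips above can be expressed as a simple checker. This is an added example, not part of the original alert: the function names, the small word list and the sample passwords are constructed for illustration, and a real check would load a full dictionary file.

```python
import string

# Constructed stand-in word list (assumption); use a full dictionary in practice.
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "summer"}


def char_classes(pw):
    """Return which of the four character types from the tips appear in pw."""
    found = set()
    for ch in pw:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        elif ch in string.punctuation:
            found.add("special")
    return found


def check_password(pw, site="", personal=(), words=SAMPLE_WORDS):
    """Return the list of tips the password violates (empty list means it passes)."""
    problems = []
    lowered = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(char_classes(pw)) < 3:
        problems.append("fewer than 3 of the 4 character types")
    # Dictionary words are matched case-insensitively anywhere in the password.
    hits = sorted(w for w in words if w in lowered)
    if hits:
        problems.append("contains dictionary word: " + ", ".join(hits))
    # Personal information, user ID and the website name, also case-insensitive.
    for item in (site, *personal):
        if len(item) >= 3 and item.lower() in lowered:
            problems.append("contains personal info or site name: " + item)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; "jdoe" is a hypothetical user ID.
    for candidate in ("LinkedIn2012", "summer12", "tR7#vq!Zx2mK"):
        result = check_password(candidate, site="LinkedIn", personal=("jdoe",))
        print(candidate, "->", result or "passes all four tips")
```

Note that `LinkedIn2012` satisfies the length and character-type tips and is rejected only because it contains the name of the website.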
We highly recommend that you also change your password for any other website accounts that use the same e-mail address and password combination. In the aftermath of this incident, please also be wary of phishing attacks and spam that may aim to collect your username and password or install malware on your computer. Do not give your password to anyone and do not click on suspicious links in e-mail messages.