BreachExchange mailing list archives

Millions of LinkedIn passwords reportedly leaked online


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Wed, 6 Jun 2012 14:00:11 -0400

http://news.cnet.com/8301-1009_3-57448079-83/millions-of-linkedin-passwords-reportedly-leaked-online/

A hacker says he's posted 6.5 million LinkedIn passwords on the Web --
hot on the heels of security researchers' warnings about privacy
issues with LinkedIn's iOS app.

LinkedIn users could be facing yet another security problem.

A user in a Russian forum says that he has hacked and uploaded almost
6.5 million LinkedIn passwords, according to The Verge. Though his
claim has yet to be confirmed, Twitter users are already reporting
that they've found their hashed LinkedIn passwords on the list,
security expert Per Thorsheim said.

LinkedIn revealed through its own tweet that it's looking into reports
of stolen passwords, and it advised users to stay tuned for more
information.

Many of the passwords already recovered from the hashes contain the word
"linkedin," which The Verge believes lends credibility to the reports.

LinkedIn passwords are stored as SHA-1 hashes, not encrypted: a hash
cannot be reversed, so attackers instead guess candidate passwords, hash
each one and compare. SHA-1 is fast and, according to the reports, the
leaked hashes are unsalted, so a single pass over a wordlist can be
checked against every account at once. Long, unpredictable passwords will
likely hold out for some time, but simple ones are at immediate risk.

Sophos security expert Graham Cluley is advising LinkedIn users to
change their passwords as soon as possible, at least as a precaution.
If the report is true, then hackers are undoubtedly working hard to
crack the unsalted hashes.
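The cracking scenario described above, as an added illustration that is not part of the CNET article or the mailing list post: a tiny mock "leak" of unsalted SHA-1 digests is built from constructed sample passwords (not entries from the real list), a small mangling-rule wordlist is run against it, and the same wordlist is then run against a per-user salted store so the cost difference is visible. The sample passwords, wordlist rules and counters are all assumptions made for the example.

```python
import hashlib
import os

# Constructed sample plaintexts used only to build the mock leak below.
# The last one is a long random string that no wordlist will contain.
SAMPLE_PASSWORDS = ["linkedin2012", "Linkedin1", "password", "ilovelinkedin",
                    "Wk7#pq9!vZr2&mL0xB"]


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 hex digest: the storage format the reports describe."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_leak() -> set:
    """Mock leaked list: only digests, as an attacker would receive them."""
    return {sha1_hex(p) for p in SAMPLE_PASSWORDS}


def candidate_passwords(base_words=("linkedin", "password", "welcome", "letmein")):
    """Small mangling-rule generator (assumed rules): case variants, two-digit
    suffixes, years 1990-2012 and a few prefixes. Real crackers use far more."""
    suffixes = [""] + [str(n) for n in range(100)] + \
               [str(y) for y in range(1990, 2013)] + ["!", "1!", "123"]
    seen = set()
    for word in base_words:
        for variant in (word, word.capitalize(), word.upper()):
            for prefix in ("", "ilove", "my"):
                for suffix in suffixes:
                    guess = prefix + variant + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack_unsalted(leaked: set, candidates):
    """One SHA-1 per guess, checked against every leaked hash at once.
    Returns (digest -> plaintext, number of hash computations)."""
    cracked, work = {}, 0
    for guess in candidates:
        work += 1
        digest = sha1_hex(guess)
        if digest in leaked:
            cracked[digest] = guess
    return cracked, work


def salted_hash(salt: bytes, text: str) -> str:
    """Per-user salt prepended before hashing (SHA-1 kept for comparison)."""
    return hashlib.sha1(salt + text.encode("utf-8")).hexdigest()


def build_salted_store():
    """Same sample passwords, each stored with its own random 16-byte salt."""
    store = []
    for pw in SAMPLE_PASSWORDS:
        salt = os.urandom(16)
        store.append((salt, salted_hash(salt, pw)))
    return store


def crack_salted(store, candidates):
    """With a salt per record the wordlist must be re-hashed for every user;
    precomputed tables and cross-account matching no longer help."""
    candidates = list(candidates)
    cracked, work = {}, 0
    for salt, digest in store:
        for guess in candidates:
            work += 1
            if salted_hash(salt, guess) == digest:
                cracked[digest] = guess
                break
    return cracked, work


if __name__ == "__main__":
    found, work = crack_unsalted(build_leak(), candidate_passwords())
    print(f"unsalted: {len(found)} of {len(SAMPLE_PASSWORDS)} cracked "
          f"with {work} hash computations -> {sorted(found.values())}")
    found_s, work_s = crack_salted(build_salted_store(), candidate_passwords())
    print(f"salted:   {len(found_s)} of {len(SAMPLE_PASSWORDS)} cracked "
          f"with {work_s} hash computations")
```

The same four weak passwords fall in both runs; the salt does not protect a guessable password, it only removes the "crack everyone with one pass" economy, which is why the practical advice in the article (change the password, choose one that is not a wordlist entry plus a suffix) stands regardless of how the site stores it. A slow, salted construction such as `hashlib.pbkdf2_hmac` would additionally raise the per-guess cost.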

"Although the data which has been released so far does not include
associated email addresses, it is reasonable to assume that such
information may be in the hands of the criminals," Cluley added.

The report of the leaked passwords comes hard on the heels of word
from security researchers that LinkedIn's iOS app is collecting
information from calendar entries -- including passwords -- and
transmitting it back to the company's servers without users'
knowledge.

In response to concerns over this collection of data, LinkedIn
yesterday tried to explain how and why it captures this information.

The company acknowledged that it picks up information from the
Calendar app on your iOS device to try to sync any appointments listed
with fellow LinkedIn users. The feature is opt-in, so users of the
LinkedIn iOS app can turn off the ability to "Add Calendar" in the
Settings screen.

The details sent to LinkedIn's server include the e-mail addresses of
the people you meet with, the meeting subject, the location, and any
meeting notes. The calendar data is sent securely using SSL encryption
and isn't shared or stored, LinkedIn added.

But in a concession to concerned users, the company has promised two
tweaks to the feature. It will no longer pick up meeting notes from
your calendar. And it will add a "learn more" link to explain how your
calendar data is being used.

LinkedIn did not address the question of whether passwords are being
collected along with the meeting information.

To change your LinkedIn password, log onto your account. Click on your
name in the upper right corner and then click on the link for
Settings. In the Settings section, click on the Change link next to
Password. You'll be prompted to enter your old password and then create
a new one. Aim to pick a complex password that's not easy to guess. Then
click on the Change Password button.

CNET contacted LinkedIn for further details and will update the story
when we get more information.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
