June 7, 2012
LinkedIn And eHarmony Passwords Leaked
Michael Harper for redOrbit.com
The online community was reminded yesterday of the importance of securing their passwords as Russian hackers began sharing data packets containing some 6.5 million LinkedIn passwords.
Some reports are claiming the same hackers are behind both breaches.
Online security and privacy are quickly becoming very important issues as attacks and breaches such as these occur with greater frequency. A senior researcher for security firm Cloudmark told Reuters that any hackers with eHarmony and LinkedIn credentials could potentially do some great damage.
“When somebody has the keys to your business and personal kingdom, that gives them all sorts of powerful information,” she said. “They might be able to use it for years.”
The passwords for both sites began to be dumped on the internet earlier this week on hacker forums dedicated to password cracking. The passwords had been stored as hashes produced by the unsalted SHA-1 function; without a salt, such hashes are far easier to crack, because a single hashed guess can be checked against every entry in the list at once. Ars Technica has reported that the list almost certainly belongs to LinkedIn, as several readers and security experts have said the passwords on it appear to be unique to the professional networking site.
"It's pretty obvious that whoever the bad guy was cracked the easy ones and then posted these, saying, 'These are the ones I can't crack,'" said Rick Redman of Kore Logic Security. Since the passwords have been compromised, LinkedIn has said it will notify affected users and put extra security measures in place, such as salting its password database.
So far, it seems the eHarmony leaks are coming from a smaller, second data file that was leaked on the same site as the LinkedIn data. This smaller list is said to contain nearly 1.5 million MD5 hashes and so far appears to be specific to eHarmony, containing such dictionary words as “harmony” or “eharmony.”
According to Ars Technica, once these files were distributed on the Russian hacker forums, password crackers were able to recover millions of passwords in a matter of hours. While the leaked lists do not contain login names or email addresses, security officials are warning that all passwords should be changed, especially if the same passwords are used elsewhere on the internet.
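The article's point about unsalted SHA-1 (and the unsalted MD5 in the eHarmony list) is worth seeing in code. The following is an added example, not code from the article, LinkedIn or eHarmony, and it uses a constructed handful of made-up users, passwords and a tiny wordlist rather than anything from the real dumps. It shows why an unsalted fast hash falls to a single precomputed wordlist regardless of how many accounts there are, why two users with the same password are exposed together, and what the "salting" fix LinkedIn announced looks like in practice: a random per-user salt plus a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 is chosen here as an illustration; a site would pick its own parameters), together with an upgrade-on-login routine that migrates old records without forcing every user through a reset at once.

```python
import hashlib
import hmac
import os

# Constructed sample users and passwords (made up for this example; not from any real dump).
SAMPLE_USERS = {
    "alice": "linkedin2012",
    "bob": "harmony",
    "carol": "Tr0ub4dor&3",
    "dave": "harmony",
}

# Constructed stand-in for the cracking wordlists the article describes.
WORDLIST = ["password", "123456", "harmony", "eharmony", "linkedin", "linkedin2012"]


def unsalted_sha1(password):
    """The weak scheme: one fast, unsalted SHA-1 per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_unsalted_db(users):
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def dictionary_lookup(hash_db, wordlist):
    """Why unsalted hashes fall so quickly: the wordlist is hashed ONCE and every
    record is then matched by table lookup, so the work does not grow with the
    number of accounts, and users sharing a password share a hash."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[h] for user, h in hash_db.items() if h in table}


def salted_hash(password, salt=None, iterations=100_000):
    """The hardened scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256,
    an illustrative choice). Stored as salt$iterations$digest so the work factor can
    be raised later without invalidating existing records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_salted(password, stored):
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification timing does not leak digest bytes.
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_salted_db(users):
    return {user: salted_hash(pw) for user, pw in users.items()}


def migrate_on_login(user, password, old_db, new_db):
    """Upgrade path for a site that stored unsalted hashes: on a successful login
    against the old record, write a salted record and delete the old one. Returns
    True on a successful login under either scheme."""
    if user in new_db:
        return verify_salted(password, new_db[user])
    if user not in old_db or not hmac.compare_digest(old_db[user], unsalted_sha1(password)):
        return False
    new_db[user] = salted_hash(password)
    del old_db[user]
    return True


def demo():
    """Run the comparison on the constructed data and return the observations."""
    weak = build_unsalted_db(SAMPLE_USERS)
    strong = build_salted_db(SAMPLE_USERS)
    old, new = build_unsalted_db(SAMPLE_USERS), {}
    return {
        "shared_password_shared_hash": weak["bob"] == weak["dave"],
        "recovered_from_wordlist": dictionary_lookup(weak, WORDLIST),
        "shared_password_distinct_salted_records": strong["bob"] != strong["dave"],
        "precomputed_table_vs_salted": dictionary_lookup(strong, WORDLIST),
        "salted_verify_ok": verify_salted("harmony", strong["bob"]),
        "salted_verify_wrong": verify_salted("Harmony", strong["bob"]),
        "migrated_on_login": migrate_on_login("bob", "harmony", old, new),
        "old_record_removed": "bob" not in old and "bob" in new,
        "login_after_migration": migrate_on_login("bob", "harmony", old, new),
        "bad_login_after_migration": migrate_on_login("bob", "nope", old, new),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

With a per-user salt the precomputed table is useless (every guess has to be recomputed for each user, with that user's salt and iteration count), and the slow KDF turns "millions in hours" into a far more expensive exercise; the migration routine is how a site gets there without a flag day, though after a breach a forced reset is still the right call because the old hashes are already public.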
However, LinkedIn users should continue to monitor their account, lest their new passwords become compromised as well.
“While LinkedIn is investigating the breach, the attackers may still have access to the system,” said Boston security researcher Marcus Carey, according to Reuters. “If the attackers are still entrenched in the network, then users who have already changed their passwords may have to do so a second time.”
For tips on how to change your password and pick a secure password, watch this video tutorial from Sophos.