LinkedIn Logins Stolen, Change Your Password Now
If you use the networking site LinkedIn, change your password immediately. A hacker stole the details for 6.5 million logins and made them available online. In a statement, LinkedIn acknowledged the problem, and outlined how it would notify affected customers as part of its ongoing investigation into what happened. The plain text of passwords wasn’t revealed, but many people remain at risk, especially those who used the LinkedIn password on other sites. Lex Friedman at Macworld offers more details about the situation, plus an unrelated problem with the LinkedIn iOS app scraping private data from calendar events.
You can check whether your password was pilfered by using FictiveKin’s LeakedIn.org, which will convert your plain-text password into the cryptographically scrambled form used in LinkedIn’s database and compare it against the leaked password list. However, we don’t recommend that you type in your plain-text password on another site! Instead, launch Terminal on your Mac, and type in the following command to convert your password into the format needed (the -n option keeps echo from appending a newline, which would change the result):
echo -n 'plain-text password' | openssl sha1
Now enter the resulting text, which will look something like 217e0428f0a8f78abe5066ae4f84a4a83a36b375, at LeakedIn.org to see if your password was leaked. (Depending on your version of OpenSSL, the output may be prefixed with something like “(stdin)= ”; copy only the 40-character string of letters and digits.)
(As an aside, you can also use this site to check whether LinkedIn users have used any particular password — one you’ve used in the past, perhaps — and if it has been compromised. That might give you a real-world sense of how secure certain passwords are.)
LinkedIn appears to have stored passwords only in a protected form, unlike so many previous login hijacks in which we discovered firms leave our critical data in plain-text form. But that doesn’t mean you’re not at risk. LinkedIn “hashes” the password, as we at TidBITS and most sites do, which creates a sort of cryptographic fingerprint (the “hash”). Such hashes aren’t reversible — knowing the hash doesn’t get you the password — but they can be used in brute-force attacks. An attacker can work through a list of common passwords and random short entries, hash each one, and compare the results against the hash list to see which match. If your password was 12345678 or password, your number is up.
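The local check described above, and the reason an unsalted, fast hash like SHA-1 falls so quickly to a wordlist, as an added Python example (this is not TidBITS’s or LinkedIn’s code; the “leaked” hash set and the common-password list are constructed here from passwords chosen for illustration, sha1_hex reproduces the Terminal command above, and the PBKDF2 functions show the salted, slow hashing that mitigates the problem):

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed stand-in for a leaked hash list: the unsalted SHA-1 digests of
# three passwords chosen for this example. A real leak is a file of millions.
LEAKED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "12345678", "Tr0ub4dor&3")
}

# Constructed wordlist standing in for an attacker's list of common guesses.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """Same transformation as `echo -n 'password' | openssl sha1`:
    unsalted SHA-1 of the bytes, hex encoded, no trailing newline."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def password_in_leak(password: str, leaked: set) -> bool:
    """Check a password against the leak locally: only the hash is compared,
    and the plain text never leaves this machine."""
    return sha1_hex(password) in leaked


def dictionary_attack(leaked: set, wordlist: list) -> dict:
    """Why unsalted fast hashes are weak: one SHA-1 per guess recovers every
    account that chose that guess. Returns {hash: recovered_password}."""
    found = {}
    for guess in wordlist:
        h = sha1_hex(guess)
        if h in leaked:
            found[h] = guess
    return found


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 100_000):
    """Mitigation: a random per-user salt plus a deliberately slow derivation,
    so each guess must be recomputed per account and precomputed tables fail."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, stored alongside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = pbkdf2_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("SHA-1 of 'password':", sha1_hex("password"))
    print("'password' in leak:", password_in_leak("password", LEAKED_HASHES))
    print("recovered by wordlist:", dictionary_attack(LEAKED_HASHES, COMMON_PASSWORDS))
    salt, digest = pbkdf2_hash("password")
    print("PBKDF2 verify:", pbkdf2_verify("password", salt, digest))
```

Running it shows that two of the three constructed “leaked” hashes are recovered by a five-word guess list, while the third (not on the list) survives; the PBKDF2 section shows the same password producing a different digest each time it is hashed with a fresh salt, which is what prevents one guess from being checked against every account at once.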
To set a new password, log in to LinkedIn, click your name in the upper-right corner of the page, choose Settings from the menu that appears, click the Account tab in the lower-left of the page, and then click Change Password. We always recommend setting a strong password that’s a mix of letters and numbers (and punctuation if the site supports it), and using a password storage tool such as 1Password, Password Wallet (TidBITS members save 25 percent on either of those), or the free LastPass so you don’t have to remember or store passwords in an insecure manner.
Equally important is to change your passwords for any other sites that you may have set up with the same login, because that information is now being shared by malevolent people who use it to try to access other sites’ accounts. I set up a LinkedIn account years ago and rarely use the site, so it’s likely that I re-used the same password somewhere else at the time — a big no-no. For every site that requires a login, you should have a unique password. I generate secure passwords and track them all using 1Password and recommend you do the same.
It's puzzling, and disturbing, that there is no mention of this issue on the LinkedIn site. At least, not from LinkedIn itself.
Yeah I'm surprised they haven't just changed everyone's password already and made us log in via a special e-mail link to change it or something.
I'm curious though, neither my nor my better half's passwords were stolen (I used the tip above to paste in a hashed version). I'm a bit surprised. How many of their users is 6.5 million, anyway?
Ah never mind, the blog post sez our passwords would've been reset and we couldn't log in if they were among the affected ones. I changed mine anyway, but still, that's good to know--no need to use that other site to check, it sounds like...?
I've got over 500 items in my keychain. Now, I'll have to go through them all to see which ones were the same as LinkedIn and change them. That's going to be fun.
I did finally get 1Password, sync to my Dropbox account, and use different passwords for all of my sites. However, some of those passwords are shared with my wife and I have to let her know if they were changed.
The Krebs on Security website indicates that LinkedIn will be sending emails to let folks know:
http://krebsonsecurity.com/2012/06/if-you-use-linkedin-change-your-password/