Many reports have come out today that over 6.5 million LinkedIn accounts have been compromised. If you happen to have a LinkedIn account, it would be a good idea to change your password as soon as possible to avoid the possibility of identity theft.
If you use the same password on other services, we suggest changing it on those as well. LinkedIn’s settings can be a bit confusing, so here’s what to do:
1. Go to linkedin.com.
2. Click on your name in the top right corner and select Settings.
3. Click Change next to Password.
4. Enter your current password and create a new one.
6.5 million LinkedIn passwords reportedly stolen, posted online
If you haven’t changed your LinkedIn password in the past few months, now would be a very good time to do so
Details are murky, but Norwegian computer site DagensIT.no reports that 6.5 million LinkedIn passwords were recently posted to a Russian hacker site. Quoting Norwegian consultant Per Thorsheim, the site says, “Those who posted [the passwords] wanted help to crack the codes. … Unfortunately, they are in a format that makes it relatively easy to break them.”
It’s important to realize that the reports state only the hashed passwords were posted. Email addresses (LinkedIn uses email addresses as log-on IDs) and other information were not posted.
The passwords were hashed with unsalted SHA-1. That means it’s easy to verify whether a particular password is on the list: put your password through the SHA-1 algorithm and check whether the result is one of the 6.5 million hashes. But there’s no known way to go from a hashed password back to the original; SHA-1 is a one-way function, not reversible encryption.
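The implication, though, is that a big dictionary coupled with some inspired guessing can turn up many of the passwords: because the hashes are unsalted, each guess needs to be hashed only once and can then be compared against the entire list.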
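The local check described above, as an added example that is not part of the original article, alongside a salted alternative to show what "unsalted" costs. The function names and SAMPLE_LEAK are hypothetical and constructed for illustration; PBKDF2 is a contrast chosen here, not a scheme the article mentions.

```python
import hashlib
import hmac
import os


def unsalted_sha1(password: str) -> str:
    """Hex SHA-1 of the password alone, the scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def in_leaked_list(password: str, leaked_hashes) -> bool:
    """Check locally whether a password's SHA-1 appears in an iterable of
    hex hashes (for example, an open file with one hash per line)."""
    wanted = unsalted_sha1(password)
    return any(line.strip().lower() == wanted for line in leaked_hashes)


def salted_record(password: str, iterations: int = 200_000) -> tuple:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (contrast scheme)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return salt, iterations, digest


def verify_salted(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate, digest)


# Constructed sample standing in for the posted file: one hex hash per line.
SAMPLE_LEAK = [unsalted_sha1(p) + "\n" for p in ("password", "letmein", "linkedin2012")]

if __name__ == "__main__":
    # Unsalted: anyone holding the list can confirm a password offline.
    print("on list:", in_leaked_list("password", SAMPLE_LEAK))
    # Unsalted: two users with the same password share one hash.
    print("same hash:", unsalted_sha1("letmein") == unsalted_sha1("letmein"))
    # Salted: the same password yields unrelated records per user.
    a, b = salted_record("letmein"), salted_record("letmein")
    print("salted digests differ:", a[2] != b[2], "verifies:", verify_salted("letmein", a))
```

Run the check only on a machine you control and against a local copy of the list; never paste a live password into a third-party "have I been leaked" form.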
While the ancillary details — particularly email addresses — aren’t posted, there’s no way to tell at this point if the password purloiners also have that information. That’s likely to be the reason why they were seeking information on cracking the passwords.
Peter Kruse confirms on Twitter that he changed his LinkedIn password “7 or 8 months ago,” and the hashed password on the list matched his old password. That’s an indication — but not proof-positive — that the leaked list is many months old.
Now would be a very good time to change your LinkedIn password.
And if you reused that password on any other accounts — especially financial accounts or email accounts — you had better get those changed, too.