FAQ: LinkedIn breach: What members (and others) need to know

Tackling user questions on what is known so far about the stolen LinkedIn data, and what can be done about it

By , Computerworld | Security, LinkedIn, privacy

If your password was compromised, you will not be able to use it to log into your LinkedIn account. LinkedIn has said that it is contacting users whose passwords have been compromised with instructions on how to reset them. The company has made clear that the email with reset instructions will NOT contain any links. If you have not received an email yet, or if you can still access your account using your old password, it means either that your password was not compromised, or that LinkedIn does not know it yet.

What measures had LinkedIn taken to protect member passwords? Embarrassingly little, or so it appears so far, researchers say.

The breached passwords were all masked using a basic hashing algorithm known as SHA-1. Though SHA-1 offers a degree of protection against password cracking attempts, the algorithm is by no means foolproof. Numerous password cracking tools, and tables that contain pre-computed hashes for billions of passwords, are easily available. Almost anyone can use these tables to look up almost any unsalted SHA-1 hash and recover the plaintext password in a matter of minutes. That explains why nearly all of the hashed passwords have been cracked already.

What could LinkedIn have done to protect the passwords better? Security experts say the company should have used a method known as "salting" to make its hashed passwords a lot harder to crack. In the salting process, a string of random characters (the salt) is appended to a plaintext password before it is hashed, so a table of pre-computed hashes is useless unless it was built for that particular salt. A salted hash is considered to be orders of magnitude harder to crack than a plain SHA-1 hash. Salting is considered today to be a basic security practice for protecting passwords.
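To make the difference concrete, here is an added Python example (not from the article) that builds a small pre-computed SHA-1 table from a constructed candidate list, recovers unsalted hashes with one lookup each, and shows the same table failing against per-record salts. The candidate list, the "leaked" passwords and the 16-byte salt length are all constructed assumptions for the demonstration.

```python
import hashlib
import secrets

# Constructed sample "dictionary": it stands in for the billion-entry
# pre-computed tables the article describes (not real leaked data).
CANDIDATES = ["123456", "password", "linkedin", "qwerty", "letmein", "Summer2012"]

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def build_lookup_table(candidates):
    """Hash -> plaintext map, computed once and reusable against any unsalted leak."""
    return {sha1_hex(p.encode()): p for p in candidates}

def crack_unsalted(leaked_hashes, table):
    """Each unsalted hash that is in the table is recovered by one dictionary lookup."""
    return {h: table[h] for h in leaked_hashes if h in table}

def store_salted(password: str, salt_len: int = 16):
    """Per-record random salt, stored next to the digest; not secret, only unique."""
    salt = secrets.token_bytes(salt_len)
    return salt, sha1_hex(salt + password.encode())

def verify_salted(password: str, salt: bytes, digest: str) -> bool:
    return sha1_hex(salt + password.encode()) == digest

def crack_salted_with_table(records, table):
    """The shared table never matches: each salt would need its own table."""
    return {d: table[d] for _salt, d in records if d in table}

def table_work(n_records, candidates):
    """Hashes needed to test every candidate: unsalted once for all, salted once per record."""
    return len(candidates), len(candidates) * n_records

def demo():
    table = build_lookup_table(CANDIDATES)
    users = ["123456", "linkedin", "Summer2012"]  # constructed weak passwords
    unsalted_leak = [sha1_hex(p.encode()) for p in users]
    salted_leak = [store_salted(p) for p in users]
    work_unsalted, work_salted = table_work(len(users), CANDIDATES)
    return {
        "unsalted_recovered": len(crack_unsalted(unsalted_leak, table)),
        "salted_recovered": len(crack_salted_with_table(salted_leak, table)),
        "work_unsalted": work_unsalted,
        "work_salted": work_salted,
    }

if __name__ == "__main__":
    print(demo())
```

Salting defeats the shared table but does not slow down a guess made against a single record, since SHA-1 itself is fast; a deliberately slow password hash such as bcrypt or PBKDF2 is the further step the article does not cover.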

How can users be sure that more data was not accessed? That information must come from LinkedIn. It's possible that only password data was stolen. It's equally possible that the intruders gained access to email addresses as well.

Similarly, it's possible that a lot more than 6.5 million passwords were compromised. LinkedIn has over 100 million members. It's possible that the hackers released the 6.5 million passwords to show they have the goods to anyone interested in purchasing the purloined data from them. LinkedIn can be a goldmine for identity thieves and phishers.


Originally published on Computerworld.