Change your LinkedIn password right now
6.5 million usernames and passwords become crowdsourced decrypting exercise
If you are or have ever been a member of LinkedIn, go to the site right now and change your password.
Norwegian IT site Dagens IT has reported that someone posted 6.5 million LinkedIn usernames and passwords to a Russian hacker site.
LinkedIn Tweeted that it has not confirmed the breach, but is continuing to investigate.
Security researcher Per Thorsheim confirmed at least some of the passwords are real, as have a number of other alarmed users via Twitter.
The story was picked up by TheNextWeb and BusinessInsider, whose story on the breach is posted as one of the top stories of the day on user login pages. BusinessInsider also includes a story on how to change your LinkedIn password, as does ComputerworldUK.
The passwords are encrypted using the 160-bit Secure Hash Algorithm (SHA-1), which is relatively secure, but only if the hashes are "salted" with random bits that add characters to the hash, making it long enough to be impractical to crack using dictionary or brute-force attacks because they would take too long. Even using rainbow tables is slow if the salt is 128 bits. LinkedIn didn't add any salt, so all 6.5 million(ish, the real number hasn't been confirmed) are in danger of being cracked pretty quickly. Many have been or are in the process of being decrypted by anyone who has searched Twitter enough to find likes to the correct files.
Don't let one password failure turn into a chain reaction
While it's possible to see the breach of a social networking site as "bonus networking," as one Tweet put it (and funnier that way), previous breaches at HotMail, Twitter and other services demonstrate that most people use the same password for many sites.
If that's you, having your LinkedIn password posted and not doing anything about it could get you hacked on any number of other sites as well.
Do yourself a favor: Go change your password on LinkedIn, then check to see how many other sites you use that password in.
You can always recover them if something in your password vault gets fubared, but you'll never get back the money or data you lose if someone is able to roll up all your password-protected accounts using one compromised password from LinkedIn.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.