June 06, 2012, 12:11 PM — If you are or have ever been a member of LinkedIn, go to the site right now and change your password.
Norwegian IT site Dagens IT has reported that someone posted 6.5 million hashed LinkedIn passwords to a Russian hacker forum.
LinkedIn Tweeted that it has not confirmed the breach, but is continuing to investigate.
Security researcher Per Thorsheim confirmed at least some of the passwords are real, as have a number of other alarmed users via Twitter.
The story was picked up by TheNextWeb and BusinessInsider, whose story on the breach is posted as one of the top stories of the day on user login pages. BusinessInsider also includes a story on how to change your LinkedIn password, as does ComputerworldUK.
The posted file holds SHA-1 hashes of the passwords, not the passwords themselves. SHA-1 is a 160-bit cryptographic hash, not encryption, so there is nothing to "decrypt": a cracker hashes guesses (dictionary words, common passwords, brute-force strings) and looks for matching digests. SHA-1 is fast, which makes that cheap, and LinkedIn stored the hashes without a "salt", a random per-user value mixed into each password before hashing. Without a salt, every hash in the file can be checked against a single precomputed table of guesses (a rainbow table) in one pass, and every user who picked the same password shares the same hash, so cracking one cracks all of them. A salt does not make any one password harder to guess; what it does is defeat precomputed tables and force the attacker to start the work over for every user. Combining the salt with a deliberately slow password hash such as bcrypt, scrypt or PBKDF2 is what makes each guess expensive. Because LinkedIn salted nothing, all 6.5 million hashes (the real number has not been confirmed) can be cracked in bulk, and many already have been by anyone who has searched Twitter enough to find links to the right files.
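The following added example (written for this article, not code from LinkedIn or from the researchers mentioned above) shows why the difference matters. It uses a constructed wordlist and a constructed three-user "leak" of unsalted SHA-1 hashes, cracks them with one precomputed table, and then stores the same passwords with a random per-user salt and PBKDF2 to show that identical passwords no longer share a hash and that the attacker must redo the hashing per user. The user names, passwords and wordlist are all invented for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist; a real cracking dictionary has millions of entries.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein", "Tr0ub4dor&3"]

# Constructed "leak": unsalted SHA-1 hex digests, the way LinkedIn stored them.
# Note that alice and bob chose the same password and therefore share a hash.
LEAKED_UNSALTED = {
    "alice": hashlib.sha1(b"linkedin").hexdigest(),
    "bob": hashlib.sha1(b"linkedin").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}


def build_lookup_table(words):
    """Precompute digest -> plaintext once; this is the idea behind a rainbow table."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in words}


def crack_unsalted(leak, words):
    """Crack every hash with one table built once.

    Returns (results, work): the work is len(words) SHA-1 computations no matter
    how many hashes are in the leak, because nothing ties a hash to a user.
    """
    table = build_lookup_table(words)
    results = {user: table.get(digest) for user, digest in leak.items()}
    return results, len(words)


def hash_salted(password, salt, iterations):
    """Slow, salted password hash (PBKDF2-HMAC-SHA1 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


def make_salted_store(creds, iterations):
    """Store each password with its own random 128-bit salt."""
    store = {}
    for user, password in creds.items():
        salt = secrets.token_bytes(16)
        store[user] = (salt, hash_salted(password, salt, iterations))
    return store


def crack_salted(store, words, iterations):
    """Crack a salted store: no precomputed table helps, every user costs len(words).

    Returns (results, work) where work counts PBKDF2 evaluations performed.
    """
    results, work = {}, 0
    for user, (salt, digest) in store.items():
        results[user] = None
        for w in words:
            work += 1
            if hmac.compare_digest(hash_salted(w, salt, iterations), digest):
                results[user] = w
                break
    return results, work


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print("unsalted SHA-1:", found, "hash operations:", work)

    store = make_salted_store({"alice": "linkedin", "bob": "linkedin"}, 100_000)
    print("same password, different digests:", store["alice"][1] != store["bob"][1])
    found, work = crack_salted(store, WORDLIST, 100_000)
    print("salted PBKDF2:", found, "slow hash operations:", work)
```

The unsalted run cracks alice and bob together with a table built once for the whole leak, and the digest for carol stays unknown only because her passphrase is not in the list. In the salted store the same two passwords produce different digests, so the attacker must run the expensive hash separately for each user and each guess; raising the iteration count raises that cost linearly for the attacker while a legitimate login pays it only once.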
Don't let one password failure turn into a chain reaction
While it's possible to see the breach of a social networking site as "bonus networking," as one Tweet put it (and funnier that way), previous breaches at Hotmail, Twitter and other services demonstrate that most people use the same password for many sites.
If that's you, leaving your LinkedIn password in circulation and doing nothing about it could get your accounts on any number of other sites compromised as well; change it on every site where you reused it, not just on LinkedIn.