LinkedIn confirmed Wednesday its security was breached, with experts estimating that more than 6 million passwords from LinkedIn’s 160 million users were affected. That’s based on files posted on a Russian hacker forum asking for help cracking the password encryption.
Also hit: the dating site eHarmony, which suffered a loss of some 1.5 million passwords. (The same user, "dwdm," appears to have uploaded both the eHarmony and LinkedIn passwords in several batches, beginning Sunday.)
Degree of Damage
More than 60 percent of the LinkedIn passwords hackers accessed already have been cracked, according to security firm Sophos. It's very likely the remaining passwords have also been figured out, security researcher Chester Wisniewski wrote in a blog post.
LinkedIn has sent e-mails to everyone whose passwords were compromised, but you may want to change yours regardless. To change your password, log in to your LinkedIn account and click "Settings" from the drop-down menu that appears when you hover over your name, located on the top right of your screen. Click on the Change Password option (it will be just beneath your picture and e-mail address). Provide your old password, choose a new one and then click Change Password.
Rob Rachwald, director of security strategy at data security company Imperva, said he suspects many more than the reported 6.5 million LinkedIn accounts have been compromised. That's because the uploaded list of passwords released is missing "easy" passwords such as 123456, he wrote in a blog post. "Most likely, the hacker has figured out the easy passwords and needs help with less common ones, so the hacker published only the more complicated ones."
Another sign that more passwords have been compromised: the list contains only unique passwords. "In other words, the list doesn't reveal how many times a password was used by the consumers," Rachwald wrote, noting that in one recent hacking, the company learned that 20 percent of all users chose one of just 5,000 passwords.
Both LinkedIn and eHarmony—plus plenty of other companies that weren't involved—used the incident to remind users about password security.
How to Keep Safe
Experts say you make it very, very easy for hackers if you log in to LinkedIn with a Google or Yahoo account, and if you use the same password for all those sites.
Matt Cutts, the head of Google's webspam team, warned Twitter followers of the security issues of sticking to one password for multiple sites. "Use the same password on LinkedIn & Gmail?" he tweeted. "I'd change both immediately."
He also suggested followers turn on two-factor authentication on Gmail, a.k.a. two-step verification. In addition to your username and password, you also enter a code that Google sends you via text or voice message when you sign in.
Has your company suffered a password security breach? How did you alert customers?
Photo credit: liquidlibrary/Thinkstock