Password Breaches at LinkedIn, eHarmony

LinkedIn user IDs not compromised in leak of nearly 6.5 million hashed password records (most of them since cracked to plain text).

Hackers recently attacked two popular Web sites -- LinkedIn and eHarmony -- and published user password information, software security researchers said.

A file from LinkedIn containing nearly 6.5 million hashed user passwords for the professional social networking site was posted on a Russian hacker message board earlier this week. Researchers at Sophos indicated that just hours later, 60 percent of the passwords had already been cracked and were presented in a plain text document online late yesterday evening.

The published password list did not contain user names, but as a precaution, LinkedIn is denying access to affected accounts. The company notified users and suggested they immediately change their passwords. Vicente Silveira, director at LinkedIn, said that the company has already taken steps to avoid a similar situation in the future. 

"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," wrote Silveira, in a blog post.

It remained unclear why LinkedIn's recent security enhancements, as noted by Silveira, didn't prevent the breach, which Rapid7 security expert Marcus Carey told Computerworld could have happened sometime in the last week. Carey added that, based on evidence he had gathered, the hackers responsible for the breach may still have access to LinkedIn's database.

News also surfaced late yesterday evening that an undisclosed number of passwords for the online dating site eHarmony had been leaked. The company discovered the problem after checking its own databases following the LinkedIn breach.

"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected. We are continuing to investigate but would like to provide the following actions we are taking to protect our members," the company stated, in an announcement on its Web site.

The announcement indicated that eHarmony had taken steps similar to LinkedIn's and had reset the passwords of affected members.

What makes hacks of social networking sites so alarming is the amount of personal information users store on them, said ESET security researcher Cameron Camp.

"The difference with this hack, as opposed to many others, is that people put their real information about themselves -- their professional information -- on the site, not just what party they plan on attending, or which games they are playing, which you might see on other networks like Facebook," wrote Camp, in a blog post.

Because of the constant interaction on social networking sites, users tend to be much more honest and in-depth when sharing information than in other online activities. This honesty makes databases like LinkedIn's and eHarmony's a goldmine of usable information, Camp said.

Although not all users of eHarmony and LinkedIn are affected, members of the two sites would be well advised to change their passwords immediately.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
