Heads-Up for LinkedIn Users

If you have a LinkedIn account, stop what you’re doing and change your LinkedIn password immediately. I’m not kidding–just do it. Once you’re logged in, click on your name near the upper-right corner, click Settings from the menu, click the Account tab near the lower-left corner, and click Change password.

Now that you’ve changed your LinkedIn password, think about all of the other web sites where you have accounts–did you use the same (now-probably-hacked) password on any of those? If so, go change those, too (and don’t use the same password this time). If you use the same credentials across multiple sites, all an attacker needs is to crack one of them, and then (in principle) they own any other account with the same username and password.

Done? Great! So here’s what’s going on:

The social networking website LinkedIn is investigating claims that more than 6 million passwords were stolen and uploaded to a Russian-language web forum today.

That was yesterday, June 6. To be clear, it was actually cryptographic hashes of the passwords that were stolen–not the plain-text passwords themselves–but LinkedIn was using an insecure technique to generate the hashes (unsalted SHA-1). I won’t write here about why that’s so easy to crack–Steve Gibson had a good discussion about this in his Security Now! podcast, episode 356 (the transcript is not up on that page yet as of this writing, but he should have it posted soon). For some good guidance on choosing passwords that are resistant to the kind of attacks (“rainbow tables“) that are effective against unsalted hashing schemes, see Steve’s Password Haystacks page.

By Jeff Garretson

Husband, father. Data Engineer. Explorer of Powerful Ideas. Faith and Reason integrated.