Websense: Around 6.4 Million LinkedIn Passwords Reported Stolen
IT News Online Staff
LinkedIn is investigating reports that approximately 6.4 million user passwords have been posted on the Web. While the breach is unconfirmed by LinkedIn, the company said on its Twitter feed that its team is currently looking into reports of stolen passwords.
Websense Security Labs has recommended that LinkedIn users change their passwords immediately to keep them out of the wrong hands.
Websense retrieved the password files being distributed on forums in the .ru TLD space and found that the passwords are hashed. Based on the samples it has seen, however, translating the hashes back into clear text has not been computationally difficult; its initial investigation shows that the password "linkedin" features heavily.
It is uncertain how the hackers obtained the passwords; however, the passwords that users are finding in the hashed files do appear to be real. Websense said it has identified the locations of several such password files and has classified those locations as Hacking.
Websense said the most damaging combination would be a stolen password paired with its corresponding username: with both in hand, an attacker can simply log in to the individual's LinkedIn account.
Once access to a LinkedIn account, or any social network account, is obtained, it could be used to send direct messages to contacts within the network or to auto-post to linked social networks, harming the reputation of the individual or the business they represent.
Now that attackers hold a long list of passwords people actually use, dictionary and brute-force attacks against other accounts become easier, because the cracked list doubles as a wordlist.
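The two points above (hashed passwords that are nonetheless cheap to recover, and a cracked dump that becomes a wordlist for further attacks) are easiest to see in code. The following is an added example written for this article, not code from Websense or LinkedIn. It assumes the leaked file holds bare, unsalted SHA-1 hex digests; the digests, wordlist and PBKDF2 iteration count are constructed for the demo and say nothing about the real dump. It runs a dictionary attack against the unsalted hashes, counts how often each recovered password appears, and then runs the same wordlist against salted, slow-KDF records to show why those resist the attack.

```python
import hashlib
import os
from collections import Counter
from typing import List, Optional, Tuple

# Assumption: the leaked file holds bare, unsalted SHA-1 hex digests, one per line.
# Everything below is constructed sample data, not the real dump.
def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

LEAKED_HASHES: List[str] = [
    sha1_hex("linkedin"),
    sha1_hex("linkedin"),          # second user with the same weak password
    sha1_hex("Password1"),
    sha1_hex("x7#Qm!v92bLp_Rt"),   # strong password; not in any wordlist
]

# Small constructed wordlist. An attacker would also feed the already-cracked
# dump back in as a wordlist, which is the "intelligence" the article refers to.
WORDLIST: List[str] = ["123456", "password", "linkedin", "Password1", "qwerty"]


def dictionary_attack(hashes: List[str], wordlist: List[str]) -> Tuple[List[Optional[str]], int]:
    """Crack unsalted hashes with a precomputed hash -> word table.

    Returns (recovered password or None per input hash, hash computations made).
    The table is built once, so the cost is len(wordlist) no matter how many
    users are attacked: every user who chose 'linkedin' falls at once."""
    table = {sha1_hex(w): w for w in wordlist}
    return [table.get(h) for h in hashes], len(wordlist)


def password_frequency(recovered: List[Optional[str]]) -> Counter:
    """Count how often each recovered cleartext appears in the dump."""
    return Counter(w for w in recovered if w is not None)


# Defensive contrast: a random per-user salt plus a deliberately slow KDF.
ITERATIONS = 20_000  # kept low so the demo runs quickly; production uses far more


def make_record(password: str) -> Tuple[str, str]:
    """Return (salt_hex, pbkdf2_hex). A fresh salt per user means two users
    with the same password get different records, so reuse is not visible."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex(), dk.hex()


def verify_record(password: str, salt_hex: str, dk_hex: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return dk.hex() == dk_hex


def attack_salted(records: List[Tuple[str, str]], wordlist: List[str]) -> Tuple[List[Optional[str]], int]:
    """Same wordlist against salted records. No shared table is possible, so the
    attacker pays one KDF run per (record, word) pair, each ITERATIONS times
    slower than a single SHA-1. Returns (recovered per record, KDF runs made)."""
    recovered: List[Optional[str]] = []
    kdf_runs = 0
    for salt_hex, dk_hex in records:
        hit = None
        for w in wordlist:
            kdf_runs += 1
            if verify_record(w, salt_hex, dk_hex):
                hit = w
                break
        recovered.append(hit)
    return recovered, kdf_runs


if __name__ == "__main__":
    cracked, cost = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"unsalted: {sum(c is not None for c in cracked)}/{len(LEAKED_HASHES)} "
          f"recovered with {cost} hash computations")
    print("most common:", password_frequency(cracked).most_common(1))
    salted = [make_record(p) for p in ("linkedin", "linkedin", "Password1", "x7#Qm!v92bLp_Rt")]
    found, runs = attack_salted(salted, WORDLIST)
    print(f"salted: {sum(f is not None for f in found)}/{len(salted)} "
          f"recovered with {runs} KDF runs")
    print("identical salted records:", len(salted) - len(set(salted)))
```

The unsalted run recovers three of four passwords with five hash computations in total, and the duplicate digests expose the shared "linkedin" even before any cracking. The salted run still recovers the weak passwords (salting does not rescue a password that is in the wordlist), but it has to pay a full KDF run for every record and word, which is what makes cracking a large dump expensive.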
Even if these reports remain unconfirmed, Websense said it is definitely a good time to adopt sound practices around password security to help protect against malicious activity.
Carl Leonard, Senior Security Manager, Websense Security Labs, said, "The alleged hacking of 6.4 million LinkedIn passwords has again highlighted the need for people and organizations to think hard about data loss prevention. Websense Security Labs advises people and organizations to change passwords ASAP and make sure your passwords are different for every site. If immediate action isn't taken you might inadvertently hand over the keys to your professional reputation and invite malicious online activity to your network."
"The compromise of a LinkedIn account has three important ramifications. First, the key concern is the bad actors taking advantage of trust. If you are 'linked' to a trusted colleague you are more likely to click on a malicious link sent from them, which may open the door to targeted attacks and confidential data theft. Second, because many LinkedIn accounts are tied to other social media services, such as Facebook or Twitter, posts with malicious links can also be propagated to a larger audience. And lastly, many of us are creatures of habit and have the same password for multiple accounts. The consequences of a breached password could be extrapolated across email, social media, banking accounts, and mobile phone data," said Leonard.
Websense Security Labs offers the following recommendations:
- Change your password regularly.
- Ensure your password is suitably complex in both content and length: mixing numeric and alphabetic characters is wise, as is mixing upper- and lowercase characters with punctuation marks. Longer passwords are preferable.
- Do not use the same password across multiple services.
- If the website you are connecting to offers HTTPS rather than plain HTTP, use it.