A Russian web user claims to have hacked LinkedIn, uploading 6,458,020 hashed passwords (without user names) as proof.
The slight glimmer of hope is that the passwords were hashed with SHA-1, a
cryptographic hash function used in SSL and TLS and generally considered
relatively secure, though not foolproof.
Unfortunately, it seems the passwords were stored as "unsalted hashes",
which makes them much easier to recover using pre-computed lookup data:
because no per-user salt was mixed in, one table of hashed guesses matches
against every entry in the list. Simply put, a malicious attacker could
likely crack the majority of the passwords in a relatively short time.
A few news outlets have raised the possibility that the password
collection is not genuine, but several credible sources on Twitter and
across the web add weight to the story (in one article I read, the author
had found his own password on the list).
A Finnish security firm (Cert-Fi) has posted a warning about the
incident, stating that it is "likely" that whoever hacked LinkedIn
also possesses the accompanying user names.
We searched the released passwords for our own password (having hashed
it first), and thankfully we are not on there! The released passwords
account for only about 5% of users, so chances are you are not
affected, but if you want to be sure and you are a LinkedIn user, we
strongly recommend you change your password right now.
Furthermore, if you used that password on any other online service, we recommend you change those passwords as well!
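As an added illustration (not code from the original post) of both the self-check described above and why unsalted hashes are so exposed to pre-computed lookups, the script below builds a constructed three-entry "leak" and a constructed guess list, then shows the same lookup table succeeding against unsalted SHA-1 and failing once a per-user salt is added. SAMPLE_PASSWORDS, WORDLIST and the 16-byte salt length are assumptions for the demo.

```python
import hashlib
import os


def sha1_hex(data):
    """Hex SHA-1 digest, the unsalted scheme the leaked list reportedly used."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample "leak": three weak passwords stored exactly as the post
# describes (plain SHA-1, no salt, no user names). Not real LinkedIn data.
SAMPLE_PASSWORDS = ["password", "linkedin", "123456"]
LEAKED_UNSALTED = {sha1_hex(p.encode()) for p in SAMPLE_PASSWORDS}

# Constructed guess list standing in for the "pre-computed data" in the post.
WORDLIST = ["letmein", "password", "qwerty", "linkedin", "123456", "welcome"]


def hash_appears_in_leak(password, leak):
    """The self-check the post describes: hash your own password, look it up."""
    return sha1_hex(password.encode()) in leak


def precompute_table(wordlist):
    """Hash every guess once; with unsalted storage this table serves all users."""
    return {sha1_hex(w.encode()): w for w in wordlist}


def lookup_unsalted(leak, table):
    """Each leaked hash is recovered by a single dictionary lookup, no rehashing."""
    return {h: table[h] for h in leak if h in table}


def salted_records(passwords):
    """How the same passwords look with a random 16-byte salt per user (assumed)."""
    records = []
    for p in passwords:
        salt = os.urandom(16)
        records.append((salt, sha1_hex(salt + p.encode())))
    return records


def lookup_salted(records, table):
    """The pre-computed table matches nothing: the salt changed every digest."""
    return {h: table[h] for _, h in records if h in table}
```

The defensive takeaway is the zero-hit result for the salted records: the salt does not keep the hash secret, but it forces a fresh guess-by-guess effort for every single user instead of one shared table.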