All signs indicate that the data leak may be legitimate

Jun 6, 2012 13:20 GMT  ·  By
LinkedIn is analyzing reports according to which 6.5 million password hashes may have been leaked
   LinkedIn is analyzing reports according to which 6.5 million password hashes may have been leaked

A 271-megabyte file containing hashes was published on a Russian forum a couple of days ago. The data allegedly represents encrypted passwords that belong to LinkedIn customers.

According to a Norwegian publication, dangensit.no, a total of 6.5 million LinkedIn password hashes are in the file.

The source cites Per Thorsheim, an expert from IT solutions provider Evry, who reveals that there are some clues which indicate that the data could really come from LinkedIn.

Apparently, the individuals who made them available were seeking aid in decrypting them and they found what they were looking for since their helpers already reported cracking 300,000 of them.

The hashes (unsalted SHA-1) are not so difficult to decrypt, especially if the passwords are not strong.

F-Secure’s CRO Mikko Hypponen has even made public a few decrypted password samples from the leak.

“Some sample passwords from the alleged LinkedIn password leak: nathanlinkedin linkedintrouble hondalinkedin eaglelinkedin springlinkedin,” he wrote on Twitter.

“More sample passwords from the alleged LinkedIn password leak: san!francisco! salasanalinkedin wwwLinkedIn B1uesC1ues T1msux! M4nu3l,” he added.

A Twitter post made by Ange Albertini also reveals that the rumor may be true.

“My linkedin password's SHA1 is in the list, even though it was fully 'randomized' 16 chars, alphanum+symbols. I guess it's real then,” he wrote.

The good news is that the data dump that has been made available only contains the passwords and not the associated usernames. On the downside, if the claims turn out to be accurate, at least one group of cybercriminals (the ones that possess the usernames) may have access to most of the accounts.

LinkedIn representatives have stated that they’re currently looking into the reports.

In the meantime, until LinkedIn confirms or denies the claims, security experts are rushing to advise users to immediately change their passwords and be on the lookout for phishing campaigns that might leverage the incident.

We also advise you to change your passwords on all sites that share the same credentials for one very good reason. In case LinkedIn systems are vulnerable and the cybercriminals can access them, changing the LinkedIn password would be futile since they could easily obtain it again and again until the security hole is patched.

However, if you change the passwords that guard your other accounts, you can at least make sure that those are protected.