
6.5M LinkedIn Passwords Posted Online After Apparent Hack

The breach is so serious that security professionals are advising people to change their LinkedIn passwords immediately.

Security professionals suspect that the business-focused social network LinkedIn has suffered a major breach of its password database.

Recently, a file containing 6.5 million unique hashed passwords appeared in an online forum based in Russia. More than 200,000 of these passwords have reportedly been cracked so far. The file only contains passwords hashed using the SHA-1 algorithm and does not include user names or any other data, security researchers say. However, the breach is so serious that security professionals are advising people to change their LinkedIn passwords immediately.

See also: How to change a LinkedIn password

It's unknown at this point how the file ended up on a public forum or exactly which site the passwords originate from; however, signs indicate this is indeed a breach of LinkedIn. Many of the cracked passwords that have been published to the forum contain the term “LinkedIn”, Per Thorsheim, a security advisor based in Norway, told PCWorld, while terms such as Facebook, Twitter and the names of other common online networks are almost nonexistent. Thorsheim was one of the first security researchers to discover the leaked password file.

One common way people create passwords for different websites is to add the name of the site into the passphrase, says Thorsheim. So some people may use the password “1234Facebook” for the world's largest social network, and then “1234LinkedIn” for LinkedIn and so on. With so many occurrences of the term LinkedIn, Thorsheim says, it seems likely these are in fact LinkedIn passwords.

Thorsheim also said he and at least 12 other sources he trusts within the security community have found hashes of their own LinkedIn passwords in the file.

After hearing Thorsheim's story and using a copy of the leaked password file, I also found the hash for my own LinkedIn password after running my passphrase through an SHA-1 hash generator. However, doing the same operation for the LinkedIn passwords of two other PCWorld writers yielded no results.

What's a Hash?

An SHA-1 hash is the output of an algorithm that converts your password into a fixed-length string of numbers and letters. If your password is “LinkedIn1234,” for example, the SHA-1 hex output should always be “abf26a4849e5d97882fcdce5757ae6028281192a.” That is problematic: because the same password always produces the same hash, anyone who knows the passwords were hashed with SHA-1 can hash common guesses and quickly uncover the more basic passwords that people use. Often, random bits, known as a salt, are added to each password before it is hashed, so that the same password yields a different hash for every user and precomputed lists of hashes are useless. But that does not appear to be the case with these leaked passwords.
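The following is an added example, not code from the article or from LinkedIn. It shows the three things the passage describes: hashing a password with unsalted SHA-1 the way the leaked file was built, the "is my own hash in the file?" check that Thorsheim and the author performed, and why unsalted hashes fall to simple guessing. It then shows the salted, iterated alternative a site should store instead (PBKDF2-HMAC-SHA256 is assumed here as the hardened scheme; the article only says the leaked hashes were unsalted). The sample passwords and the stand-in for the leaked file are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample: a few plaintext passwords of the kind the article
# describes, used only to build a stand-in for the leaked hash file.
SAMPLE_PASSWORDS = ["LinkedIn1234", "1234LinkedIn", "password", "correct horse"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the hardened scheme


def sha1_hex(password):
    """Unsalted SHA-1 hex digest: the scheme the leaked file used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked file: a set of 40-character hex digests.
LEAKED_HASHES = {sha1_hex(p) for p in SAMPLE_PASSWORDS}


def password_in_leak(password, leaked):
    """The check described in the article: hash your own password and
    see whether that hash appears in the leaked set."""
    return sha1_hex(password) in leaked


def recover_weak_passwords(leaked, guesses):
    """Why unsalted SHA-1 is a problem: one hash per guess is enough to
    identify every leaked hash that equals a common password."""
    return {sha1_hex(g): g for g in guesses if sha1_hex(g) in leaked}


def salted_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hardened form: a random per-user salt plus an iterated hash.
    Returns (salt, digest); both are stored, neither is secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=PBKDF2_ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("unsalted SHA-1 of 'LinkedIn1234':", sha1_hex("LinkedIn1234"))
    print("in leak?", password_in_leak("LinkedIn1234", LEAKED_HASHES))
    print("recovered:", recover_weak_passwords(LEAKED_HASHES, ["password", "letmein"]))
    # Same password, two users: identical unsalted hashes, different salted ones.
    s1, d1 = salted_hash("LinkedIn1234")
    s2, d2 = salted_hash("LinkedIn1234")
    print("salted digests differ:", d1 != d2, "verify ok:", verify_salted("LinkedIn1234", s1, d1))
```

The unsalted functions are deterministic, which is exactly what makes the membership check possible for a user and the guess matching possible for anyone holding the file; the salted pair breaks that symmetry by forcing one fresh computation per user per guess.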

What's also troubling security researchers is that the password database contains entirely unique passwords. It's unclear whether the people who leaked the password file have more passwords that have not surfaced online. The file may, for example, be an attempt to crowd source the hacking of some of the more difficult passwords. It's also unknown if the suspected attackers have user names or other data tying these passwords to actual users.

If you are a LinkedIn user, security professionals are advising you to change your password immediately as a precaution. Since 6.5 million unsalted hashes have been exposed, it does not matter how long or difficult to guess your password is, Thorsheim says. Anyone whose password has been exposed is at risk. You can change your LinkedIn password by following this link and clicking the “change” link next to “Password” just below your profile photo.

This has been a tough week for LinkedIn and security. The Next Web recently reported that an opt-in calendar feature in LinkedIn's Android and iOS mobile apps was sending user data back to LinkedIn servers as plain text. LinkedIn responded by saying it sends all data back to its servers via an encrypted connection and never saves any user data.

LinkedIn has yet to respond to PCWorld's request for comment. But a Twitter account called LinkedIn News says the company is looking into reports of stolen passwords.

The business-focused social network had 161 million users worldwide as of March 31.

Connect with Ian Paul (@ianpaul) on Twitter and Google+, and with Today@PCWorld on Twitter for the latest tech news and analysis.
