
LinkedIn confirms password leak, eHarmony has one, too 


With lawmakers in Washington D.C. expressing concern, LinkedIn confirmed Wednesday afternoon via its blog that user passwords had been compromised. The business networking site, however, did not address whether the number of passwords stolen equaled the more than 6.5 million reported earlier in the day. Meanwhile, 1.5 million passwords belonging to users of online dating site eHarmony may also have been stolen, perhaps by the same hacker who attacked LinkedIn.  

Ars Technica had a security expert crack some of the passwords, and he drew the link between the two hacks.

"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," said eHarmony on a blog Wednesday. "We are continuing to investigate but would like to provide the following actions we are taking to protect our members." Those actions include resetting "affected" members' passwords, and offering tips on how to create a more secure password.

Both LinkedIn and security experts advised Wednesday that LinkedIn users change their passwords as soon as possible. 

LinkedIn director Vicente Silveira wrote:

We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:

- Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
- These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.
- These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

Earlier in the day, security firm Sophos reported that the files posted on a Russian hacker site do contain LinkedIn passwords. "A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them," wrote Graham Cluley, Sophos senior technology consultant. "Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals."
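Why "unsalted" matters in Cluley's description: with plain SHA-1 and no salt, every member who chose the same password ends up with the same stored hash, so one hash cracked opens every such account, and a table of hashes for common passwords computed once can be matched against the entire file. The following is an added illustration, not code from the article or from LinkedIn; the sample accounts are constructed, and the salted PBKDF2 scheme shown beside the unsalted one is a standard mitigation, not a description of what LinkedIn deployed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample accounts (not data from the breach): two members who
# happened to pick the same password, which is common in any large user base.
SAMPLE_USERS: Dict[str, str] = {
    "member-a@example.com": "linkedin2012",
    "member-b@example.com": "linkedin2012",
    "member-c@example.com": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """Hash the way the article says the leaked file was built: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def distinct_unsalted_hashes(users: Dict[str, str]) -> int:
    """Number of distinct hashes an unsalted store holds for these users.

    Repeated passwords collapse to one hash, so the count is smaller than the
    number of users whenever two members share a password.
    """
    return len({unsalted_sha1(pw) for pw in users.values()})


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Mitigation: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    Returns (salt, digest). Both are stored; the salt is not secret, but it
    makes every record unique and defeats precomputed hash tables.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def distinct_salted_hashes(users: Dict[str, str]) -> int:
    """Same users, salted store: every record differs even when passwords repeat."""
    return len({salted_hash(pw)[1] for pw in users.values()})


if __name__ == "__main__":
    print("unsalted SHA-1 distinct hashes:", distinct_unsalted_hashes(SAMPLE_USERS))
    print("salted PBKDF2 distinct hashes: ", distinct_salted_hashes(SAMPLE_USERS))
    salt, digest = salted_hash("linkedin2012")
    print("verify correct password:", verify_salted("linkedin2012", salt, digest))
    print("verify wrong password:  ", verify_salted("linkedin2013", salt, digest))
```

Running it shows two distinct hashes for three users under the unsalted scheme (the shared password collapses into one) and three under the salted scheme. The iteration count is a tunable cost; the point of the slow KDF is that each guess against each account must be recomputed from scratch rather than looked up.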

All LinkedIn members should take precautionary measures and change their passwords immediately, Cluley advised, and provided the following instructions:

1. Log into LinkedIn.
2. You should see your name in the top right hand corner of the webpage. Click on it, and you will open a drop-down menu. Choose "Settings".
3. Choose the option to change your password.
4. After entering your old password, you will have to enter your new (hopefully unique and hard-to-crack) password twice.

If you access LinkedIn via your Facebook account, take the extra precaution of changing your Facebook password as well. Further, if your LinkedIn password is the same one you use for any other accounts, change those as well -- hackers will often try out a password on several accounts, since so many people are in the (bad) habit of using just one. 

Both Sen. Patrick Leahy, D-Vt., and Rep. Mary Bono Mack, R-Calif., cited the incident as evidence that Congress should pass data-security legislation, The Hill reports, noting that both lawmakers have sponsored data-security bills in the past.

In a statement provided to The Hill, Sen. Patrick Leahy said, "Reports of another major data breach should give pause to American consumers who, now more than ever, share sensitive personal information in their online transactions and networking."  

"Nothing threatens e-commerce more than a lack of consumer confidence, and today a lot of people are becoming very antsy about providing their personal information online," Rep. Bono Mack said in a statement.

News of the possible LinkedIn password leak comes less than 24 hours after mobile security researchers revealed that the LinkedIn mobile app is able to access subscriber meeting notes.

"The app doesn't only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes," writes Skycure Security researcher Adi Sharabani on the company's blog. "If you have decided to opt in to this calendar feature in iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every time you open your LinkedIn app."

In a blog post responding to the mobile app flap, LinkedIn mobile product head Joff Redfern emphasizes that user information used to sync the calendar app "is sent securely over SSL and we never share or store your calendar information" and that LinkedIn does not "under any circumstances access your calendar data unless you have explicitly opted in to sync your calendar."

In response to the Skycure Security findings, Redfern added that LinkedIn "will improve" the following:

These improvements are live on Android now and have been submitted to the Apple store and will be available shortly.

- There will be a new "learn more" link to provide more information about how your calendar data is being used.
- We will no longer send data from the meeting notes section of your calendar event.

Helen A.S. Popkin goes blah blah blah about Internet privacy, then asks you to join her Twitter and/or Facebook. Also, Google+. Because that's how she rolls.