Earlier today, security researchers began warning LinkedIn users that LinkedIn password hashes (a one-way transform of the password, not an encrypted copy that can simply be decrypted) had been posted on a hacking forum in Russia. The poster was asking for help cracking the hashes so that they could be turned back into usable passwords; hashes usually cannot be used as-is to log into a site. At the moment, LinkedIn says that "it is investigating" the matter, but has not confirmed a breach. (Update 6/7: LinkedIn has confirmed it.)
Additionally, it appears that LinkedIn did not "salt" its password hashes. Salting means adding a random string, different for every user, to the password before hashing it. Without a salt, two users who chose the same password end up with the same hash, so an attacker can crack all of them with a single guess and can use precomputed tables of common passwords' hashes. With a per-user salt, every hash has to be attacked separately and precomputed tables are useless.
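To make the difference concrete, here is a small added example (not code from the original post and not LinkedIn's own scheme). It assumes SHA-1 as the hash function purely for illustration, uses a constructed four-user database and a constructed five-word dictionary, and compares how much work a dictionary attack costs against unsalted versus salted hashes:

```python
import hashlib
import os

# Constructed sample accounts (hypothetical, not real breach data).
USERS = {
    "alice@example.com": "linkedin123",
    "bob@example.com": "linkedin123",   # same password as alice
    "carol@example.com": "Summer2012",
    "dave@example.com": "correcthorse",
}

# Constructed attacker wordlist.
WORDLIST = ["password", "123456", "linkedin123", "Summer2012", "letmein"]


def hash_unsalted(password: str) -> str:
    """Weak scheme: plain SHA-1 (assumed for illustration). Same password -> same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Per-user random salt is prepended before hashing."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_unsalted_db(users: dict) -> dict:
    """email -> hex hash, no salt stored."""
    return {email: hash_unsalted(pw) for email, pw in users.items()}


def build_salted_db(users: dict, salt_len: int = 16) -> dict:
    """email -> (hex salt, hex hash); salt is random per user and stored beside the hash."""
    db = {}
    for email, pw in users.items():
        salt = os.urandom(salt_len)
        db[email] = (salt.hex(), hash_salted(pw, salt))
    return db


def duplicate_hash_groups(db: dict) -> list:
    """Users sharing an identical unsalted hash: they share a password."""
    by_hash = {}
    for email, h in db.items():
        by_hash.setdefault(h, []).append(email)
    return [sorted(emails) for emails in by_hash.values() if len(emails) > 1]


def crack_unsalted(db: dict, wordlist: list):
    """One hash per candidate word cracks every user with that password.
    Returns (cracked mapping, number of hash computations)."""
    table = {hash_unsalted(w): w for w in wordlist}  # can be precomputed once, reused forever
    found = {email: table[h] for email, h in db.items() if h in table}
    return found, len(wordlist)


def crack_salted(db: dict, wordlist: list):
    """The salt forces a fresh pass over the wordlist for every user.
    Returns (cracked mapping, number of hash computations)."""
    found = {}
    work = 0
    for email, (salt_hex, h) in db.items():
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            work += 1
            if hash_salted(w, salt) == h:
                found[email] = w
                break
    return found, work


if __name__ == "__main__":
    unsalted = build_unsalted_db(USERS)
    salted = build_salted_db(USERS)
    print("shared unsalted hashes:", duplicate_hash_groups(unsalted))
    print("unsalted crack:", crack_unsalted(unsalted, WORDLIST))
    print("salted crack:  ", crack_salted(salted, WORDLIST))
```

Both attacks still recover the three dictionary passwords: a salt does not rescue a weak password, it only stops one guess from cracking many accounts at once and makes precomputed tables worthless, so the cost grows with the number of users (15 hashes instead of 5 here). Pairing the salt with a deliberately slow hash such as bcrypt or PBKDF2 is what makes each of those guesses expensive.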
Finally, if the attackers were able to reach the hashed passwords, they may also have obtained your email address and other account details that can later be used for scams, fake password-reset emails and the like. We may never know the full extent of the breach, so if you use LinkedIn it is safer to change your password as soon as possible. Then watch out for suspicious emails that appear to come from LinkedIn.
If you use the same password on other sites, bear in mind that changing it on LinkedIn alone will not protect those sites: it needs to be changed everywhere. The same holds if you're an eHarmony customer, since they were hacked too. Good luck. [Dagensit (Norwegian) via Informationweek]