LinkedIn, eHarmony User Passwords Compromised
Hackers recently raided the LinkedIn and eHarmony Web sites and published user password information, software security researchers said this week.
A file containing 6,458,020 hashed user passwords for the professional social networking site LinkedIn was released on a Russian hacker message board earlier this week. Researchers at Sophos indicated that, by yesterday afternoon, 60 percent of the passwords had already been cracked and were presented in a plain text document online late yesterday evening.
The published password lists did not contain user names. However, LinkedIn announced that it has denied access to the affected accounts. The company sent e-mails prompting users to immediately change their passwords. Vicente Silveira, director at LinkedIn, said that the company has already taken steps to avoid a similar situation in the future.
"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," wrote Silveira, in a blog post.
It remained unclear why LinkedIn's recent security enhancements, as noted by Silveira, were unable to stop the breach, which Rapid7 security expert Marcus Carey told Computerworld could have happened sometime in the last week. Carey added that, based on evidence he had gathered, the hackers responsible for the breach may still have access to LinkedIn's database.
News also surfaced late yesterday evening that an undisclosed number of passwords for the online dating site eHarmony had been leaked. The company discovered this security problem after checking its own databases following the LinkedIn leak.
"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected. We are continuing to investigate but would like to provide the following actions we are taking to protect our members," the company stated, in an announcement on its Web site.
The announcement indicated that eHarmony had taken steps similar to LinkedIn's and had reset the affected members' passwords.
What makes hacks of social networking sites so alarming is the amount of personal information users store on them, said ESET security researcher Cameron Camp.
"The difference with this hack, as opposed to many others, is that people put their real information about themselves -- their professional information -- on the site, not just what party they plan on attending, or which games they are playing, which you might see on other networks like Facebook," wrote Camp, in a blog post.
Because of the constant interaction on social networking sites, users tend to be much more honest and in-depth when sharing information, compared with other online activities. This honesty makes databases like those of LinkedIn and eHarmony a goldmine of usable information, Camp said.
While not all users of eHarmony and LinkedIn are affected, it's a good idea for all members to change their passwords immediately.