
LinkedIn: 6 million passwords stolen from the social network

5 July 2017

A file containing more than 6 million encrypted LinkedIn account passwords has leaked on the Internet. The social network has acknowledged an intrusion on its servers, without giving precise figures. But hackers are already exploiting this data by sending phishing emails.

LinkedIn has confirmed that it was indeed the victim of an intrusion on its servers during which encrypted user account passwords were stolen. Earlier yesterday, a file containing nearly 6.5 million LinkedIn passwords had been posted on a Russian hacker site.

Several security vendors, including Sophos, indicated that this file did contain passwords belonging to members of the professional social network. Although the file did not contain the email addresses associated with these passwords, specialists believe it is quite likely that the hackers have them. Sophos then revealed that 60% of the passwords had reportedly already been cracked because they were not "salted". Password salting is a technique that adds a string of random characters at encryption time to thwart dictionary or brute-force attacks.

The security vendor Sophos analyzed the incident and explains on its site how to change the password of a LinkedIn account. © Sophos

In its latest blog post, LinkedIn does not give a precise figure for the number of victims, but it gives assurance that the passwords of compromised user accounts have been reset and that the hash-and-salt technique is now applied.
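To make the salting point above and the "hash and salt" fix concrete, here is an added example (not code from the article, Sophos or LinkedIn) that stores the same passwords both ways and checks which accounts a single precomputed dictionary table exposes. The article does not name the algorithms involved, so SHA-256 for the unsalted case, PBKDF2-HMAC-SHA256 for the salted case, the iteration count, the accounts and the wordlist are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two sharing the same weak password.
USERS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "T7#qv!x92Lm"}
WORDLIST = ["password", "123456", "linkedin123", "letmein"]  # constructed dictionary
ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def unsalted_hash(password: str) -> str:
    """Fast hash with no salt: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes = b"") -> tuple:
    """Per-user random salt plus a slow KDF; returns (salt, derived_key)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], key)


def exposed_by_lookup(digests: dict) -> list:
    """Accounts whose unsalted digest appears in one precomputed table."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    return sorted(u for u, d in digests.items() if d in table)


def audit() -> dict:
    """Store every sample password both ways and compare the exposure."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    return {
        "exposed_unsalted": exposed_by_lookup(unsalted),
        "same_digest_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_digest_salted": salted["alice"][1] == salted["bob"][1],
        "login_ok": verify("linkedin123", *salted["alice"]),
        "login_bad": verify("wrong", *salted["alice"]),
    }


if __name__ == "__main__":
    print(audit())
```

With per-user salts, the two accounts that share a password no longer share a stored value, so one precomputed table cannot expose both at once; a weak password can still be guessed per account, which is why the slow key-derivation function matters as well.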

LinkedIn: phishing attack in progress

The problem: hackers are already exploiting this breach to send phishing messages to members of the social network. Victims receive a fake LinkedIn email asking them to click on a link to confirm their email address. But the link in question leads them straight to sites selling pharmaceutical products such as Viagra.

The technique can also be used to spread malware. The hackers acted quickly to take advantage of the media attention caused by the announcement of this security breach and to play on the confusion. LinkedIn specifies that it does send an e-mail to members whose passwords have been stolen, but that this e-mail contains no link. It is only once the user has followed those first instructions that he receives a second message containing a link to reset his password.

Futura-Sciences questioned LinkedIn France to try to find out how many French members could be affected. On the pretext that this information is handled by the firm's management in the United States, we were redirected to the company's official Twitter account. LinkedIn claims 150 million members (February 2012), of which more than 3 million are in France (November 2011). When in doubt, and as a precaution, we recommend that holders of an account on this social network change their password and, above all, not use the same one for different services.

 

source http://www.futura-sciences.com

 

 

 
