LONDON - Business social network LinkedIn said Wednesday that some of its users' passwords have been stolen and leaked onto the Internet.

LinkedIn Corp. did not say how many of the more than six million passwords that were distributed online corresponded to LinkedIn accounts. In a blog post Wednesday, the company said it was continuing to investigate.

Graham Cluley, a consultant with U.K. Web security company Sophos, recommended that LinkedIn users change their passwords immediately.

LinkedIn has a lot of information on its more than 160 million members, including potentially confidential information related to jobs being sought. Companies, recruiting services and others have accounts alongside individuals who post resumes and other professional information.

There's added concern that many people use the same password on multiple websites, so whoever stole the data could use the information to access Gmail, Amazon, PayPal and other accounts, Cluley said.

Before confirming the breach, LinkedIn issued security tips as a precautionary measure. The company said users should change passwords at least every few months and avoid using the same ones on multiple sites.

LinkedIn also had suggestions for making passwords stronger, including avoiding passwords that match words in a dictionary. One way is to think of a meaningful phrase or song and create a password using the first letter of each word.

Cluley said hackers are working together to break the encryption on the passwords.

"All that's been released so far is a list of passwords and we don't know if the people who released that list also have the related email addresses," he said. "But we have to assume they do. And with that combination, they can begin to commit crimes."

It wasn't known who was behind such an attack.

LinkedIn's blog post had few details about what happened. It said compromised passwords have been deactivated, and members with affected accounts will be sent emails with further instructions.

While the passwords appear to be encrypted, security researcher Marcus Carey warned that users should not take solace from such security measures.

"If a website has been breached, it doesn't matter what encryption they're using because the attacker at that point controls a lot of the authentication," said Carey, who works at security-risk assessment firm Rapid7. "It's 'game over' once the site is compromised."

Cluley warned that LinkedIn users should be careful about malicious email generated around the incident. The fear is that people, after hearing about the incident, would be tricked into clicking on links in those emails. Instead of getting to the real LinkedIn site to change a password, it would go to a scammer, who can then collect the information and use it for criminal activities.

LinkedIn said its emails will not include any links.

Shares of LinkedIn, which is based in Mountain View, California, gained 8 cents to close Wednesday at $93.08.

http://nakedsecurity.sophos.com/2012/06/06/millions-of-linkedin-passwords-reportedly-leaked-take-action-now/

Although not yet confirmed by the business-networking website, it is being widely speculated that over six million passwords belonging to LinkedIn users have been compromised.

A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them.

Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals.

Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords.

As such, it would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step. Of course, make sure that the password you use is unique (in other words, not used on any other websites), and hard to crack.

If you were using the same passwords on other websites - make sure to change them too. And never again use the same password on multiple websites.

How to change your LinkedIn password
1. Log into LinkedIn.
2. You should see your name in the top right hand corner of the webpage. Click on it, and you will open a drop-down menu. Choose "Settings".

3. Choose the option to change your password.

4. After entering your old password, you will have to enter your new (hopefully unique and hard-to-crack password) twice.

Don't delay. Do it now. And if there are any more updates from LinkedIn we will let you know.

The Arbiter: Check the status of your LinkedIn password on the webpage link below. The site checks your hashed password against the leaked passwords hashes and informs you if it had been compromised. If it has, change your password immediately

[size=14pt]http://leakedin.org/[/size]

The site is secure. It was made by a respected programmer to help novices with password phobias check their password safety. If you're paranoid, just change your password without checking.

The Arbiter: By all means please change your passwords. But recall i said [size=16pt]hashed[/size] passwords. Its really simple to hash your password and pop it in to check. I dont give advice without due diligence and i check and double check my facts to verify correctness and authenticity. I take web security seriously.

By the ways every1, secure passwords should look like this [size=14pt]as#1vb@63ut=&sg%[/size] in any combination of letters, numbers and special characters of your choice and should be at least 15 characters in length.

The Arbiter: Check the status of your LinkedIn password on the webpage link below. The site checks your hashed password against the leaked passwords hashes and informs you if it had been compromised. If it has, change your password immediately

[size=14pt]http://leakedin.org/[/size]

The site is secure. It was made by a respected programmer to help novices with password phobias check their password safety. If you're paranoid, just change your password without checking.

Slyr0x: Out of sheer curiosity, I tried this http://leakedin.org . .Although, I knew it was quite a stupid move considering the fact that the owner of the site could actually be storing users pwds. .but then I have nothing to lose as I don't re-use my passwords . .

frosbel: c
But why should they, when it is as simple as loggin on to your social media site and changing the password yourself.

Why are you so keen to make them verify their passwords on your link , I work as a senior IT professional and this is just not on !!!

denzel2009:

Slyrox, are they storing password in clear texts? LinkedIn

The Arbiter: Check the status of your LinkedIn password on the webpage link below. The site checks your hashed password against the leaked passwords hashes and informs you if it had been compromised. If it has, change your password immediately

[size=14pt]http://leakedin.org/[/size]

The site is secure. It was made by a respected programmer to help novices with password phobias check their password safety. If you're paranoid, just change your password without checking.

denzel2009:

Slyrox, are they storing password in clear texts? LinkedIn

Piyke:

This is a phishing site. Be warned

The Arbiter:
The password hashes were unsalted SHA-1 hashes. SHA-1 was proven weak back in 2005, and unsalted hashes are especially weak.

Slyr0x:

Nah. .The passwords are stored as unsalted SHA-1 hashes. SHA-1 is a secure algorithm, but is not foolproof. Even so, unless your password is a dictionary word (i.e. password,qwerty,etc), or very simple, it will take some time to crack.

Slyr0x: It would take a desktop PC About 97 billion years to crack my password

Slyr0x: It would take a desktop PC About 97 billion years to crack my password

denzel2009:

Ok I wouldn't bother cracking your password, I would just hijack your session

The Arbiter: Wow Slyr0x. You're definitely no pushover.

I recommended the site to a few of my friends after their email accounts were hacked. It enabled them to see the folly of their password habits.

I hope other people will give it a try and be more educated about passwords.

Piyke:

You know if its actually ur real password you put there, it now compromised as the administrator or whoever can collect what u typed in

The Arbiter: By all means please change your passwords. But recall i said [size=16pt]hashed[/size] passwords. Its really simple to hash your password and pop it in to check. I dont give advice without due diligence and i check and double check my facts to verify correctness and authenticity. I take web security seriously.

By the ways every1, secure passwords should look like this [size=14pt]as#1vb@63ut=&sg%[/size] in any combination of letters, numbers and special characters of your choice and should be at least 15 characters in length.

Slyr0x:

Lmaooo. .go ahead o0. .As long as it doesn't affect the amount in my account




Most of my passwords follow this trend esp. for emails > Myn@meisslyrox@ndmyuniquenumberis7 (My name is slyrox & my unique number is 7). .
Then for cPanels and stuffs like that > TXluQG1laXNzbHlyb3hAbmRteXVuaXF1ZW51bWJlcmlzNw== (I use this site to base64 encode my pwds. .

The Irony there is the passwords eventually get too complicated especially if it's not an account I use frequently and also 'cos I don't reuse my passwords. For accounts like these, I often resort to using the "Forgot My Password" feature.

denzel2009:

I'm of the opinion that passwords shouldn't be more than 8 characters. Just anything to avoid being written down as it invalidates the reason for having a password.

You be security expert now, don't teach people bad things

Slyr0x:

lool. . .but then there are some things you don't have to write down. .

Look at this

My name is denzel and I am 32 yrs old. .

Making it a password, it becomes MyNameIsDenzelAndIam32yrsOld. .Simple. .

But then you could just introduce some characters like replacing all a's with @ i.e.

MyN@meIsDenzel@ndI@m32yrsOld. .

http://howsecureismypassword.net/ says it would take a desktop PC About 8 undecillion years to crack your password. .


You now have a secure and easy to remember password . .

Check the status of your LinkedIn password on the webpage link below. The site checks your hashed password against the leaked passwords hashes and informs you if it had been compromised. If it has, change your password immediately

http://leakedin.org/

The site is secure. It was made by a respected programmer to help novices with password phobias check their password safety. If you're paranoid, just change your password without checking.