LinkedIn confirms stolen passwords
Contributed by: Email on 06/08/2012 01:24 PM
In the continuing story about LinkedIn, the company now confirms that some of the more than 6 million password hashes were stolen and published online. The professional social networking site has now disabled the passwords for those affected members.
According to LinkedIn, those members should be receiving an email from LinkedIn with instructions on how to reset their passwords. No links will be contained in the email. This is purportedly being done to guard against any possible phishing attacks in which the attackers could send emails with instructions to reset passwords and links to web sites constructed to impersonate LinkedIn, trying to trick people into providing private info.
Once users follow the instructions in the LinkedIn email to request a password reset, they should then receive an email from the company containing a password reset link. Anyone who uses the same password for other services should ensure that they change those passwords as well.
LinkedIn says that the newly reset passwords will be more securely stored using a salted hashed format, which the company is now using. The company has yet to confirm exactly how many accounts were compromised or how the databases were accessed, but says that it is continuing to investigate the situation.
The state of the art is Password-Based Key Derivation Function 2 (PBKDF2), which stores passwords in a form that is, at present, almost uncrackable. LinkedIn does not use any such technology.