[By Sudarshana Banerjee]
Reports surfaced in the European press of a packet of some 6.5 million LinkedIn passwords being up for grabs on a Russian hacker website. LinkedIn has now confirmed that some of its members' passwords have indeed been breached, though the professional networking site is not saying exactly how many the 'some' covers.
Vicente Silveira (Director, LinkedIn): We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.
What happens next? LinkedIn members whose accounts are associated with the compromised passwords will notice that their LinkedIn password is no longer valid. They will also receive two emails from LinkedIn, the first providing details on how they can reset their passwords, and the second outlining why they have to. If you have a LinkedIn account, you may want to go ahead and change your password, just to be on the safe side. Especially so if your LinkedIn password is used elsewhere (online banking perhaps?).
LinkedIn says it has just put enhanced security in place, including hashing and salting of its current password databases. "It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," says Mr. Silveira.
Hashing transforms a password into a fixed-size string of data, making it very difficult to deduce the original password in the event of a compromise. A cryptographic salt is random data mixed in during hashing so that the output cannot be looked up in a list of pre-calculated hashes. Hashing and salting are standard password storage practices. It is not clear whether the 'enhanced security' was put in place after the breach, or if hackers somehow got through to 6.5 million hashed passwords and account details.
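To make the distinction above concrete, here is an added Python example (not from the article or from LinkedIn) that hashes a constructed sample user list both without and with per-user salts, then checks each against a small pre-calculated table; the choice of SHA-256 and the sample values are assumptions for illustration.

```python
import hashlib
import os

# Constructed sample data (not from the LinkedIn incident): a few accounts and
# the passwords their owners chose. Two weak choices are deliberately included.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "linkedin",
    "carol": "T7#q9!vZk2@mLp",  # strong; not in any common wordlist
}

# Stand-in for the "list of pre-calculated hashes" the article mentions:
# hashes of common passwords computed once, in advance.
COMMON_PASSWORDS = ["123456", "password", "password123", "linkedin", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Same password mixed with a per-account random salt before hashing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute digest -> password for a wordlist (a one-time cost)."""
    return {unsalted_hash(p): p for p in candidates}


def store_unsalted(users: dict) -> dict:
    """What an unsalted password database looks like: user -> digest."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    """Salted database: user -> (salt, digest), with a fresh salt per account."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, salted_hash(p, salt))
    return out


def recover_unsalted(stored: dict, table: dict) -> dict:
    """Every stored digest is one dictionary lookup; no hashing is needed."""
    return {user: table[h] for user, h in stored.items() if h in table}


def recover_salted(stored: dict, table: dict) -> dict:
    """The precomputed table never matches a salted digest."""
    return {user: table[h] for user, (_salt, h) in stored.items() if h in table}
```

Salting defeats the pre-calculated table but not per-record guessing of weak passwords, which is why real systems use a deliberately slow function such as `hashlib.pbkdf2_hmac` rather than a single SHA-256 round.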