Millions of LinkedIn and eHarmony passwords leaked online

7 Jun 2012

Passwords for accounts on both LinkedIn and eHarmony have been compromised, and users of both are advised to make secure changes.

Yesterday, LinkedIn confirmed that passwords found posted to the InsidePro forums were indeed from the social network’s accounts and, today, eHarmony has stated that passwords for some of its accounts have also been breached.

Over the course of three days, an unknown hacker under the username ‘dwdm’ posted lengthy lists of password hashes (cryptographic representations generated by an algorithm) to the forums, asking for help in cracking them. Hashes are easily decoded using free software, especially if the password is short, and one ‘helpful’ user managed to crack more than 1.22m within two minutes of posting, Ars Technica reported.

Account holders advised to change passwords

In total, around 8m hashes were posted to the site and it is estimated that about 5.8m correspond with LinkedIn accounts, and 1.5m with eHarmony accounts.

These threads have since been removed from the forum, and both LinkedIn and eHarmony have reset passwords for accounts at risk and notified these users of the breach.

However, one would be safer in assuming that the hacker in question may possess even more hashes than were posted online. Though none of the hashes listed came with a corresponding username, members of either LinkedIn or eHarmony – whether they have been notified of a breach or not – are advised to change their passwords, and to do so on other accounts where the same password might be used.

Need for increased password security

Password hashing uses SHA-1 encryption, which is a low-security measure and can easily be decoded. However, if these passwords were also salted, which involves adding a string of random characters to the password before hashing, they would be much harder for hackers to crack.

In a post on the company blog, LinkedIn director Vicente Silveira assured users that enhanced security measures have recently been put into place, including hashing and salting their current password databases. He also wrote a post on creating new secure passwords and provided other security and privacy tips.

UPDATE: Phishing attacks on LinkedIn users have already been reported following the security breach. Users who have received emails notifications asking that they confirm their email address by clicking an embedded link are advised to ignore these notifications and change their password immediately.

Password hacker image via Shutterstock

Elaine Burke is the host of For Tech’s Sake, a co-production from Silicon Republic and The HeadStuff Podcast Network. She was previously the editor of Silicon Republic.