Embedded Business News

LinkedIn Hacked, Passwords Please No Salt

By Bill Giovino
Jun 7, 2012 - 2:38:33 PM

Passwords kinda revealed, LinkedIn security kinda improved, something about barn doors and horses.

LinkedIn, the professional networking site popular among embedded systems professionals, has been hacked. Encrypted passwords of 6.5 million LinkedIn members have been revealed on a Russian website.

While the encrypted passwords have been publicly posted, no names or email addresses were revealed. Of course, this does not mean that the hackers do not have names and email addresses and have just chosen not to post them.

Like many websites, LinkedIn hashed the passwords using SHA-1. This makes it almost impossible to recover the passwords from the hashes by themselves. However, LinkedIn's engineers did not salt the SHA-1 hashes. Without salt, hackers can compare the list to a rainbow table of words and hashed passwords. By matching the hashed passwords to the hashes in the rainbow table, the original password can be discovered. If the user has a hacked account on another website that uses the same password, email addresses can be matched to passwords and your LinkedIn account gets violated.

It appears that many LinkedIn members use the unimaginably unimaginable password of "linkedin", as the SHA-1 hash of that word appears more than once in the leaked password list.
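The two observations above (one precomputed table matching every unsalted hash, and the same hash showing up for several accounts) are shown side by side with a salted alternative in the following added example, which is not code from LinkedIn or from the original article. The account names, passwords, word list, and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not data from the leak).
ACCOUNTS = {"alice": "linkedin", "bob": "linkedin", "carol": "S0lder!ng-Iron"}

def sha1_unsalted(password):
    """Unsalted SHA-1, the storage scheme the article describes."""
    return hashlib.sha1(password.encode()).hexdigest()

def repeated_hashes(stored):
    """Return the hashes that are shared by more than one account."""
    counts = Counter(stored.values())
    return {h: n for h, n in counts.items() if n > 1}

def table_hits(stored, wordlist):
    """One precomputed hash-to-word table is checked against every account."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}

def hash_salted(password, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF (assumed: PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

UNSALTED = {u: sha1_unsalted(p) for u, p in ACCOUNTS.items()}
SALTED = {u: hash_salted(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("hashes shared across accounts:", repeated_hashes(UNSALTED))
    print("precomputed-table hits:", table_hits(UNSALTED, ["linkedin", "password"]))
    print("salted digests differ:", SALTED["alice"][2] != SALTED["bob"][2])
    print("salted verify:", verify_salted("linkedin", SALTED["alice"]))
```

With a per-user salt, identical passwords no longer produce identical stored values, so a single precomputed table cannot be matched against the whole list.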

Gone Phishing
There has also been a flood of phishing emails. Many LinkedIn members with weak spam protection are receiving dozens of email invitations to connect with new (fake) contacts. There have also been some fake "change your password now" emails (the real LinkedIn password change email contains no links).

Expect these phishing attempts to get more creative in the next few days. Some won't be as easy to spot as this hilarious example here:

LinkedIn Fake Password Change Email. Duh.

Changing your LinkedIn Password
I manage the LinkedIn Semiconductor Sales & Marketing group and I've already advised my 18,000 brilliant and good-looking members to change their passwords. You should, too.

To change your LinkedIn password follow these steps:

  1. Log into your LinkedIn account by typing directly in your browser's address
  2. In the upper-right hand corner, click on your name and from the drop-down list select "Settings".
  3. From Settings, next to the word Password click "Change"
  4. Follow, follow, follow the instructions.

The best passwords are a combination of words, numbers, and at least one special character such as !,#,$,%, etc. So use the %$#*& special characters.

And when you are on LinkedIn, always, always, ALWAYS make sure that your browser's address bar shows Check it carefully - for example here, the "L" is, instead, the number one. Remember, hackers are creative spellers.
