The Google+ musings of

Max Huijgen

Think outside the box, Technology, European, Challenging your brain

[Reshare] LinkedIn is apparently hacked, but this hassle could have been avoided

June 06, 2012 15 comments 4 shares 15 plus ones

Now everyone needs to change his password which is impossible as the LinkedIn site is down under the load. We really need a distributed WebID service instead of all these accounts. 
Check out my recent post:
You sure you have a good password? Check the checkers first! as you could be much more vulnerable than you assumed!
https://plus.google.com/u/0/112352920206354603958/posts/Yr6TPrQ8YXB

Original post by +Jeff Sayre

Change Your LinkedIn Password Right Now!

Millions of passwords were hacked.


Comments

Thomas Wrobel June 07, 2012

I just hate how so many websites have "Login with facebook" but not OpenID.

Naren Mangtani June 06, 2012

I assumed being around and popular for so long, their user base would be a lot lot higher than 190 M.

Max Huijgen June 06, 2012

+John Tamplin +Thomas Wrobel I don't favor Webid over OpenId. I shared the post because of the importance of moving away from the current system.

Max Huijgen June 06, 2012

I followed up with this post +Jan Wildeboer and others as I wanted to check if my pw was compromised:
Is your LinkedIn password leaked? You can check it yourself!
https://plus.google.com/u/0/112352920206354603958/posts/S1CEj5sQSyD

Jonas Neergaard-Nielsen June 06, 2012

Thanks a lot for this warning +Max Huijgen!
I had indeed used a short password, shared between many other services - I opened all those accounts back in the days before I started using LastPass to keep randomly generated passwords (and stupid me never bothered to change all those old ones!)

Using the method mentioned here, I found that my password was among the stolen ones, and probably already cracked:
http://erratasec.blogspot.dk/2012/06/confirmed-linkedin-6mil-password-dump.html

Needless to say, I have spent the last hour or so updating all the services where I used that password!

Let that be a lesson for me - and others as careless as me...

Jan Wildeboer June 06, 2012

6.5M of 190M is a bit over 3%. I wouldn't call it a tiny fraction but it means 97% are safe ATM.

Naren Mangtani June 06, 2012

Thanks....changed my password. And LinkedIn didn't even send a message that it was updated. Finding such security hard to believe. But what's also interesting is, such a tiny fraction of the passwords were hacked; so says something about their good design maybe?

Robert Simpson June 06, 2012

I think the timing of what I see myself (the image in my post) is probably better evidence of how the passwords were compromised than the likelihood of a brute force or dictionary attack on the hashes.

Jan Wildeboer June 06, 2012

+Robert Simpson rumor has it that the passwords were stored as hashes (good) but the hashes did not use any salt (very bad) making it quite easy to crack the passwords (very, very bad).
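
An added illustration of the unsalted-hash point in the comment above (not code from any commenter or from LinkedIn): without a salt, every user with the same password gets the same stored digest, so one guess covers all of them, while a per-user salt with a slow KDF removes that. SHA-1 as the unsalted hash, PBKDF2 as the hardened scheme, and the sample accounts are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; three users picked the same password.
ACCOUNTS = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",
    "carol": "correct horse battery",
    "dave": "linkedin2012",
}

def unsalted_store(accounts):
    """Weak scheme: one fast hash, no salt (SHA-1 is an assumption here)."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in accounts.items()}

def salted_store(accounts, iterations=100_000):
    """Hardened scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        store[user] = (salt, iterations, digest)
    return store

def verify(store, user, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = store[user]
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)

def users_sharing_a_digest(digests):
    """Number of users whose stored digest equals another user's digest."""
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)

def audit(accounts):
    """Compare how much each storage scheme reveals about password reuse."""
    weak = unsalted_store(accounts)
    strong = salted_store(accounts)
    return {
        "unsalted": users_sharing_a_digest(weak.values()),
        "salted": users_sharing_a_digest(d for _, _, d in strong.values()),
    }

if __name__ == "__main__":
    print(audit(ACCOUNTS))
```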

Robert Simpson June 06, 2012

It doesn't matter how strong the #LinkedIn users' passwords were. It appears that they were compromised via a #phishing attack.

https://plus.google.com/u/0/112416945907493718478/posts/ZqQ9gJLmFA3

John Tamplin June 06, 2012

I am not sold on what WebId provides over OpenID, but getting away from people having to have lots of passwords everywhere, putting all their eggs in one basket, and then protecting that basket seems a better idea.

For example, I have 2-factor authentication on my Google account, and I use OpenID with that account where possible rather than creating new ones.  Somebody snoops my password (which is harder since my Google domain is set to force SSL, but there could be keyloggers) still doesn't give access to my account or any external accounts that are tied to it via OpenID.

Thomas Wrobel June 06, 2012

umm....OpenID ? 

Jan Wildeboer June 06, 2012

I closed my LinkedIn Account. The sneaky copying of my calendar via the iOS app even after the whole path thing happened was 99% of the decision. The supposed password leak with unsalted hashes was the final drop.

Justin Gifford June 06, 2012

Thanks for the warning, +Max Huijgen. Just let my office know to change passwords. 

Jo Anne Thomas June 06, 2012

+Max Huijgen I am going to make mine the password in my joke on my page!!!!!!!
lol - kidding, but it is funny, check it out.
And of course, I just updated my linkedin yesterday!!