Now everyone needs to change his password which is impossible as the LinkedIn site is down under the load. We really need a distributed WebID service instead of all these accounts.
Check out my recent post:
You sure you have a good password? Check the checkers first, as you could be much more vulnerable than you assumed!
https://plus.google.com/u/0/112352920206354603958/posts/Yr6TPrQ8YXB
Yet Another Reason We Need Distributed Identity
Reports are starting to come in that millions of LinkedIn passwords have been stolen. LinkedIn has yet to verify this, but they have tweeted that they are looking into the report.
Just to be safe, you should change your LinkedIn password immediately. Also, if you are using that password for any other InterWeb account -- which is a big no-no -- then you will need to change your password at those accounts as well.
This is yet another reason, among many, why we need distributed identity like WebID. With WebID, this could not happen. Yes, the server on which you hold your private certificate could be compromised, but that would affect just a single person, not millions of users. The potential damage in a scenario like that would be extremely limited.
Until the Web moves to distributed identity controls, situations like this will become more common and more worrisome.
#privacy #identity #WebID #SocialWeb
Comments
I just hate how so many websites have "Login with facebook" but not OpenID.
I assumed being around and popular for so long, their user base would be a lot lot higher than 190 M.
+John Tamplin +Thomas Wrobel I don't favor WebID over OpenID. I shared the post because of the importance of moving away from the current system.
I followed up with this post, +Jan Wildeboer and others, as I wanted to check if my pw was compromised:
Is your LinkedIn password leaked? You can check it yourself!
https://plus.google.com/u/0/112352920206354603958/posts/S1CEj5sQSyD
Thanks a lot for this warning +Max Huijgen!
I had indeed used a short password, shared between many other services - I opened all those accounts back in the days before I started using LastPass to keep randomly generated passwords (and stupid me never bothered to change all those old ones!)
Using the method mentioned here, I found that my password was among the stolen ones, and probably already cracked:
http://erratasec.blogspot.dk/2012/06/confirmed-linkedin-6mil-password-dump.html
Needless to say, I have spent the last hour or so updating all the services where I used that password!
Let that be a lesson for me - and others as careless as me...
6.5M of 190M is a bit over 3%. I wouldn't call it a tiny fraction but it means 97% are safe ATM.
Thanks... changed my password. And LinkedIn didn't even send a message that it was updated. Finding such security hard to believe. But what's also interesting is that such a tiny fraction of the passwords were hacked; so that says something about their good design maybe?
I think the timing of what I see myself (the image in my post) is probably better evidence of how the passwords were compromised than the likelihood of a brute force or dictionary attack on the hashes.
+Robert Simpson rumor has it that the passwords were stored as hashes (good) but the hashes did not use any salt (very bad) making it quite easy to crack the passwords (very, very bad).
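To make the point in the comment above concrete (and the "check it yourself" idea from +Max Huijgen's follow-up post), here is an added example that is not part of the thread and not LinkedIn's code. It builds a constructed dump of bare SHA-1 hashes, cracks it with a short wordlist, and then does the same against per-user salted hashes. The sample passwords, the wordlist and all function names are my own constructions; the only thing taken from the thread is the claim that the hashes were unsalted SHA-1.

```python
import hashlib
import os

# Constructed sample data: four hypothetical users. Three chose weak
# passwords, one chose a long passphrase. Not real leaked data.
SAMPLE_PASSWORDS = ["123456", "linkedin", "letmein", "correct horse battery staple"]

# A tiny constructed dictionary of the kind an attacker would start with.
WORDLIST = ["123456", "linkedin", "password", "letmein", "Tr0ub4dor&3"]


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of the given bytes."""
    return hashlib.sha1(data).hexdigest()


def unsalted_dump(passwords):
    """Store passwords the way the thread says LinkedIn did: bare SHA-1, no salt.
    Two users with the same password get the same hash."""
    return [sha1_hex(p.encode()) for p in passwords]


def salted_dump(passwords):
    """Store a random 16-byte salt next to SHA-1(salt || password) for each user.
    (A real system would use a slow KDF such as bcrypt/scrypt/Argon2 instead of
    a single SHA-1; the salt alone is what this example is about.)"""
    records = []
    for p in passwords:
        salt = os.urandom(16)
        records.append((salt.hex(), sha1_hex(salt + p.encode())))
    return records


def crack_unsalted(dump, wordlist):
    """Unsalted: hash each candidate word once and compare it against every
    user at the same time. Cost is len(wordlist), however many users there are."""
    targets = set(dump)
    found = {}
    hashes_computed = 0
    for word in wordlist:
        hashes_computed += 1
        h = sha1_hex(word.encode())
        if h in targets:
            found[h] = word
    return found, hashes_computed


def crack_salted(dump, wordlist):
    """Salted: the candidate hash depends on the user's salt, so every word
    must be rehashed for every user. Cost is len(dump) * len(wordlist)."""
    found = {}
    hashes_computed = 0
    for salt_hex, h in dump:
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            hashes_computed += 1
            if sha1_hex(salt + word.encode()) == h:
                found[h] = word
    return found, hashes_computed


def is_my_password_in_dump(password, dump):
    """The 'check it yourself' idea: with unsalted hashes you can hash your own
    password offline and look it up in the published list. This tells you whether
    your account was in the leak, whether or not the attacker has cracked it yet."""
    return sha1_hex(password.encode()) in set(dump)


if __name__ == "__main__":
    plain = unsalted_dump(SAMPLE_PASSWORDS)
    cracked, n = crack_unsalted(plain, WORDLIST)
    print(f"unsalted: {len(cracked)} of {len(plain)} cracked with {n} hash computations")

    salted = salted_dump(SAMPLE_PASSWORDS)
    cracked_s, n_s = crack_salted(salted, WORDLIST)
    print(f"salted:   {len(cracked_s)} of {len(salted)} cracked with {n_s} hash computations")

    print("'correct horse battery staple' in dump:",
          is_my_password_in_dump("correct horse battery staple", plain))
```

Both runs crack the same three weak passwords, which is the other half of the comment: salt does not rescue a weak password, it only stops one pass over a wordlist from covering millions of accounts at once. Note also that the passphrase user shows up as "in the dump" even though nothing cracked it; that is exactly what the self-check in the follow-up post detects.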
It doesn't matter how strong the #LinkedIn users passwords were. It appears that they were compromised via a #phishing attack.
https://plus.google.com/u/0/112416945907493718478/posts/ZqQ9gJLmFA3
I am not sold on what WebId provides over OpenID, but getting away from people having to have lots of passwords everywhere, putting all their eggs in one basket, and then protecting that basket seems a better idea.
For example, I have 2-factor authentication on my Google account, and I use OpenID with that account where possible rather than creating new ones. Somebody snooping my password (which is harder since my Google domain is set to force SSL, but there could be keyloggers) still doesn't get access to my account or to any external accounts that are tied to it via OpenID.
umm....OpenID ?
I closed my LinkedIn Account. The sneaky copying of my calendar via the iOS app even after the whole path thing happened was 99% of the decision. The supposed password leak with unsalted hashes was the final drop.
Thanks for the warning, +Max Huijgen. Just let my office know to change passwords.
+Max Huijgen I am going to make mine the password in my joke on my page!!!!!!!
lol - kidding, but it is funny, check it out.
And of course, I just updated my linkedin yesterday!!