[Reshare] LinkedIn is apparently hacked, but this hassle could have been avoided
Now everyone needs to change his password, which is impossible as the LinkedIn site is down under the load. We really need a distributed WebID service instead of all these accounts.
Check out my recent post:
You sure you have a good password? Check the checkers first! as you could be much more vulnerable than you assumed!
Original post by +Jeff Sayre
Millions of passwords were hacked.
Comments
I just hate now so many websites have "Login with facebook" but not OpenID.
I assumed being around and popular for so long, their user base would be a lot lot higher than 190 M.
I don't favor WebID over OpenID. I shared the post because of the importance of moving away from the current system.
I followed up with this post
Is your LinkedIn password leaked? You can check it yourself!
Thanks a lot for this warning
I had indeed used a short password, shared between many other services - I opened all those accounts back in the days before I started using LastPass to keep randomly generated passwords (and stupid me never bothered to change all those old ones!)
Using the method mentioned here, I found that my password was among the stolen ones, and probably already cracked:
Needless to say, I have spent the last hour or so updating all the services where I used that password!
Let that be a lesson for me - and others as careless as me...
6.5M of 190M is a bit over 3%. I wouldn't call it a tiny fraction but it means 97% are safe ATM.
Thanks....changed my password. And LinkedIn didn't even send a message that it was updated. Finding such security hard to believe. But what's also interesting is, such a tiny fraction of the passwords were hacked; so says something about their good design maybe?
I think the timing of what I see myself (the image in my post) is probably better evidence of how the passwords were compromised than the likelihood of a brute force or dictionary attack on the hashes.
Rumor has it that the passwords were stored as hashes (good) but the hashes did not use any salt (very bad), making it quite easy to crack the passwords (very, very bad).
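The effect of a missing salt described in the comment above, as an added example that is not part of the original thread: it stores the same constructed accounts once with a bare digest and once with a per-user salt and a slow KDF, then counts how many accounts share a stored hash. SHA-1 as the unsalted digest, PBKDF2 as the replacement, and all names and sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "S3parate!pass"}


def unsalted_sha1(password: str) -> str:
    """Weak scheme: a bare, fast digest with no salt (SHA-1 is an assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str, iterations: int = 100_000) -> dict:
    """Hardened scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def shared_hashes(stored: dict) -> int:
    """Count accounts whose stored hash equals another account's stored hash."""
    counts = Counter(stored.values())
    return sum(n for n in counts.values() if n > 1)


def build_tables():
    """Return the same accounts stored under the weak and the hardened scheme."""
    weak = {user: unsalted_sha1(pw) for user, pw in USERS.items()}
    strong = {user: salted_record(pw) for user, pw in USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted, accounts sharing a hash:", shared_hashes(weak))
    print("salted, accounts sharing a hash:",
          shared_hashes({u: r["hash"] for u, r in strong.items()}))
```

Without a salt, identical passwords produce identical stored values, so one recovered password exposes every account that reused it; with a per-user salt each record has to be attacked separately.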
It doesn't matter how strong the #LinkedIn users' passwords were. It appears that they were compromised via a #phishing attack.
I am not sold on what WebId provides over OpenID, but getting away from people having to have lots of passwords everywhere, putting all their eggs in one basket, and then protecting that basket seems a better idea.
For example, I have 2-factor authentication on my Google account, and I use OpenID with that account where possible rather than creating new ones. If somebody snoops my password (which is harder since my Google domain is set to force SSL, but there could be keyloggers), that still doesn't give access to my account or any external accounts that are tied to it via OpenID.
I closed my LinkedIn Account. The sneaky copying of my calendar via the iOS app even after the whole path thing happened was 99% of the decision. The supposed password leak with unsalted hashes was the final drop.
Thanks for the warning. Just let my office know to change passwords.
I am going to make mine the password in my joke on my page!!!!!!!
lol - kidding, but it is funny, check it out.
And of course, I just updated my LinkedIn yesterday!!