Over 6 million passwords were posted on a Russian forum online
Business social network LinkedIn was the target of a cyber attack this week where over 6 million passwords were stolen and posted on the Web.
On Monday, about 6.5 million passwords were stolen and posted on a Russian online forum. Some of the passwords were confirmed to belong to LinkedIn accounts, which is why security experts believe the hackers obtained the huge list from LinkedIn. Russian hackers are suspected of being behind the attack, but the exact culprits have not been identified.
The hackers posted half of the list as SHA-1 hashes. SHA-1 is a cryptographic hash function commonly used by companies that store large numbers of passwords: rather than keeping the password itself, they store the hash computed from it. The other half of the passwords, however, had already been cracked and were posted in plain text, readable by anyone.
It emerged that LinkedIn hashed its passwords with SHA-1, but the problem is that it used SHA-1 alone and nothing else. A hash function on its own is a weak way to store passwords because it is deterministic: the same input always produces the same output, so every user who chose the word “password” ended up with exactly the same hash. An attacker can hash a dictionary of common passwords once, compare the results against the entire list, and crack every account that used one of those words in a single pass.
Security experts say that companies should salt their passwords rather than hash them with SHA-1 alone. A salt is a piece of random data, generated separately for each user and stored alongside the hash, that is combined with the password before it is hashed. Two users with the same password then end up with different hashes, and a precomputed table of hashed dictionary words is useless: the attacker has to redo the work for every user on the list.
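The difference between bare and salted hashing described above, as an added example that is not from the article and is not LinkedIn's own code. It uses a constructed set of three users and a constructed five-word dictionary standing in for the wordlists crackers actually run. It also goes one step beyond the article: a salt alone does not stop a cracker from guessing weak passwords, it only forces the work to be repeated per user, so the last two functions show a salted and deliberately slow scheme (PBKDF2 from Python's standard library), which is the assumed modern alternative rather than anything the article names.

```python
import hashlib
import hmac
import os

# Constructed sample data, not taken from the leaked list: three users, two of
# whom chose the same weak password.
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}

# Constructed stand-in for a cracking dictionary; real ones hold hundreds of
# millions of entries.
WORDLIST = ["123456", "qwerty", "password", "linkedin", "letmein"]


def sha1_unsalted(password):
    """Store the password the way the article says LinkedIn did: bare SHA-1."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored, wordlist):
    """Attack an unsalted dump: hash each word once, then look every user's hash
    up in the result. Users who share a password fall together.
    Returns (cracked_users, number_of_hash_computations)."""
    table = {sha1_unsalted(w): w for w in wordlist}  # could be precomputed offline
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def sha1_salted(password, salt):
    """Hash salt || password. The salt is random per user and stored with the hash."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def store_salted(users):
    """Return {user: (salt, hash)} with a fresh 16-byte random salt per user."""
    records = {}
    for user, password in users.items():
        salt = os.urandom(16)
        records[user] = (salt, sha1_salted(password, salt))
    return records


def crack_salted(records, wordlist):
    """A precomputed table is useless here: the wordlist must be rehashed under
    each user's salt. Weak passwords still fall, but the work scales with the
    number of users. Returns (cracked_users, number_of_hash_computations)."""
    cracked, ops = {}, 0
    for user, (salt, h) in records.items():
        for word in wordlist:
            ops += 1
            if sha1_salted(word, salt) == h:
                cracked[user] = word
                break
    return cracked, ops


def pbkdf2_store(password, salt, iterations=100_000):
    """Salted *and* slow: PBKDF2-HMAC-SHA256 from the standard library. Each
    guess now costs the attacker as much as one legitimate login check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def pbkdf2_verify(password, salt, stored, iterations=100_000):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(pbkdf2_store(password, salt, iterations), stored)


if __name__ == "__main__":
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    print("alice and bob share a hash:", unsalted["alice"] == unsalted["bob"])
    print("unsalted crack:", crack_unsalted(unsalted, WORDLIST))

    salted = store_salted(USERS)
    print("alice and bob share a hash:", salted["alice"][1] == salted["bob"][1])
    print("salted crack:", crack_salted(salted, WORDLIST))

    salt = os.urandom(16)
    digest = pbkdf2_store("Tr0ub4dor&3", salt)
    print("pbkdf2 verify ok:", pbkdf2_verify("Tr0ub4dor&3", salt, digest))
```

Run as a script, the unsalted crack recovers alice and bob with five SHA-1 computations in total, one per dictionary word; the salted crack recovers the same two accounts but needs eleven computations because every user's salt restarts the dictionary. That is the whole benefit of a salt, and also its limit: it removes the shortcut, not the weak password, which is why a slow function such as PBKDF2 (or bcrypt or scrypt) is used on top of it.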
LinkedIn was not using salt; only SHA-1. Per Thorsheim, chief information security advisor at Norwegian IT company EVRY, said using SHA-1 without salt is “a great risk.”
LinkedIn is now seeing the results of this risk, but it recently posted a blog entry saying it has since strengthened its security by hashing and salting its current password database. It is unclear how recently the salting was put in place.
So far, no user names have been identified on the list. Many are hoping that the attack was simply a wake-up call for LinkedIn where the hackers have no other intentions beyond posting the passwords. However, if the hack was conducted by professionals, LinkedIn could see much more trouble ahead.
LinkedIn users are being told to change their passwords to avoid further issues. LinkedIn confirmed the breach in a blog post.