DonationCoder.com Forum

Main Area and Open Discussion => Living Room => Topic started by: IainB on June 06, 2012, 05:02 PM

Title: If you are a LinkedIn/Last.FM/eHarmony user, then change your password pronto.
Post by: IainB on June 06, 2012, 05:02 PM
EDIT 2012-06-08 2320hrs NZT
Included: Passwords Stolen From Last.FM, eHarmony And LinkedIn [Updates] (http://www.makeuseof.com/tag/last-fm-eharmony-and-linkedin-have-passwords-stolen-updates/)

===============================
Original post:
In case you haven't read about it, there has apparently been a huge leak of LinkedIn passwords by a Russian hacker.
Examples:

Changing your LinkedIn password now is a precaution against the risk that someone may use your LinkedIn account or ID - if yours is amongst the 6.5M.

To my knowledge, this is the second time something like this has happened at LinkedIn. The last time was on 2010-12-14, when LinkedIn emailed members telling them to change their passwords.

I hear that there is a rumour that LinkedIn may be considering changing its name to "LeakedIn".    ;)
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: rgdot on June 06, 2012, 05:45 PM
One of the few social (or whatever you call these) that I never signed up for. Finding careers through someone having access to my resume or 'professional activities' scares me. Finding a job or even networking is not the same as me posting a link or chatting on twitter/facebook/G+.
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: justice on June 07, 2012, 08:42 AM
Don't type your password into random websites (leakedin)
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: daddydave on June 07, 2012, 08:48 AM
To my knowledge, this is the second time something like this has happened at LinkedIn. The last time was on 2010-12-14, when LinkedIn emailed members telling them to change their passwords.

IIRC, the first time was due to a gawker.com breach, and they were advising that as a precaution in case the same password was used on their site.
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: cyberdiva on June 07, 2012, 11:19 AM
Don't type your password into random websites (leakedin)
Hi, Justice.  I'm not really sure what you mean.  Do you mean "enter your password some other way rather than typing it in"?  Or do you mean that LinkedIn (which I agreed to join and for which I have set a specific password) is a "random website"??  :tellme:   
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: wraith808 on June 07, 2012, 02:13 PM
To my knowledge, this is the second time something like this has happened at LinkedIn. The last time was on 2010-12-14, when LinkedIn emailed members telling them to change their passwords.

IIRC, the first time was due to a gawker.com breach, and they were advising that as a precaution in case the same password was used on their site.

This recollection is true.  And LinkedIn is the only social networking site that I've even seen as useful... so YMMV I guess...
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: justice on June 07, 2012, 04:40 PM
Don't type your password into random websites (leakedin)
Hi, Justice.  I'm not really sure what you mean.  Do you mean "enter your password some other way rather than typing it in"?  Or do you mean that LinkedIn (which I agreed to join and for which I have set a specific password) is a "random website"??  :tellme:   
The leakedin website lets you type in your password, and it will check to see if it has been leaked by linkedin. I say don't type your passwords into any other website than the one it belongs to.
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: IainB on June 07, 2012, 05:39 PM
To my knowledge, this is the second time something like this has happened at LinkedIn. The last time was on 2010-12-14, when LinkedIn emailed members telling them to change their passwords.
IIRC, the first time was due to a gawker.com breach, and they were advising that as a precaution in case the same password was used on their site.
Yes, that's right. The last one was because of a precaution, as a result of a breach at Gawker.com (assets include LifeHacker.com), and not a breach at LinkedIn. This is from the LinkedIn email to members, dated 2010-12-15:
...We recently sent you a message stating that your LinkedIn password had been disabled for security reasons. (Note: If you have more than one email registered with us, you will receive more than one password reset message. You only need to act on one of them.)
This was in response to a security breach on a different site, Gawker.com, where a number of usernames and passwords were exposed. We want to make sure those leaked emails and passwords were not being used to attack any LinkedIn members.
There is no indication that your LinkedIn account has been affected, but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password.
If you haven't done that already, now is a good time to follow these steps:
    Go to the LinkedIn website.
    Click on "Sign In".
    Click on "Forgot Password?" and follow the directions on the website.

Please keep in mind that the best defense against these types of attacks is to have unique passwords for each site you use. You can always search our support site and our blog for more security tips.
We apologize for the inconvenience, but we feel this action is in your best interest. Thanks for your immediate attention to our request.

Sincerely,

LinkedIn Privacy Team
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: cyberdiva on June 07, 2012, 05:50 PM
The leakedin website lets you type in your password, and it will check to see if it has been leaked by linkedin. I say don't type your passwords into any other website than the one it belongs to.
When I read your earlier message, I thought your parenthetical "(leakedin)" was referring to LinkedIn, since your message came not long after IainB's humorous remark about LinkedIn changing its name to LeakedIn.   Now I see I was mistaken.  I totally agree with your advice about not typing a password into sites other than the one it belongs to.  Though LeakedIn is probably legitimate, there's always the possibility that it or a similar site may really be intent on gathering people's passwords, passwords typed in without even the protection that serious encryption offers.
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: IainB on June 07, 2012, 06:05 PM
Crikey, I didn't realise there was such a site as leakedin.com

Maybe I was being a bit unfair to LinkedIn...
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: daddydave on June 07, 2012, 06:05 PM
The leakedin website lets you type in your password, and it will check to see if it has been leaked by linkedin. I say don't type your passwords into any other website than the one it belongs to.
When I read your earlier message, I thought your parenthetical "(leakedin)" was referring to LinkedIn, since your message came not long after IainB's humorous remark about LinkedIn changing its name to LeakedIn.   Now I see I was mistaken.  I totally agree with your advice about not typing a password into sites other than the one it belongs to.  Though LeakedIn is probably legitimate, there's always the possibility that it or a similar site may really be intent on gathering people's passwords, passwords typed in without even the protection that serious encryption offers.

I took it that way, too, but this reminded me of one of my longtime annoyances with LinkedIn. It asks for your email login at the top of the page. At least once, I have mistaken this for an indication that I was not logged into LinkedIn and logged in with my email password by mistake. I'm not sure, maybe it used to have the password field right on the page instead of the Continue button.
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: IainB on June 07, 2012, 06:08 PM
...At least once, I have mistaken this for an indication that I was not logged into LinkedIn...
Yes, I noticed that too. Ruddy annoying cheek. I am not giving them my email contacts list to sell/spam.
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: cyberdiva on June 07, 2012, 08:17 PM
Yes, I noticed that too. Ruddy annoying cheek. I am not giving them my email contacts list to sell/spam.
Yes, both LinkedIn and Facebook ask me for my email login and password.  Fat chance!  What surprises me is how many people do provide this information willingly.
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: Renegade on June 07, 2012, 10:06 PM
Thanks for the heads up. Changed. :(

Why must people run around being destructive? Can't they find something better to do?
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: Deozaan on June 08, 2012, 12:47 AM
I had a LinkedIn account but I deleted it a couple months ago. I wonder if I need to be concerned about this... :-\
Title: Re: If you are a LinkedIn user, then change your password pronto.
Post by: IainB on June 08, 2012, 06:19 AM
Just changed the subject of this post to include: Passwords Stolen From Last.FM, eHarmony And LinkedIn (http://www.makeuseof.com/tag/last-fm-eharmony-and-linkedin-have-passwords-stolen-updates/)
Title: Re: If you are a LinkedIn/Last.FM/eHarmony user, then change your password pronto.
Post by: rgdot on June 08, 2012, 06:26 AM
How many will admit having an eHarmony account?  ;D
Title: Re: If you are a LinkedIn/Last.FM/eHarmony user, then change your password pronto.
Post by: IainB on June 08, 2012, 07:33 AM
How many will admit having an eHarmony account?  ;D
That's unnecessarily unkind.    ;)
Title: Re: If you are a LinkedIn/Last.FM/eHarmony user, then change your password pronto.
Post by: daddydave on June 08, 2012, 07:35 AM
How many will admit having an eHarmony account?  ;D
That's unnecessarily unkind.    ;)

Maybe they can add having the same password to their matchmaking criteria.
Title: Re: If you are a LinkedIn/Last.FM/eHarmony user, then change your password pronto.
Post by: Stoic Joker on June 08, 2012, 11:35 AM
How many will admit having an eHarmony account?  ;D
That's unnecessarily unkind.    ;)

Maybe they can add having the same password to their matchmaking criteria.

I'm sure their profiles will be updated accordingly as soon as a 3rd party matching consultant (hacker) is "assigned" to their account(s).
Title: Re: If you are a LinkedIn/Last.FM/eHarmony user, then change your password pronto.
Post by: daddydave on June 08, 2012, 12:03 PM
I'm just thinking, if someone's LinkedIn password was "linkedin" or "password" or "abc123", and someone figures it out through a brute force attack and posts it on a web site, did the breach take place in LinkedIn or the user himself? Is that what happened, or did I mischaracterize the event?

So if those users change their password, what good will it do? They are going to change it to the same kind of guessable password.

EDIT: I guess I did mischaracterize this a bit, but there are two parts to this. A bunch of password hashes were obtained, and for some of them they were able to figure out the passwords. So apparently they are guessing passwords until they come up with one that matches the hash to confirm it, so that of course would be easier for those who chose those easy-to-guess passwords. I think it was the same way with the gawker.com breach.

Done editing now...except maybe for grammar, lol.
Title: Re: If you are a LinkedIn/Last.FM/eHarmony user, then change your password pronto.
Post by: Deozaan on June 08, 2012, 05:10 PM
It also would have been better if the hashes were salted, because then I think you'd need to know the salt to recover the passwords.
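
The last two posts discuss guessing passwords against leaked hashes and what salting changes. The sketch below is an added example, not written by anyone in this thread: it audits a small constructed account store both ways and counts the hashing work each approach needs. The choice of SHA-1 and PBKDF2, the sample accounts and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which share a weak password.
USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "T7#vq-Lm92!xe"}
WORDLIST = ["password", "abc123", "linkedin"]  # the guesses named in the thread


def unsalted(password):
    """Fast, unsalted digest (SHA-1 is an assumption for this illustration)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted(password, salt, rounds=10_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def build_stores(users):
    """Return the same accounts stored unsalted and stored as (salt, digest)."""
    plain = {u: unsalted(p) for u, p in users.items()}
    strong = {}
    for u, p in users.items():
        salt = os.urandom(16)  # kept next to the digest, as real systems do
        strong[u] = (salt, salted(p, salt))
    return plain, strong


def audit_unsalted(store, wordlist):
    """Each guess is hashed once and compared against every account at once."""
    table = {unsalted(w): w for w in wordlist}
    hits = {u: table[h] for u, h in store.items() if h in table}
    return hits, len(wordlist)  # number of digests computed


def audit_salted(store, wordlist):
    """Each account has its own salt, so every guess is recomputed per account."""
    hits, work = {}, 0
    for user, (salt, digest) in store.items():
        for w in wordlist:
            work += 1  # one full slow-KDF run per (account, guess) pair
            if hmac.compare_digest(salted(w, salt), digest):
                hits[user] = w
                break
    return hits, work
```

In both stores the two "linkedin" accounts are found and the long random password is not; salting does not rescue a guessable password, it removes the shared-work shortcut and, with a slow KDF, raises the cost of every guess.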