Author Topic: If you are a LinkedIn/Last.FM/eHarmony user, then change your password pronto.  (Read 14282 times)

IainB

EDIT 2012-06-08 2320hrs NZT
Included: Passwords Stolen From Last.FM, eHarmony And LinkedIn [Updates]

===============================
Original post:
In case you haven't read about it, there has apparently been a huge leak of LinkedIn passwords by a Russian hacker.
Examples:

Changing your LinkedIn password now is a precaution against the risk that someone may use your LinkedIn account or ID - if yours is amongst the 6.5M.

To my knowledge, this is the second time something like this has happened at LinkedIn. The last time was on 2010-12-14, when LinkedIn emailed members telling them to change their passwords.

I hear that there is a rumour that LinkedIn may be considering changing its name to "LeakedIn".    ;)
« Last Edit: June 08, 2012, 06:23 AM by IainB »

rgdot

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #1 on: June 06, 2012, 05:45 PM »
One of the few social (or whatever you call these) that I never signed up for. Finding careers through someone having access to my resume or 'professional activities' scares me. Finding a job or even networking is not the same as me posting a link or chatting on twitter/facebook/G+.

justice

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #2 on: June 07, 2012, 08:42 AM »
Don't type your password into random websites (leakedin)

daddydave

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #3 on: June 07, 2012, 08:48 AM »
> To my knowledge, this is the second time something like this has happened at LinkedIn. The last time was on 2010-12-14, when LinkedIn emailed members telling them to change their passwords.

IIRC, the first time was due to a gawker.com breach, and they were advising that as a precaution in case the same password was used on their site.

cyberdiva

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #4 on: June 07, 2012, 11:19 AM »
> Don't type your password into random websites (leakedin)
Hi, Justice.  I'm not really sure what you mean.  Do you mean "enter your password some other way rather than typing it in"?  Or do you mean that LinkedIn (which I agreed to join and for which I have set a specific password) is a "random website"??  :tellme:   

wraith808

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #5 on: June 07, 2012, 02:13 PM »
>> To my knowledge, this is the second time something like this has happened at LinkedIn. The last time was on 2010-12-14, when LinkedIn emailed members telling them to change their passwords.
>
> IIRC, the first time was due to a gawker.com breach, and they were advising that as a precaution in case the same password was used on their site.

This recollection is true.  And Linked In is the only social networking site that I've even seen as useful... so YMMV I guess...

justice

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #6 on: June 07, 2012, 04:40 PM »
>> Don't type your password into random websites (leakedin)
> Hi, Justice.  I'm not really sure what you mean.  Do you mean "enter your password some other way rather than typing it in"?  Or do you mean that LinkedIn (which I agreed to join and for which I have set a specific password) is a "random website"??  :tellme:
The leakedin website lets you type in your password, and it will check to see if it has been leaked by linkedin. I say don't type your passwords into any other website than the one it belongs to.

IainB

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #7 on: June 07, 2012, 05:39 PM »
>> To my knowledge, this is the second time something like this has happened at LinkedIn. The last time was on 2010-12-14, when LinkedIn emailed members telling them to change their passwords.
> IIRC, the first time was due to a gawker.com breach, and they were advising that as a precaution in case the same password was used on their site.
Yes, that's right. The last one was because of a precaution, as a result of a breach at Gawker.com (assets include LifeHacker.com), and not a breach at LinkedIn. This is from the LinkedIn email to members, dated 2010-12-15:
...We recently sent you a message stating that your LinkedIn password had been disabled for security reasons. (Note: If you have more than one email registered with us, you will receive more than one password reset message. You only need to act on one of them.)
This was in response to a security breach on a different site, Gawker.com, where a number of usernames and passwords were exposed. We want to make sure those leaked emails and passwords were not being used to attack any LinkedIn members.
There is no indication that your LinkedIn account has been affected, but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password.
If you haven't done that already, now is a good time to follow these steps:
    Go to the LinkedIn website.
    Click on "Sign In".
    Click on "Forgot Password?" and follow the directions on the website.

Please keep in mind that the best defense against these types of attacks is to have unique passwords for each site you use. You can always search our support site and our blog for more security tips.
We apologize for the inconvenience, but we feel this action is in your best interest. Thanks for your immediate attention to our request.

Sincerely,

LinkedIn Privacy Team

cyberdiva

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #8 on: June 07, 2012, 05:50 PM »
> The leakedin website lets you type in your password, and it will check to see if it has been leaked by linkedin. I say don't type your passwords into any other website than the one it belongs to.
When I read your earlier message, I thought your parenthetical "(leakedin)" was referring to LinkedIn, since your message came not long after IainB's humorous remark about LinkedIn changing its name to LeakedIn.   Now I see I was mistaken.  I totally agree with your advice about not typing a password into sites other than the one it belongs to.  Though LeakedIn is probably legitimate, there's always the possibility that it or a similar site may really be intent on gathering people's passwords, passwords typed in without even the protection that serious encryption offers.

IainB

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #9 on: June 07, 2012, 06:05 PM »
Crikey, I didn't realise there was such a site as leakedin.com

Maybe I was being a bit unfair to LinkedIn...

daddydave

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #10 on: June 07, 2012, 06:05 PM »
>> The leakedin website lets you type in your password, and it will check to see if it has been leaked by linkedin. I say don't type your passwords into any other website than the one it belongs to.
> When I read your earlier message, I thought your parenthetical "(leakedin)" was referring to LinkedIn, since your message came not long after IainB's humorous remark about LinkedIn changing its name to LeakedIn.   Now I see I was mistaken.  I totally agree with your advice about not typing a password into sites other than the one it belongs to.  Though LeakedIn is probably legitimate, there's always the possibility that it or a similar site may really be intent on gathering people's passwords, passwords typed in without even the protection that serious encryption offers.

I took it that way, too, but this reminded me of one of my longtime annoyances with LinkedIn. It asks for your email login at the top of the page. At least once, I have mistaken this for an indication that I was not logged into LinkedIn and logged in with my email password by mistake. I'm not sure, maybe it used to have the password field right on the page instead of the Continue button.

IainB

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #11 on: June 07, 2012, 06:08 PM »
> ...At least once, I have mistaken this for an indication that I was not logged into LinkedIn...
Yes, I noticed that too. Ruddy annoying cheek. I am not giving them my email contacts list to sell/spam.

cyberdiva

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #12 on: June 07, 2012, 08:17 PM »
> Yes, I noticed that too. Ruddy annoying cheek. I am not giving them my email contacts list to sell/spam.
Yes, both LinkedIn and Facebook ask me for my email login and password.  Fat chance!  What surprises me is how many people do provide this information willingly.

Renegade

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #13 on: June 07, 2012, 10:06 PM »
Thanks for the heads up. Changed. :(

Why must people run around being destructive? Can't they find something better to do?
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Deozaan

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #14 on: June 08, 2012, 12:47 AM »
I had a LinkedIn account but I deleted it a couple months ago. I wonder if I need to be concerned about this... :-\

IainB

Re: If you are a LinkedIn user, then change your password pronto.
« Reply #15 on: June 08, 2012, 06:19 AM »
Just changed the subject of this post to include: Passwords Stolen From Last.FM, eHarmony And LinkedIn

rgdot

How many will admit having an eHarmony account?  ;D

IainB

> How many will admit having an eHarmony account?  ;D
That's unnecessarily unkind.    ;)

daddydave

>> How many will admit having an eHarmony account?  ;D
> That's unnecessarily unkind.    ;)

Maybe they can add having the same password to their matchmaking criteria.

Stoic Joker

>>> How many will admit having an eHarmony account?  ;D
>> That's unnecessarily unkind.    ;)
>
> Maybe they can add having the same password to their matchmaking criteria.

I'm sure their profiles will be updated accordingly as soon as a 3rd party matching consultant (hacker) is "assigned" to their account(s).

daddydave

I'm just thinking, if someone's LinkedIn password was "linkedin" or "password" or "abc123", and someone figures it out through a brute force attack and posts it on a web site, did the breach take place in LinkedIn or the user himself? Is that what happened, or did I mischaracterize the event?

So if those users change their password, what good will it do? They are going to change it to the same kind of guessable password.

EDIT: I guess I did mischaracterize this a bit, but there are two parts to this. A bunch of password hashes were obtained, and for some of them they were able to figure out the passwords. So apparently they are guessing passwords until they come up with one that matches the hash to confirm it, so that of course would be easier for those who chose those easy-to-guess passwords. I think it was the same way with the gawker.com breach.

Done editing now...except maybe for grammar, lol.
« Last Edit: June 08, 2012, 12:12 PM by daddydave »

Deozaan

It also would have been better if the hashes were salted, because then I think you'd need to know the salt to recover the passwords.
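
The guess-and-compare process and the effect of salting discussed in the last two posts, as an added example that is not part of the thread: a site operator's audit of stored hashes against the guessable passwords named above, first unsalted and then with a per-user salt. SHA-1, PBKDF2, the round count, the usernames and the sample passwords are assumptions constructed for the illustration; the thread names no algorithm.

```python
import hashlib
import hmac
import os

# Constructed sample data: the guessable passwords named in the thread,
# plus one stronger password. Usernames are made up.
GUESSABLE = ["linkedin", "password", "abc123"]
USERS = {"alice": "abc123", "bob": "abc123", "carol": "T7#vq9!mLz-2pX"}

def sha1_hex(password: str) -> str:
    """Unsalted fast hash (SHA-1 is an assumption, not stated in the thread)."""
    return hashlib.sha1(password.encode()).hexdigest()

def pbkdf2(password: str, salt: bytes, rounds: int = 20_000) -> bytes:
    """Salted, deliberately slow hash; rounds kept low so the demo runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def store_unsalted(users):
    return {user: sha1_hex(pw) for user, pw in users.items()}

def store_salted(users):
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)            # unique per user, stored beside the hash
        db[user] = (salt, pbkdf2(pw, salt))
    return db

def audit_unsalted(db, wordlist):
    """One table, computed once, is matched against every account."""
    table = {sha1_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}

def audit_salted(db, wordlist):
    """Every guess has to be recomputed for each account with its own salt."""
    found, work = {}, 0
    for user, (salt, digest) in db.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(pbkdf2(word, salt), digest):
                found[user] = word
                break
    return found, work
```

The salt is stored next to the hash, so a guessable password is still found in the salted audit; what changes is that identical passwords no longer share a hash and the guessing work is repeated for every account instead of being done once.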