The last few days have seen security breaches at three different social sites. Professional networking site LinkedIn, dating site eHarmony and music site Last.fm have all been hacked and seen user details such as passwords leaked online. In some instances email addresses may be linked to the corresponding passwords.
The technology news site Ars Technica reported on Wednesday that a total of 8 million hashed passwords were published on underground forums by a hacker known as ‘dwdm’, who was seeking help cracking them. It was not clear whether all 8 million hashes belonged to users of LinkedIn and eHarmony, or whether the hacker had stolen an even larger number of credentials and posted only some of them.
eHarmony has confirmed that its security has been breached and more than 1.5 million user names and passwords leaked online.
LinkedIn has also confirmed the security breach in a brief statement to the Boston Business Journal, stating that some of the nearly 6.5 million password hashes published to a Russian hacker forum are connected to its user accounts.
“We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts,” LinkedIn Director Vicente Silveira wrote in a blog post Wednesday afternoon. “We are continuing to investigate this situation.”
Becky Teraoka of eHarmony states on the company blog that “The security of our customers’ information is extremely important to us, and we do not take this situation lightly.” She adds that eHarmony uses robust security measures, including password hashing and data encryption, to protect members’ personal information.
Both Silveira and Teraoka said that the two organisations had invalidated the passwords of members whose data had been breached and that the companies would send out emails to those affected with instructions on how to reset the password.
LinkedIn confirms it has taken steps to control the damage, outlined in its blog post today:
- Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
- These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.
- These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
LinkedIn also says it is adding salting to its password hashing, which its blog post describes as “hashing and salting”. Strictly, this is not encryption: a password hash is a one-way value that cannot be decrypted back to the password. The point of a per-user salt is that an attacker can no longer build a single precomputed table of hashes of common passwords and use it to crack every account that chose the same password; each salted hash has to be attacked on its own.
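To make the difference concrete, the following Python example (added here; it is not code from LinkedIn, eHarmony or this post, and uses a constructed set of three users and a five-word wordlist rather than any leaked data) cracks unsalted SHA-1 hashes with one shared lookup table, then shows that per-user salts with a slow key-derivation function (PBKDF2 is assumed here purely for illustration) force a separate search for every record. The work counters returned by the two cracking functions show why salting matters even against a small wordlist.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not real leaked accounts).
USERS = {"alice": "password123", "bob": "password123", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "password123", "linkedin", "letmein"]


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: identical passwords give identical hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(hashes, wordlist):
    """Build ONE table of hash -> word and look up every user's hash in it.

    Returns (cracked, work): cracked maps user -> recovered password or None,
    work is the number of hash computations, which equals len(wordlist)
    regardless of how many users there are.
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {user: table.get(h) for user, h in hashes.items()}
    return cracked, len(wordlist)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash. PBKDF2-HMAC-SHA256 is assumed here for illustration."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str):
    """Store a fresh random 16-byte salt next to the derived hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted_hash(password, salt), digest)


def crack_salted(records, wordlist, iterations: int = 100_000):
    """No shared table is possible: each record gets its own dictionary run.

    Returns (cracked, work) where work counts every hash computation made;
    it grows with the number of users, not just the size of the wordlist.
    """
    cracked = {}
    work = 0
    for user, (salt, digest) in records.items():
        cracked[user] = None
        for word in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(word, salt, iterations), digest):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    hashes = {u: unsalted_sha1(p) for u, p in USERS.items()}
    print("alice and bob share an unsalted hash:", hashes["alice"] == hashes["bob"])
    cracked, work = crack_unsalted(hashes, WORDLIST)
    print("unsalted:", cracked, "hash computations:", work)

    records = {u: make_record(p) for u, p in USERS.items()}
    print("alice and bob share a salted hash:", records["alice"][1] == records["bob"][1])
    cracked, work = crack_salted(records, WORDLIST)
    print("salted:  ", cracked, "hash computations:", work)
```

Both runs recover the same weak passwords, because salting does not rescue a user who picked "password123"; what it changes is the cost. The unsalted attack hashes the wordlist once for the whole dump, while the salted attack has to redo the work for every record, and the iteration count makes each of those hashes expensive. That is why the page's advice to pick unique passwords still stands even once a site salts its hashes.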
However, we know that LinkedIn has 160 million users globally, 9 million of them in the UK. LinkedIn has not confirmed how many passwords have been leaked, nor where the affected users are located. All we know is that the hacker published the hashes he needed help cracking, which could mean the attackers hold more passwords than initially suspected.
Last.fm has published a security update advising users to reset their passwords. As a precautionary measure, it has also stated that it will not send members emails with information on how to reset their password.
Even though it is not clear whether the hacker also obtained other sensitive personal information such as email addresses, one must assume that this information could be in the hands of criminals. As a precaution, it is worth urgently changing every password in use online, and never using the same password across multiple sites: a password cracked from one of these dumps will be tried against other sites where the same email address is registered.
The Omniquad Team