This Is How Easy It Is To Get Your Password Stolen Online

By Carlton Purvis

As LinkedIn is slammed online for weak password practices, the leak of 6.5 million passwords has started an online free-for-all for hackers and web designers looking to cash in (or teach a lesson or two).

LinkedIn confirmed in a Wednesday statement that some passwords were compromised. Passwords of members who were affected will no longer work and they will receive an e-mail with instructions on how to reset them, the company said.

“There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link,” the statement said.

Within hours, LinkedIn users began receiving fake emails directing them to confirm their e-mail address through a link provided in the body of the message.

“Because similar emails have been circulating for some time it is hard to say if this is an example of a coordinated scam designed to leverage the security breach made public today, or simply a coincidence… Sadly, we are likely to see more of these emails as LinkedIn tries to rebuild trust among members,” wrote ESET researcher Cameron Camp earlier this week.

Several online security companies are investigating the details of the latest round of LinkedIn emails, but say that, in the meantime, users should visit the site's homepage directly if they’re worried about clicking suspicious links.

The homepage may not be any safer, though, says Web builder Chris Shiflett; at least, it wasn’t at some point in the past. Shiflett says people who visited the LinkedIn homepage “were shown a fake log in form that attempts to trick users into giving away their email password.”

Shiflett says his password was one that had been leaked and cracked, so on his blog he provided a way for other users to find out if their passwords were among those leaked. It’s pretty technical, so he and some friends created a web-friendly version.

“Cleverly, we are calling it LeakedIn. The app hashes your password using JavaScript, so your password never leaves your computer. You can verify this by viewing source, but if you prefer, you can also just provide your hash. We'll let you know if your password is one of the 6.5 million that were leaked as well as if it has already been cracked,” he writes.
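The check described above, as an added example that is not LeakedIn's code or part of the original article: the password is hashed locally and only the hash is looked up. It assumes unsalted SHA-1 and a zeroed five-digit prefix on cracked entries, as was publicly reported for this dump; `sha1Hex`, `checkHash`, `checkPassword` and `SAMPLE_DUMP` are names chosen for illustration.

```javascript
// Added example, not LeakedIn's code. SHA-1 in plain JavaScript, so hashing runs locally.
function sha1Hex(text) {
  const bytes = Array.from(new TextEncoder().encode(text));
  const bitLen = bytes.length * 8;
  bytes.push(0x80);                                   // padding: a 1 bit, then zeros
  while (bytes.length % 64 !== 56) bytes.push(0);
  for (let i = 7; i >= 0; i--) bytes.push(Math.floor(bitLen / 2 ** (8 * i)) & 0xff); // 64-bit length
  const rotl = (x, n) => (x << n) | (x >>> (32 - n));
  let h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0];
  for (let off = 0; off < bytes.length; off += 64) {
    const w = [];
    for (let t = 0; t < 80; t++) {
      const p = off + 4 * t;
      w[t] = t < 16
        ? (bytes[p] << 24) | (bytes[p + 1] << 16) | (bytes[p + 2] << 8) | bytes[p + 3]
        : rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1);
    }
    let [a, b, c, d, e] = h;
    for (let t = 0; t < 80; t++) {
      const [f, k] = t < 20 ? [(b & c) | (~b & d), 0x5a827999]
        : t < 40 ? [b ^ c ^ d, 0x6ed9eba1]
        : t < 60 ? [(b & c) | (b & d) | (c & d), 0x8f1bbcdc]
        : [b ^ c ^ d, 0xca62c1d6];
      const tmp = (rotl(a, 5) + f + e + k + w[t]) | 0;
      [e, d, c, b, a] = [d, c, rotl(b, 30), a, tmp];
    }
    h = [h[0] + a, h[1] + b, h[2] + c, h[3] + d, h[4] + e].map((x) => x | 0);
  }
  return h.map((x) => (x >>> 0).toString(16).padStart(8, '0')).join('');
}

// Assumption: cracked entries in the dump have their first five hex digits zeroed.
function checkHash(hash, dumpHashes) {
  const h = hash.trim().toLowerCase();
  if (!/^[0-9a-f]{40}$/.test(h)) throw new Error('expected a 40-character hex SHA-1 hash');
  if (dumpHashes.has('00000' + h.slice(5))) return 'cracked';
  return dumpHashes.has(h) ? 'leaked' : 'not found';
}

// Only the hash would ever be sent to a lookup service; the password stays in this function.
function checkPassword(password, dumpHashes) {
  return checkHash(sha1Hex(password), dumpHashes);
}

// Constructed sample dump: SHA-1("password") masked as cracked, SHA-1("abc") intact.
const SAMPLE_DUMP = new Set([
  '000001e4c9b93f3f0682250b6cf8331b7ee68fd8',
  'a9993e364706816aba3e25717850c26c9cd0d89d',
]);
```

Under the masking assumption, a hash that naturally begins with `00000` cannot be distinguished from a cracked entry, so `checkHash` reports it as cracked.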

Security experts recommend all LinkedIn users change their passwords immediately if they haven’t already. Shiflett says that since LinkedIn doesn’t know how the leak happened and hasn’t fixed anything yet, people should assume their new passwords are compromised too.

Visit LeakedIn here: http://leakedln.org/.
