URGENT: The LinkedIn Password Leak (Hack) is MUCH Worse Than You Think

John P. (Wreck it Ralph), June 7, 2012, News, 14 Comments

Today, after widespread reporting that a Russian hacker had posted 6.5 million LinkedIn passwords on the Internet, the company officially confirmed the breach and urged users to log in and change their passwords. But no one has yet talked about the incredible threat that remains even after users do update their password on LinkedIn – the vulnerability that remains on every other service that shares the same user login details.

In the past I've written about How I'd Hack Your Weak Passwords, and the most important thing to consider is the fact that most people use the same login name and password combination for many or all of the sites they log into. And hackers know this very well.

Most people think that in the grand scheme of things, losing your LinkedIn account is not a big deal. After all, what are they going to do – post some porn on your profile? But if you stop and think about it, LinkedIn uses your email address and password as a matching combination to get into their safe. And so do many other sites – Amazon.com for example. Or maybe your email account?

The value in obtaining the LinkedIn password list is not the fact that they can access your social media account. It's all the other stuff they can do with your password combination.

Let's look at a real example. Let's suppose you are one of the 350 million Google Mail users, and you used that email, and your same password, to create your LinkedIn account. Well, now a hacker can do the following:

- Obviously, get into your LinkedIn account.
- Access your Gmail account and read all your mail.
- Attempt to log into your bank (or Amazon or ANY other account configured with your Gmail account as the primary email), and even if you have a different password they can send a password reset request to YOUR email, at which point they can change your password, locking you out and getting access simultaneously.
- They could now go through and have replacement credit cards sent to another address after changing it online, and then go through taking over the rest of your life.

So, with this one simple breach, a hacker can now order merchandise from your Amazon account, transfer money out of your bank, blackmail you with those private emails they found, and much, much more…

The only response for those 6.5 million users is to immediately log in and change your password, not only on the LinkedIn site, but on ALL sites that use that password and login combination. So please, for the love of God, protect yourself now – and help spread the word so others can take appropriate action too.

14 Responses

Phil, June 7, 2012
This is why you use a different password on every website. Ideally it should be made up of random letters and numbers. I love having Keepass for this. It generates passwords for you and stores them in an encrypted file. Put that file in Dropbox and you have access to it on all of your computers, phones, tablets, etc.

Alastair, June 7, 2012
I'm a big fan of Keepass myself – works brilliantly in portable mode with Dropbox.

Vladimir, June 8, 2012
Why wouldn't you automate the use of your passwords instead of just encrypting them? You can still have them safely stored on a portable smartcard (which is a hacker-proof device) and back them up to an encrypted file. Secure storage is half of the deal – the software we develop offers 100% automation of the password request across Windows and web clients. This way you don't need to know, remember or type any passwords – the software will do it for you right from a secure portable smartcard storage.
http://www.securesystems.lv/controlsphere.htm

Jeffrey, June 7, 2012
Thanks for the insights. While I do use a (probably very weak) system for having a unique password on every site, I also use 2-step verification on my Gmail account. How much does that extra security step help to stop what a hacker could do with my LinkedIn password & email address? Is there a method to getting access to more of my logins even if a hacker can't actually get into my email account?

John P. (Wreck it Ralph), June 7, 2012
Jeffrey,
Those extra steps will probably keep you safe, as having a different password on each site will take care of automated hacking attempts. The only other good way to get your email addresses would be to breach your computer, and if you had them stored in a document you'd be vulnerable. So turn on the firewall on your router, and keep your antivirus software up to date if you're on a PC for sure!
John P.

Alastair, June 7, 2012
Just a warning on the 2-step verification on your Gmail account: hackers got into the Gmail account of the CloudFlare CEO (google it) despite his use of 2-step verification. It's believed they had discovered his cellphone number and either hacked or social engineered AT&T support staff into giving access.

Jason, June 7, 2012
+1 to Phil … I use LastPass, myself, and was happy to see that my LinkedIn password was the only time that password was used, so I just had to reset that and not worry about it. Also, you can mitigate your concerns about your Google/Gmail account by turning on 2-step authentication.

John, June 7, 2012
Quite some time ago I stopped using stupid/repeated passwords. But it wasn't until the Gawker problem (about a year ago) that I decided I had to take control over the usernames as well. Since web sites usually force them to be email addresses, I went to GoDaddy and got 100 email addresses that I alias back to the same address. This way, whenever I make a new account on a web site, I first create a unique email alias and then use that to register. I already did this for LinkedIn, so no worries — my "username" there was unique!

Kim Attree, June 7, 2012
I have the password file already, and it's simple SHA1 hashes only – no email addresses, so combining a list of 6.1 million unique passwords with unknown mail addresses is about as useful as any bloated wordlist brute-force hack. Without the email address linked to the password hash, things are more difficult than this article describes…

John P. (Wreck it Ralph), June 7, 2012
Kim,
You are assuming that a list which contains both passwords and email addresses does not exist. That is a bad assumption. I would bet BIG money they have both, but why would they give them to you for free when there is real money to be made selling them on the black market? Right now I'm sure they are taking bids from criminals for access to that list, and as soon as they get what they want they'll sell it. It's definitely as bad as I said it is…
John P.

Erik Boles, June 7, 2012
This is a common problem: I either use a simple password and use it everywhere, or I use multiple complex passwords, which I cannot remember, or I write them down, which historically has been a no-no. As a Security Engineer with 23 years' experience (currently working for McAfee/Intel) I used to preach the following solution when speaking at conferences: use complex passwords, one per system, and write them down and put them in your wallet or purse. If your wallet or purse gets stolen, you immediately go into accountant mode. "What was in there?!" you ask. Then you start calling banks, credit card companies, etc. If you have your passwords in there, that will be the next thing on your list. This has gotten even easier now with many different mobile apps and desktop apps that manage passwords for you, very securely. In short, with all the tools at your disposal, if you are sharing simple passwords amongst systems, you will get compromised, and you probably won't do it again.
Erik Boles
http://twitter.com/ErikBoles

Terry, June 7, 2012
I found it easier to have unique passwords if I create them using the same method. For example (not my combination, BTW):
- Last 4 letters of the site with the last letter in caps (Geekbeat = Beat)
- Last 3 letters of my middle name (Ebenezer = zer)
- 1 number based on the number of letters in the site's title (Geekbeat = 8)
- Symbol that is directly above the first letter of the site on the keyboard (G = %)
So Geekbeat would be Beatzer8%, YouTube would be Tubezer7^
*Not my exact method, so those are not close to my passwords

Chuck, June 7, 2012
Excellent points. I recently changed all my main, most important passwords to something much more difficult to figure out. I still have many out there with the same password but nothing too critical, and am slowly going to them and updating them. I have not seen a LinkedIn email yet so it seems I was not one of the 6.5 million; still, I changed it.

Paul Kelly, June 12, 2012
I'm unsure about this being a problem. I use one email/password combination for all my non-fiscal, one password for my primary email, and a few for my transactional. It still seems ludicrous to expect people to change passwords extremely frequently or not repeat passwords across many non-fiscal accounts. Amazon, for example, would only allow a hacker to ship items to my house or apartment without asking for another set of info.
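Kim's comment above notes that the leaked file is unsalted SHA1 hashes with no email addresses. The added example below (not part of the post or any comment) shows the defensive use of such a file: hash the passwords from your own password manager and see which appear in the dump, because every hit marks a password that must be rotated on every site where it is reused, which is the post's central point. The dump, the password list and the site names are constructed; a per-user salt is included to show why the same shared lookup fails against salted storage.

```python
import hashlib
import os


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, hex encoded: the scheme Kim's comment
    describes. Every user with the same password gets the same hash, so one
    lookup table built from any password list matches all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked file: one hex hash per line, no email
# addresses. Generated here from made-up passwords so the example runs offline.
_CONSTRUCTED_DUMP_PASSWORDS = ["linkedin", "Password1", "summer2012", "letmein"]
LEAKED_DUMP = "\n".join(sha1_hex(p) for p in _CONSTRUCTED_DUMP_PASSWORDS) + "\n"


def load_dump(text: str) -> set:
    """Parse a hash-per-line dump into a set for constant-time membership tests."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def exposed_passwords(my_passwords: dict, dump: set) -> dict:
    """Return {site: password} for every entry whose unsalted SHA-1 is in the
    dump. Each hit is an account to rotate, LinkedIn or not: a reused password
    that is in the dump is exposed everywhere it is used."""
    return {site: pw for site, pw in my_passwords.items() if sha1_hex(pw) in dump}


def salted_hash(password: str, salt: bytes) -> str:
    """The same hash with a per-user random salt (a toy scheme for contrast;
    real systems should use bcrypt, scrypt or argon2)."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def salt_defeats_shared_table(password: str, dump: set) -> bool:
    """True when the unsalted hash is found in the dump but a salted hash of
    the same password is not: one precomputed table no longer fits every user."""
    unsalted_hit = sha1_hex(password) in dump
    salted_hit = salted_hash(password, os.urandom(16)) in dump
    return unsalted_hit and not salted_hit


if __name__ == "__main__":
    # Constructed password-manager export: one password reused on three sites.
    mine = {"linkedin.com": "summer2012", "gmail.example": "summer2012",
            "shop.example": "summer2012", "bank.example": "c0rrect-h0rse-9x"}
    for site in sorted(exposed_passwords(mine, load_dump(LEAKED_DUMP))):
        print(f"rotate {site}: its password appears in the leaked hash list")
```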