by Andy Greenberg, Forbes, Inc.
The news came today that LinkedIn's security was breached and hackers had posted passwords online. Changing passwords regularly is a good idea, but, as this article from Forbes.com shows, it may be necessary to change them more than once.
For a Web firm like LinkedIn, there’s a fate worse than confessing to a massive security breach: Failing to detect an ongoing one.
Hours after reports surfaced Wednesday that LinkedIn had suffered an intrusion by Russian hackers who leaked 6.5 million of the site's passwords, LinkedIn has yet to confirm that it has either found or remediated the problem. "Our team is currently looking into reports of stolen passwords. Stay tuned for more," the company wrote in its Twitter feed around 6am Pacific time Wednesday. Around 9am, it still hadn't confirmed the leak: "Our team continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred. Stay tuned here."
Despite LinkedIn's lack of a definitive response, two security firms, Sophos and Rapid7, have already confirmed the breach by finding users' passwords in the leaked file posted online by hackers, according to the Wall Street Journal's CIO Journal.
The file posted online by hackers contained 6.46 million LinkedIn passwords stored in a "hashed" form designed to be indecipherable if breached. But the company failed to "salt" its hashes, a process that adds random values to the data before hashing and makes the result far harder to crack. It may be only a matter of time until users' passwords are successfully unscrambled; posts to some password-cracking forums indicated that as many as 300,000 of the passwords may have already been deciphered.
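To make the salting point concrete, here is an added example (not code from the article or from LinkedIn) that contrasts a bare, unsalted hash with a per-user salted and iterated hash, and adds two defender-side checks a team could run over its own stored-hash file: the share of hashes that repeat (identical hashes mean identical passwords, which only happens without a salt) and the share that match a precomputed table of common passwords. The sample passwords and the "common password" list are constructed for the example; the algorithm choices (SHA-1 for the weak case, PBKDF2-HMAC-SHA256 for the hardened case) are this example's own assumptions, not a statement of what LinkedIn used.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed sample of user passwords for the demo (not taken from any leak).
SAMPLE_PASSWORDS: List[str] = ["password123", "letmein", "password123", "correct horse"]

# Constructed list standing in for a short "most common passwords" table.
COMMON_PASSWORDS: List[str] = ["password123", "letmein", "qwerty"]

ITERATIONS = 20_000  # kept small so the example runs quickly; use far more in production


def unsalted_hash(password: str) -> str:
    """The weak scheme the article describes: one fast hash, no salt.

    The same password always yields the same hash, so a precomputed table
    of hashes for common passwords recovers it instantly.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[str, str]:
    """Hardened scheme: a random per-user salt plus an iterated hash.

    Returns (salt_hex, hash_hex). Both are stored; the salt is not secret,
    it only forces an attacker to attack every user separately.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex(), derived.hex()


def verify_salted(password: str, salt_hex: str, stored_hex: str,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, computed = salted_hash(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(computed, stored_hex)


def duplicate_hash_ratio(hashes: Iterable[str]) -> float:
    """Fraction of entries whose hash appears more than once.

    In an unsalted store every reuse of a popular password shows up as an
    identical hash; with per-user salts the ratio is essentially zero. A
    high value in your own password table is a sign that salting is absent.
    """
    hashes = list(hashes)
    counts = Counter(hashes)
    duplicated = sum(c for c in counts.values() if c > 1)
    return duplicated / len(hashes) if hashes else 0.0


def common_password_hit_ratio(hashes: Iterable[str], common: Iterable[str]) -> float:
    """Fraction of stored hashes that equal the unsalted hash of a common password.

    This is the self-audit a defender can run: a non-zero result on an unsalted
    store means those accounts fall to a lookup table with no cracking effort.
    Against a salted store the table never matches, which is the whole point.
    """
    hashes = list(hashes)
    table = {unsalted_hash(p) for p in common}
    hits = sum(1 for h in hashes if h in table)
    return hits / len(hashes) if hashes else 0.0


if __name__ == "__main__":
    weak = [unsalted_hash(p) for p in SAMPLE_PASSWORDS]
    strong = [salted_hash(p)[1] for p in SAMPLE_PASSWORDS]
    print("unsalted: duplicates %.2f, common-password hits %.2f"
          % (duplicate_hash_ratio(weak), common_password_hit_ratio(weak, COMMON_PASSWORDS)))
    print("salted:   duplicates %.2f, common-password hits %.2f"
          % (duplicate_hash_ratio(strong), common_password_hit_ratio(strong, COMMON_PASSWORDS)))
```

Run stand-alone, the unsalted column shows both ratios well above zero for the constructed sample, while the salted column shows zero for both, even though the underlying passwords are identical. The salt alone does not make a weak password strong; it removes the shared precomputation that makes a bulk leak so cheap to attack, and the iteration count slows each individual guess.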
Many security experts have recommended that users change their passwords. But if LinkedIn's hackers still have hidden access to the company's servers, that may not be enough. "If LinkedIn hasn't been able to confirm the breach, they haven't fixed it either," wrote Twitter's security and cryptography guru Moxie Marlinspike in his Twitter feed. "You can change your PW, but attackers can just get it again."