6.5 Million LinkedIn Passwords May Be In Hands of Hackers
LinkedIn on Wednesday morning was still unable to confirm reports that 6.5 million user passwords had been exposed. But Sophos has discovered LinkedIn password information posted on a Russian hacker site.
"Although the data which has been released so far does not include associated e-mail addresses, it is reasonable to assume that such information may be in the hands of the criminals," Graham Cluley, senior security analyst at Sophos, wrote in his blog.
"Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords."
How Did It Happen?
We caught up with Neil Roiter, research director at Corero Network Security, to get his reaction to the news. He told us the reported LinkedIn password breach is a good reminder to use a different password for each of the Web sites you access.
"The larger question to be answered is how the hackers were able to break in and steal the passwords, and what personally identifiable information, if any, also may have been stolen," Roiter said. "People will want assurances that LinkedIn will discover how they were breached, take appropriate steps to prevent a recurrence and review their overall security practices."
SQL Injection Likely
We turned to Dave Pack, director of LogRhythm Labs, to get additional insights about the reported breach. Without specific details of the attack, he told us it's difficult to determine exactly what could have been done to help protect the sensitive data. However, he added, most database breaches are the result of a vulnerable Web application front-end being exploited using SQL injection.
"According to our research, it is extremely common for successful attackers to utilize automated SQL injection tools such as sqlmap or Havij," Pack said. "Such tools leave behind a log trail on the Web server which at first glance makes the attack appear complex, but also makes it easy to detect."
Pack offered an example: By default these tools put their own names into the User Agent string of the http requests they make. He said user agent whitelisting and blacklisting can be used to make sure automated SQL injection tools are immediately identified if they try to do Web application reconnaissance or launch an attack.
"These tools put quite a bit of SQL syntax into URL parameters. Most Web applications have no legitimate need for SQL in the actual URLs. Alarming on this syntax along with encoded variations will detect both automated tool usage as well as manual Web application attacks," Pack said.
"As soon as an attacker is identified by one of these methods their IP address should be blocked, preferably in an automated fashion. Everything that is needed to identify and stop an attack of this nature is all right there in as little as a single log entry on the Web server."
We also talked with Troy Gill, a security analyst at AppRiver. He told us that although technically no accounts have been hacked, he's sure they could be very quickly.
"It seems that the hacker has stolen a huge database of 6.5 million passwords," Gill said. "The good news is that the passwords are encrypted using SHA-1, which means the hacker will still have to exert some effort to crack them, but strong and complex passwords will take a much greater amount of time and resources than a simple password.
"Therefore, those with a complex and lengthy password will be much safer than those without. In addition, the validity of the list is still unconfirmed by LinkedIn and there is currently no evidence that the hacker obtained corresponding user names along with the passwords."