Business social networking site LinkedIn and online dating service eHarmony warned that some of their users’ passwords had been breached. Millions of passwords appear to have been leaked onto the Internet.
A Russian forum user by the name of “dwdm” claims he has hacked LinkedIn, uploading 6,458,020 encrypted passwords (without usernames) as proof, according to Mashable.
The stolen passwords are circulating in the form of cryptographic “hashes,” reports The Telegraph; a hash function converts text into a seemingly random string of numbers and letters using a mathematical formula.
The hacker appealed for help from fellow hackers to crack the hashes and access the original passwords on Tuesday. By Wednesday morning they claimed to have revealed hundreds of thousands.
Both companies declined to say how many accounts had been breached when they disclosed the breaches in statements issued on Wednesday, writes Reuters.
LinkedIn, which made its stock debut last year, is a social network company that caters to companies seeking employees and people scouting for jobs. It has more than 161 million members worldwide who use it to form professional connections and post their CV online.
The company said it was investigating the claims, which spread quickly and began trending on Twitter on Wednesday afternoon.
“Our team is currently looking into reports of stolen passwords. Stay tuned for more,” the company posted on Twitter.
A later post read: “Our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred. Stay tuned here.”
“While LinkedIn is investigating the breach, the attackers may still have access to the system,” Marcus Carey, security researcher at Boston-based Rapid7, warned.
“If the attackers are still entrenched in the network, then users who have already changed their passwords may have to do so a second time,” he added.
At the same time experts claim that the company had failed to use best practices for protecting the data.
According to the experts who examined the files containing the LinkedIn passwords, LinkedIn used a vanilla, or basic, technique for encrypting (scrambling) the passwords. Once the hackers figured out the formula by which any single password had been encrypted, that same formula let them quickly unscramble all of the passwords.
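The following is an added illustration, not code from the article or from LinkedIn, of why a “vanilla” hashing scheme is so much weaker than the salted, slow scheme the experts are alluding to. The article does not say which algorithm LinkedIn used; SHA-256 and PBKDF2-HMAC-SHA256 below are chosen for illustration only, and the user table is constructed sample data. In the unsalted scheme, two users with the same password get the same digest, and one digest computed per candidate password is enough to check an entire leaked list; with a per-user random salt and a deliberately slow derivation, every account must be attacked separately.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Set

# Constructed sample credential store (not real data): two users chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "summer2012",
    "bob": "summer2012",
    "carol": "correct horse battery",
}

PBKDF2_ITERATIONS = 100_000  # illustrative work factor; tune for your hardware


def unsalted_hash(password: str) -> str:
    """The 'vanilla' approach: one fast, unsalted digest of the password.

    The same password always yields the same digest, so every account that
    shares a password is exposed by a single successful guess, and a table of
    digests computed once can be reused against the whole leaked list.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a deliberately slow derivation (PBKDF2-HMAC-SHA256).

    Returns 'salt_hex$digest_hex' so the salt is stored alongside the digest.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(dk.hex(), digest_hex)


def duplicate_digest_count(users: Dict[str, str], hash_fn: Callable[[str], str]) -> int:
    """How many stored digests repeat, i.e. how many accounts are linkable by password alone."""
    digests = [hash_fn(pw) for pw in users.values()]
    return len(digests) - len(set(digests))


def audit_unsalted_store(store: Dict[str, str], common_passwords: List[str]) -> Set[str]:
    """Defender-side check: which accounts in an unsalted store use a known-common password.

    One digest per candidate is enough to test the entire store, which is exactly
    why an unsalted scheme lets a leaked list be unscrambled so quickly.
    """
    lookup = {unsalted_hash(pw): pw for pw in common_passwords}
    return {user for user, digest in store.items() if digest in lookup}


if __name__ == "__main__":
    unsalted_store = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    print("duplicate unsalted digests:", duplicate_digest_count(SAMPLE_USERS, unsalted_hash))
    print("duplicate salted digests:  ", duplicate_digest_count(SAMPLE_USERS, salted_slow_hash))
    print("accounts on a common-password list:", audit_unsalted_store(unsalted_store, ["summer2012", "password"]))
```

Run as a script it reports one duplicate digest in the unsalted store (alice and bob), none in the salted store, and flags both alice and bob from a two-entry common-password list. The same audit against a salted store would require a full slow derivation per user per candidate, which is the cost a proper scheme imposes on anyone holding a leaked copy.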
Santa Monica-based dating service eHarmony, which has more than 20 million registered online users, said in a blog post that it has reset affected members’ passwords.
“After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected,” eHarmony wrote on its blog. “We are continuing to investigate… as a precaution, we have reset affected members’ passwords.”
The company said the affected members will receive an email with instructions on how to reset their passwords.
“Please be assured that eHarmony uses robust security measures, including password hashing and data encryption, to protect our members’ personal information,” the company added. “We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches.”
“All that’s been released so far is a list of passwords and we don’t know if the people who released that list also have the related email addresses,” Graham Cluley, a consultant with U.K. Web security company Sophos, said. “But we have to assume they do. And with that combination, they can begin to commit crimes.”
There is also a concern that many people reuse the same password on more than one site. LinkedIn users should therefore change their passwords right now, and if the same password was used on any other online service, those passwords should be changed as well.