On Wed, Jun 6, 2012 at 9:33 PM, Lynda <shr...@deaddrop.org> wrote:

> Sorry to be the bearer of such bad tidings. Please note that I'm doing a
> quick copy/paste from a notification I received. I've edited it a bit.
>
> Please note that LinkedIn has weighed in with a carefully worded blog post:
>
> http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
>
> Further details:
> 1. The leak took place on June 4
> 2. LinkedIn was using unsalted SHA-1 for their password store.

Raising the issue of why LinkedIn hasn't adopted the latest security wrinkles
from 1978. ( http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps )

> 3. FYI, there are two lists. The second one appears to be from eHarmony.
> Unsalted MD5 used there.

Ditto. Normally I would complain about the use of MD5, but what's the point.

Regards
Marshall

> 4. The posted passwords are believed to be ones the cracker wanted help
> with, i.e., they have significantly more already cracked.
>
> Apparently phishing emails are already active in the wild based on the
> crack:
>
> http://bits.blogs.nytimes.com/2012/06/06/that-was-fast-criminals-exploit-linkedin-breach-for-phishing-attacks/
>
> In other words, if you have a LinkedIn account, expect that the password has
> been stolen. Go change your password now. If you used that password
> elsewhere, you know the routine. In addition, as has been pointed out
> elsewhere, there's no sign LI has fixed the problem. Expect that the
> password you change it to will also be compromised.
>
> :-(
>
> --
> A picture is worth 10K words -- but only those to describe
> the picture. Hardly any sets of 10K words can be adequately
> described with pictures.
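The thread's two technical points are that LinkedIn stored unsalted SHA-1 and that per-user salting has been standard practice since the 1978 Unix password paper Marshall links. The following is an added illustration, not code from either poster or from LinkedIn, showing why that matters on the defender's side: with an unsalted hash, every user who chose the same password gets the same digest, so one recovered password (or one precomputed table) exposes all of them, whereas a per-user random salt plus a slow, iterated KDF (PBKDF2 via the standard library here; the iteration count is an assumption to be tuned per deployment) gives each record a distinct digest and a constant-time verifier. The three sample accounts are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential store for illustration only: (username, plaintext).
# Two users deliberately share a password.
SAMPLE_USERS = [
    ("alice", "linkedin2012"),
    ("bob", "linkedin2012"),    # same password as alice
    ("carol", "correct horse"),
]


def unsalted_sha1(password: str) -> str:
    """The kind of store the thread describes: one SHA-1 over the password alone."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def count_linkable_hashes(users) -> int:
    """Number of users whose unsalted digest equals another user's digest.

    Each such user is exposed the moment any one of them is recovered, and a
    single precomputed table serves against the whole store at once.
    """
    digests = [unsalted_sha1(pw) for _, pw in users]
    return sum(1 for d in digests if digests.count(d) > 1)


# Assumption: a PBKDF2 work factor chosen for this example; size it to your own hardware budget.
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, iterated record in the spirit of the 1978 crypt(3) design:
    a fresh random salt per user and a deliberately slow key derivation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def salted_records_distinct(users) -> bool:
    """With per-user salts, identical passwords no longer yield identical digests."""
    records = [make_record(pw) for _, pw in users]
    return len({r["digest"] for r in records}) == len(records)


if __name__ == "__main__":
    print("users linkable by unsalted SHA-1:", count_linkable_hashes(SAMPLE_USERS))
    print("salted digests all distinct:", salted_records_distinct(SAMPLE_USERS))
    rec = make_record("linkedin2012")
    print("verify correct password:", verify(rec, "linkedin2012"))
    print("verify wrong password:", verify(rec, "linkedin2013"))
```

The salt is stored in the clear next to the digest; its job is not secrecy but to force work per user rather than per store. The iteration count is what replaces the "what's the point" of choosing between MD5 and SHA-1: a fast hash, salted or not, is still a fast hash.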