It seems the Iron Curtain may be re-emerging this week as password hashes posted to a Russian hacker forum first disclose 6.5m from Linkedin, followed by 1.5m from eHarmony, and then Last.fm with an undisclosed volume. Needless to say, there will be yet more sites added to this sorry list in the coming weeks. Customers are understandably concerned and annoyed. This is a security breach on a grand scale, and the set of circumstances by which the public has become aware of it is quite interesting to say the least.
It began with Linkedin when the alleged hacker published a list of 6.5m hashed passwords online. Note the word hashed rather than encrypted: a password hash cannot be decrypted, only cracked, by hashing candidate passwords and looking for a match. One may ask why he did this? The answer is quite sinister. He needs help from the hacker community. He is attempting to crowdsource computing power with which to crack the hashes. By employing dictionary and ‘brute force’ methods it becomes possible to recover most of the passwords, but the computing power required to get through the whole list is considerable. By appealing for assistance, the candidate space is split between many machines, and the passwords reveal themselves in a much shorter amount of time. This is further helped by the revelation that the hashing method used by Linkedin was not as secure as it should be and falls somewhat short of industry accepted best practice: the hashes were unsalted SHA-1, so a single hash computation per candidate password can be checked against all 6.5m entries at once, whereas a per-user salt and a deliberately slow hash would force the attacker to repeat the work for every account.
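To make the cracking mechanics concrete, here is an added example (not code from the original post, and not run against the leaked file) that builds a constructed store of unsalted SHA-1 hashes, runs a small dictionary against it, and then repeats the attack against a salted store so the difference in work is visible. The sample passwords and wordlist are made up; three of the passwords are the common choices the post mentions.

```python
import hashlib
import os


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 digest of the given bytes."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample store: unsalted SHA-1 of four passwords (three common
# choices and one long random one). Illustrative only, not leaked data.
SAMPLE_PASSWORDS = ["password", "passw0rd", "123abc", "w9$Lq2!vTz8&kR4m"]
UNSALTED_STORE = {sha1_hex(p.encode()) for p in SAMPLE_PASSWORDS}

# Constructed wordlist standing in for a cracker's dictionary.
WORDLIST = ["123456", "password", "qwerty", "passw0rd",
            "letmein", "123abc", "iloveyou"]


def crack_unsalted(store, wordlist):
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed once and looked up against every stored hash,
    so the cost is len(wordlist) hash computations however many users there
    are. Returns (cracked hash->password dict, hashes computed).
    """
    cracked, work = {}, 0
    for cand in wordlist:
        h = sha1_hex(cand.encode())
        work += 1
        if h in store:
            cracked[h] = cand
    return cracked, work


def make_salted_store(passwords, salt_len=16):
    """Per-user random salt prepended before hashing; store (salt, hash)."""
    records = []
    for p in passwords:
        salt = os.urandom(salt_len)
        records.append((salt, sha1_hex(salt + p.encode())))
    return records


def crack_salted(store, wordlist):
    """Same dictionary against salted records.

    Every candidate must be rehashed with each record's salt, so the cost
    grows as len(wordlist) * len(store) rather than len(wordlist).
    Stops early on a hit for a given record.
    """
    cracked, work = {}, 0
    for salt, h in store:
        for cand in wordlist:
            work += 1
            if sha1_hex(salt + cand.encode()) == h:
                cracked[h] = cand
                break
    return cracked, work


if __name__ == "__main__":
    found, work = crack_unsalted(UNSALTED_STORE, WORDLIST)
    print(f"unsalted: {len(found)} of {len(UNSALTED_STORE)} cracked "
          f"with {work} hash computations")
    salted = make_salted_store(SAMPLE_PASSWORDS)
    found, work = crack_salted(salted, WORDLIST)
    print(f"salted:   {len(found)} of {len(salted)} cracked "
          f"with {work} hash computations")
```

Salting alone only removes the one-hash-checks-everyone shortcut; the other half of best practice is a slow, iterated hash (bcrypt, scrypt or PBKDF2) so that each of those computations costs milliseconds rather than nanoseconds. The random password in the sample survives both attacks for the reason the post gives: it is in no dictionary, so it can only be found by exhaustive search.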
A number of people jumped to the defence of Linkedin, claiming it may be a hoax, and that the hashed passwords were not associated with any user accounts – what use is a password if you don’t know who it belongs to? However this is fairly naive as it is more than likely the hacker has those details and has chosen not to release them; after all, it is only the password cracking he needs help with. Even without the usernames, every password recovered from the list goes straight into the cracking dictionaries used against the next breach.
We managed to obtain the file the hacker was sharing and were able to determine various common password combinations that people tend to still use, such as ‘password’, ‘passw0rd’ and ‘123abc’. When we achieved this, and with no official word from Linkedin acknowledging that a hack had taken place, things started to look serious.
Eventually, over 24 hours after news had broken, Linkedin acknowledged some sort of security breach, forcing password changes for those whose passwords they believe had been leaked. It appears Linkedin has gone to great lengths to play down what we consider indefensible. Logging onto the site this morning I was presented with a brief message about it at the top of the screen which I intended to read after I had accepted some invitations. Unfortunately it was not there when I returned! It looks to me that Linkedin is more concerned with making as little noise about this as possible as opposed to being concerned about the security of its customers.
Unfortunately this won’t be the last time something like this happens, so you need to do all you can to protect yourself. Here are our recommendations for staying secure online:
- Use a different password for every site. This may sound like a bind, but it is really important. If your Linkedin password was compromised and you use it for every site you access on the Internet, attackers will simply try the same email and password combination elsewhere, and those accounts may well get hacked even though those sites themselves were never breached. Use a password manager on your mobile or desktop to keep track of all of your passwords rather than trying to remember them.
- Use a ‘strong’ password. A strong password is one that is expensive to recover by automated guessing, whether from a dictionary of common choices or by brute force over every combination. Guessability matters: anything in a dictionary, however many symbols are sprinkled in, is found in seconds, as ‘passw0rd’ shows. Beyond that, length is what makes the search space grow fastest, so make your password long, use a mix of uppercase and lowercase characters, digits and symbols, and don’t use anything that looks like a word, phrase or can be Googled from your public profile.
- Periodically change your passwords. We’ll explain the significance of this below. Changing a password does nothing against a breach you already know about unless you also stop reusing it; its value is against the breaches nobody has told you about.
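The following is an added example, not part of the original post, that puts rough numbers on the ‘strong password’ advice above. It estimates the worst-case exhaustive-search time for a password given its length and the character classes it uses, and short-circuits to zero when the password (case-insensitively) sits in a constructed dictionary, since no amount of keyspace arithmetic helps a word that is on the attacker's list. The hash rate is a parameter; the 1e9 per second used in the demonstration is an assumed figure for a fast unsalted hash on a single GPU.

```python
import math
import string

# Character classes used to estimate the alphabet an attacker must search.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32
}

# Constructed dictionary of common passwords, stored lowercase.
COMMON = {"password", "passw0rd", "123abc", "123456", "qwerty", "letmein"}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from.

    An attacker who knows (or guesses) which classes are in use only has to
    search that alphabet, so this is the base of the keyspace.
    """
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length over the password's alphabet."""
    return alphabet_size(password) ** len(password)


def brute_force_seconds(password: str, hashes_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at the given hash rate."""
    return keyspace(password) / hashes_per_second


def guess_cost_seconds(password: str, hashes_per_second: float,
                       dictionary=COMMON) -> float:
    """Crude upper bound on attacker effort in seconds.

    Returns 0.0 for a dictionary hit (found before brute force even starts),
    otherwise the exhaustive-search time. Real crackers also try case and
    symbol variations of dictionary words, so this is generous to the user.
    """
    if password.lower() in dictionary:
        return 0.0
    return brute_force_seconds(password, hashes_per_second)


def describe(password: str, hashes_per_second: float = 1e9) -> str:
    """Human-readable summary line for one password."""
    secs = guess_cost_seconds(password, hashes_per_second)
    if secs == 0.0:
        return f"{password!r}: in dictionary, cracked immediately"
    years = secs / (365 * 24 * 3600)
    return (f"{password!r}: alphabet {alphabet_size(password)}, "
            f"length {len(password)}, worst case "
            f"{secs:.3g} s ({years:.3g} years)")


if __name__ == "__main__":
    for pw in ["password", "Passw0rd", "Tr0ub4d0r", "w9$Lq2!vTz8&kR4m",
               "correct horse battery staple"]:
        print(describe(pw))
```

Two things the numbers make obvious: an eight-character password drawn from lowercase letters only is exhausted in a few minutes at the assumed rate, and adding a digit to a dictionary word (‘Passw0rd’) buys nothing because it is matched by the dictionary before the keyspace is ever searched. Doubling the length, on the other hand, squares the keyspace.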
We only know about these immense data breaches because the hackers have shown us what they have done (or, more worryingly, a fraction of what they have done). It is not unreasonable to expect that, were it not for this publicity, the hacked sites might have preferred to keep the breach quiet. It is equally reasonable to believe that breaches have occurred on other popular sites and we are none the wiser, and that is the case for changing your passwords periodically: a password you changed last month is of no use to whoever took a copy of the database last year.
If you use any of the sites mentioned in this article and have not already done so, change your passwords now, and change them anywhere else you used the same password too. Have you been inconvenienced by this, or have you had an account unlawfully exploited by a hacker? Let us know below.