After hackers posted millions of encoded LinkedIn passwords to a Russian hacker site on Wednesday, criminals used news of the breach to trick unsuspecting users into downloading malware that can be used to extract financial gain.
LinkedIn posted the following message on their blog, yesterday:
We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
Shortly after the breach surfaced, LinkedIn users began receiving e-mails from what, at first glance, looked like LinkedIn. The e-mails asked users to confirm their e-mail address by clicking on an embedded link. But the link took users to scam sites, such as an illegal online pharmaceutical site that sells Viagra and other products.
Several security researchers confirmed that the e-mails were scams and advised users to avoid clicking on any links in e-mails from LinkedIn and to only navigate to the site by typing LinkedIn.com directly into their browsers.
If users have not already, they should immediately change their LinkedIn password and the password to any other site where they might have used the same password.
Some 6.46 million LinkedIn encrypted passwords were reportedly hacked. The passwords, including many that could be considered strong, have been decrypted, either through brute force or through lookups.
The primary cause is LinkedIn’s failure to properly ’salt’ the hashed passwords using SHA-1 encryption, according to ZDNet. Designed by the United States National Security Agency and published by the United States NIST as a U.S. Federal Information Processing Standard, SHA stands for “secure hash algorithm.
MD5 encryption is “no longer considered safe” by the original software developer. Danish developer Poul-Henning Kamp, who developed the widely used MD5 password hash algorithm, said that limitations to his software and a corresponding increase in computing power since its initial release has rendered algorithm obsolete. The MD6 Message-Digest Algorithm is a more secure follow-on.