LinkedIn Passwords Used for Phishing

Posted by Sam Churchill on

After hackers posted millions of hashed LinkedIn passwords to a Russian hacker site on Wednesday, criminals used news of the breach to trick unsuspecting users into downloading malware that is used for financial gain.

LinkedIn posted the following message on its blog yesterday:

We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:

  • Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
  • These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
  • These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

Shortly after the breach surfaced, LinkedIn users began receiving e-mails from what, at first glance, looked like LinkedIn. The e-mails asked users to confirm their e-mail address by clicking on an embedded link. But the link took users to scam sites, such as an illegal online pharmaceutical site that sells Viagra and other products.

Several security researchers confirmed that the e-mails were scams and advised users to avoid clicking on any links in e-mails from LinkedIn and to only navigate to the site by typing directly into their browsers.
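The scam e-mails described above work because the visible text of a link says one thing while the underlying destination says another. The following is an added example, not code from the original post or from LinkedIn, of the check a mail filter or a cautious reader can apply: extract every anchor from the message body, compare the real destination host against the expected sender domain, and flag links whose displayed URL does not match where they actually point. The message body and the domain names in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: reads like a LinkedIn confirmation notice, but the
# first link's destination is not LinkedIn. ".invalid" is a reserved TLD, so
# the host below is a placeholder and resolves nowhere.
SAMPLE_EMAIL_HTML = """
<p>Dear member, please confirm your email address.</p>
<p><a href="http://pharma-example.invalid/confirm?u=123">http://www.linkedin.com/confirm</a></p>
<p><a href="https://www.linkedin.com/help">LinkedIn Help</a></p>
"""

EXPECTED_DOMAIN = "linkedin.com"


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def audit_links(html: str, expected_domain: str = EXPECTED_DOMAIN) -> list:
    """Return one finding per suspicious anchor.

    Two independent signals are checked:
      1. the real destination host lies outside the expected sender domain;
      2. the visible link text is itself a URL whose host differs from the
         real destination (the classic display/destination mismatch).
    """
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if not belongs_to(target, expected_domain):
            reasons.append("destination outside expected domain")
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != target:
            reasons.append("displayed URL does not match destination")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL_HTML):
        print(finding)
```

The second signal is the one worth keeping even when the sender domain is unknown: an anchor whose visible text is a URL for one host while its `href` points at another is almost never legitimate, which is also why the advice to type the address into the browser rather than click works.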

If users have not already, they should immediately change their LinkedIn password and the password to any other site where they might have used the same password.

Some 6.46 million hashed LinkedIn passwords were reportedly leaked. Many of them, including many that could be considered strong, have since been cracked, either by brute force or by lookup against precomputed tables.

The primary cause is LinkedIn’s failure to properly ‘salt’ the SHA-1 password hashes, according to ZDNet. SHA stands for “secure hash algorithm”; the SHA family was designed by the United States National Security Agency and published by the United States NIST as a U.S. Federal Information Processing Standard.

The MD5 password hash is “no longer considered safe” according to its original developer. Danish developer Poul-Henning Kamp, who wrote the widely used MD5 password hash algorithm, said that limitations of his software and the corresponding increase in computing power since its initial release have rendered the algorithm obsolete. The MD6 Message-Digest Algorithm is a more secure follow-on.
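The two preceding paragraphs make two separate points: an unsalted hash gives every user who chose the same password the same digest, so one precomputed table covers the whole dump, and a fast hash becomes cheaper to brute-force every year. The following added example (not code from the original post or from LinkedIn) shows both side by side using only the Python standard library: the unsalted SHA-1 scheme the article attributes to LinkedIn, and a per-user random salt combined with an iterated hash (PBKDF2-HMAC-SHA256) as the remedy. The usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts. Two users share a password on purpose.
USERS = {
    "alice": "summer2012",
    "bob": "summer2012",
    "carol": "Tr0ub4dor&3",
}


def sha1_unsalted(password: str) -> str:
    """The storage scheme described in the article: one SHA-1 digest of the
    password alone, with no per-user input mixed in."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_table_hits(dump: dict, candidates: list) -> dict:
    """Why unsalted hashes fall to lookups: digests for a candidate list are
    computed once and then matched against every account in the dump, because
    identical passwords always produce identical digests."""
    table = {sha1_unsalted(p): p for p in candidates}
    return {user: table[d] for user, d in dump.items() if d in table}


def hash_salted(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus an iterated hash. The record is stored as
    'iterations$salt$digest' so the verifier can recover its own parameters
    and the iteration count can be raised later as hardware gets faster."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    """Returns (lookup hits against the unsalted dump,
                whether alice and bob now have distinct records,
                whether every user still verifies against the salted records)."""
    unsalted_dump = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted_dump = {u: hash_salted(p) for u, p in USERS.items()}

    # One small table recovers every account that used a listed password.
    hits = lookup_table_hits(unsalted_dump, ["password", "summer2012", "linkedin"])

    # With salts, the shared password no longer yields a shared digest, so no
    # single table applies to the whole dump, and verification still works.
    distinct = salted_dump["alice"] != salted_dump["bob"]
    ok = all(verify_salted(p, salted_dump[u]) for u, p in USERS.items())
    return hits, distinct, ok


if __name__ == "__main__":
    hits, distinct, ok = demo()
    print("unsalted accounts recovered by lookup:", hits)
    print("salted records for alice and bob differ:", distinct)
    print("all users verify against salted records:", ok)
```

The salt is what defeats the shared lookup table; the iteration count is what answers the computing-power argument made about MD5, since each guess against one account costs the attacker as much work as it costs the verifier. Storing the parameters alongside the digest is what lets a site migrate to a stronger setting without another breach-driven reset.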

Posted by Sam Churchill on Thursday, June 7th, 2012 at 5:32 am.
