Your online job resume may not be so secure, with business networking site LinkedIn confirming that user passwords were stolen and uploaded online.
A file containing 6,458,020 hashed user passwords appeared on a Russian forum earlier today. The file did not contain any usernames with the passwords and it is unknown whether that information was obtained as well.
LinkedIn investigated the file and in a blog post confirmed that it contains actual user passwords.
"We want to provide you with an update on this morning's reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts."
The passwords in the uploaded file are stored as unsalted SHA-1 hashes. While SHA-1 is generally a secure algorithm, it can still be decrypted.
The password hashes also lack an extra layer of encryption that is provided by salting, which helps to protect against common hacking attempts from a list of likely passwords, known as a dictionary attack.
Are you at risk?
LinkedIn has taken three steps in response to the attack.
First, effected passwords have been invalidated. This means that users whose passwords are part of the file will have a prompt to change their password next time they sign in to LinkedIn.
Second, an email has been sent out to those users explaining the password reset process. LinkedIn notes that these emails will not include any links, and will have users requesting password assistance to ensure that uses distinguish it from potential scams due to the stolen passwords.
Finally, those users will receive a second email further explaining the situation regarding why their password needs to be reset.
LinkedIn also confirmed that it has put in place new security measures that include salting and hashing its existing password databases.
For help coming up with a new password, check out our guide on how to make your password more secure.
