LONDON (AP) — Business social network LinkedIn and online dating service eHarmony said Wednesday that some of their users' passwords were stolen and millions appear to have been leaked onto the Internet.
LinkedIn Corp. did not say how many of the more than six million passwords that were distributed online corresponded to LinkedIn accounts. In a blog post Wednesday, the company said it was continuing to investigate.
Graham Cluley, a consultant with U.K. Web security company Sophos, recommended that LinkedIn users change their passwords immediately.
LinkedIn has a lot of information on its more than 160 million members, including potentially confidential information related to jobs being sought. Companies, recruiting services and others have accounts alongside individuals who post resumes and other professional information.
Later Wednesday, eHarmony said the passwords of a "small fraction" of its users had been compromised. The site, which says it has over 20 million registered online users, did not say how many had been affected. But tech news site Ars Technica said it found about 1.5 million passwords leaked online that appeared to be from eHarmony users.
The dating service said on its blog that it had reset the passwords of the affected users, who would receive an email with instructions on how to set new passwords. It recommended all its users adopt "robust" passwords.
There's added concern that many people use the same password on multiple websites, so whoever stole the data could use the information to access Gmail, Amazon, PayPal and other accounts, Cluley said.
Before confirming the breach, LinkedIn issued security tips as a precautionary measure. The company said users should change passwords at least every few months and avoid using the same ones on multiple sites.
LinkedIn also had suggestions for making passwords stronger, including avoiding passwords that match words in a dictionary. One way is to think of a meaningful phrase or song and create a password using the first letter of each word.
Cluley said hackers are working together to break the encryption on the passwords.
"All that's been released so far is a list of passwords and we don't know if the people who released that list also have the related email addresses," he said. "But we have to assume they do. And with that combination, they can begin to commit crimes."
It wasn't known who was behind such an attack.
LinkedIn's blog post had few details about what happened. It said compromised passwords have been deactivated, and members with affected accounts will be sent emails with further instructions.
While the passwords appear to be encrypted, security researcher Marcus Carey warned that users should not take solace from such security measures.
"If a website has been breached, it doesn't matter what encryption they're using because the attacker at that point controls a lot of the authentication," said Carey, who works at security-risk assessment firm Rapid7. "It's 'game over' once the site is compromised."
Cluley warned that LinkedIn users should be careful about malicious email generated around the incident. The fear is that people, after hearing about the incident, would be tricked into clicking on links in those emails. Instead of taking them to the real LinkedIn site to change a password, the link would go to a scammer, who can then collect the information and use it for criminal activities.
LinkedIn said its emails will not include any links.
Shares of LinkedIn, which is based in Mountain View, Calif., gained 8 cents to close Wednesday at $93.08.
EHarmony is a private company based in Santa Monica, Calif.
Resource : Yahoo News