If you have a LinkedIn account, it’s time to change your password.
As my colleague Zack Whittaker at ZDNet reports, roughly 6.5 million user passwords have apparently been downloaded and made publicly available.
Graham Cluley of security firm Sophos says his company’s researchers have confirmed that the list contains actual passwords.
Via its Twitter account, LinkedIn says it is “looking into” the issue.
Let’s put this breach in perspective:
- Only a small percentage of LinkedIn users are affected. The 6.5 million accounts on the list represent a fraction of LinkedIn’s total user base of 150 million.
- The stolen passwords are hashed, which means an attacker has to crack the hashes (recover the original passwords by guessing and comparing) before they can be used. The stronger your password, the longer that cracking will take.
So the odds are low that you have been affected by this breach. But as a basic security precaution you should change your LinkedIn password immediately. And if you used those same credentials on other web sites, you should change the password there as well. (Hint: this time choose a unique, strong password for each one.)
To change your password, go to LinkedIn.com and sign in. Click your name in the upper right corner and then click Settings. That will take you to this page:
You can use the Password Change option just below your account picture and email address. Or, if you want to adjust more settings, click Account in the lower right corner to display the options shown above, and then click Change password.
Enter your old password, then enter your new, strong, unique password (and re-enter it to confirm).
You’re done with LinkedIn. But if you’ve used that password with any other account—especially for well-known services like Dropbox, Gmail, Facebook, or for e-commerce sites like Amazon or PayPal—you need to reset those passwords too, or you risk having those other accounts compromised by an enterprising data thief.
And be prepared to change your LinkedIn password again in the near future, after we learn more about what happened here and determine whether any additional credentials have been stolen.
Update: Security researcher Robert Graham confirms the password dump is real. He also adds this fascinating note:
[I]f your password is long enough (like greater than 15 characters) and complex enough, then it’s still probably safe. A 15 character SHA-1 password composed of upper/lower case with symbols and digits is too large for “brute-force” and “rainbow tables”. However, if you’ve composed it of dictionary words, then it could fall to a “mutated dictionary” attack.
This is a sorted list of unique passwords. Thus, if 50 people use the password “password”, it’ll only show up once in this list. Which it does. The password of “password” is hashed using SHA-1 to “5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8”, which appears as “000001e4c9b93f3f0682250b6cf8331b7ee68fd8” in this list.
Given what we know of people’s password habits, it’s reasonable to assume that there are millions of easy-to-guess passwords (password clichés like 123456 and letmein, as well as words found in a standard dictionary), so the actual number of passwords should be less than the number of accounts. It’s unclear whether the passwords on this list are matched up with the email address that comprises the other half of the login credentials.
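As an added example, not code from the post, from LinkedIn, or from the researchers quoted above: a small Python checker for the dump format Graham describes (one SHA-1 hex digest per line, sorted and de-duplicated, with the first five hex characters of some entries zeroed out). It lets you test whether a password of your own appears in such a list, masked or not; the dump contents below are a constructed sample, except for the “password” line quoted in the post.

```python
import hashlib

MASK_LEN = 5  # the dump zeroes the first five hex characters of some digests


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 lowercase hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def masked(digest: str) -> str:
    """Apply the dump's masking: replace the first MASK_LEN hex chars with zeros."""
    return "0" * MASK_LEN + digest[MASK_LEN:]


# Constructed sample in the dump's format. The first entry is the one quoted in
# the post ("password"); the other two are built here from constructed passwords.
SAMPLE_DUMP = "\n".join(sorted({
    "000001e4c9b93f3f0682250b6cf8331b7ee68fd8",  # quoted in the post, masked
    masked(sha1_hex("letmein")),                 # constructed, masked entry
    sha1_hex("123456"),                          # constructed, unmasked entry
}))


def build_index(dump_text: str) -> dict:
    """Map the last 35 hex chars of each entry to the full entries sharing that
    suffix. The suffix survives masking, so one lookup covers both forms."""
    index = {}
    for line in dump_text.splitlines():
        entry = line.strip().lower()
        if len(entry) == 40 and all(c in "0123456789abcdef" for c in entry):
            index.setdefault(entry[MASK_LEN:], set()).add(entry)
    return index


def password_in_dump(password: str, index: dict) -> bool:
    """True if the password's SHA-1 appears in the dump, masked or unmasked."""
    digest = sha1_hex(password)
    return any(e in (digest, masked(digest)) for e in index.get(digest[MASK_LEN:], ()))


def dump_stats(index: dict) -> dict:
    """Count masked vs. unmasked entries: a quick sanity check on a dump file."""
    entries = [e for bucket in index.values() for e in bucket]
    n_masked = sum(1 for e in entries if e.startswith("0" * MASK_LEN))
    return {"total": len(entries), "masked": n_masked, "unmasked": len(entries) - n_masked}


if __name__ == "__main__":
    idx = build_index(SAMPLE_DUMP)
    print(dump_stats(idx))
    for candidate in ["password", "letmein", "123456", "correct horse battery staple"]:
        print(f"{candidate!r}: {'FOUND' if password_in_dump(candidate, idx) else 'not in dump'}")
```

To check a real dump file, pass its text to `build_index` instead of `SAMPLE_DUMP`; the suffix index keeps lookups constant-time even for millions of lines.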