A breach of the LinkedIn social networking site has led to the release of 6.4 million hashed emails with corresponding passwords. LinkedIn has confirmed that this breach occurred and that the data dump is valid. LinkedIn staff have noted that members with affected accounts will find that their password is no longer valid. According to LinkedIn's blog, affected members will also receive an email (without links) containing instructions for resetting their password.
An attacker with knowledge of the SHA-1 hashing algorithm could perform a brute force attack against the hashed records to retrieve the plain text information. If the plain text information is retrieved, attackers could then attempt a mass phishing campaign using the email addresses they have deciphered. Attackers could also use the passwords obtained from this compromise to attempt to log into other services that use the same password. Examples include other social networking sites such as Facebook, or possibly corporate resources such as web-accessible e-mail.
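The reason a brute force attack against these records is practical is that a single unsalted round of a fast hash such as SHA-1 gives every user who chose the same password the same hash value, and each guess costs only one cheap hash computation. The following example, added here and not code from LinkedIn or from the original advisory, illustrates that weakness on a constructed set of sample accounts and contrasts it with salted, iterated storage (PBKDF2-HMAC-SHA256). The storage format string, the sample usernames and passwords, and the `needs_migration` check are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

# Constructed sample records (illustration only, not data from the breach).
# Two users deliberately share a password to show the unsalted-hash problem.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "password",
    "bob": "password",
    "carol": "Tr0ub4dor&3",
}


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 round over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_hash_groups(records: Dict[str, str]) -> int:
    """Count hash values shared by more than one user.

    With unsalted hashing, identical passwords give identical hashes, so
    recovering one hash exposes every account that used that password.
    With per-user salts the count is zero even for identical passwords.
    """
    by_hash: Dict[str, list] = {}
    for user, stored in records.items():
        by_hash.setdefault(stored, []).append(user)
    return sum(1 for users in by_hash.values() if len(users) > 1)


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = 200_000) -> str:
    """Salted, iterated storage. Record format (assumed for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# A bare 40-hex-character value is the signature of an unsalted SHA-1 record.
BARE_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def needs_migration(stored: str) -> bool:
    """Flag legacy unsalted records so they can be re-hashed at next login."""
    return bool(BARE_SHA1.match(stored))


def demo() -> Dict[str, int]:
    """Hash the sample users both ways and report how many hash values collide."""
    weak = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: hash_password_pbkdf2(p) for u, p in SAMPLE_USERS.items()}
    return {
        "unsalted_shared_hashes": duplicate_hash_groups(weak),   # 1: alice and bob
        "salted_shared_hashes": duplicate_hash_groups(strong),   # 0
        "legacy_records": sum(needs_migration(h) for h in weak.values()),  # 3
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows one shared hash among the three unsalted records and none among the salted ones; the `needs_migration` check is the kind of audit a site would run over its own user table to find records that still use a bare fast hash and re-hash them when the user next authenticates.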
All LinkedIn users are urged to change their passwords immediately via the LinkedIn website. If a LinkedIn password was used on other sites or accounts, that password should be changed immediately as well. Users are reminded to use different passwords for different accounts and to never use a work password on other accounts. Because of the possibility of phishing, users should be wary of emails purporting to be from LinkedIn, especially emails regarding password changes or account information. Emails from LinkedIn regarding password or account changes will not contain links. (See LinkedIn's blog for further details.)