Social networking site LinkedIn and online dating service eHarmony are warning that some user passwords have been breached after security experts discovered scrambled files with passwords for some 8 million online accounts, according to a report from Reuters.
The two companies declined to say exactly how many accounts had been breached when issuing an initial statement Wednesday, instead only saying that they were conducting investigations, the report says.
Technology news site Ars Technica reported on Wednesday that a total of 8 million encrypted passwords were published on underground forums by a hacker known as “dwdm,” who was requesting help to unscramble the files, according to Reuters.
It was not clear whether all 8 million passwords belonged to LinkedIn or eHarmony users, or if the hacker had in fact stolen an even larger number of credentials and hadn’t posted them all, the article says. The files only included passwords, not email addresses, meaning that anyone who downloaded and unscrambled the files would still have a difficult time accessing accounts.
However, according to Reuters, analysts say that it is likely that the hackers who stole the passwords initially also have the corresponding email addresses and would be able to access the accounts.
Mary Landesman, senior researcher with messaging security firm Cloudmark, said that a hacker with access to someone’s LinkedIn and eHarmony account might be in a good position to commit extortion, the article reports.
“When somebody has the keys to your business and your personal kingdom, that gives them all sorts of powerful information,” she said in the article. “They might be able to use it for years.”
Security experts examining the breach say that LinkedIn was not using best practices for protecting the data, claiming that the company used a vanilla or basic technique for encrypting passwords, which allowed hackers to quickly unscramble them once they had figured out the generic formula used for all of the credentials, Reuters reports.
The site could have made unscrambling passwords much more tedious by using a technique known as “salting,” or adding a secret code to each password before it is encrypted, the article says.
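The contrast the article draws can be shown in a few lines. The following is an added illustration, not code from LinkedIn, eHarmony or the Reuters report; the user names and passwords are constructed sample data. With the "generic formula" approach, every account is transformed the same way, so two users who chose the same password produce the same stored value and one recovered value unlocks every account that shares it. With per-user salting, a random value (it need not be kept secret, only stored alongside the hash) is mixed into each password first, so identical passwords no longer collide and each stored value has to be attacked on its own; pairing the salt with a deliberately slow function such as PBKDF2 makes each attempt more expensive as well.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data: three users, two of whom chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}


def unsalted_sha1(password: str) -> str:
    """The 'generic formula' pattern: one fixed transform applied to every account."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def count_duplicate_digests(users: Dict[str, str]) -> int:
    """How many stored values collide when no salt is used (same password -> same hash)."""
    digests = [unsalted_sha1(pw) for pw in users.values()]
    return len(digests) - len(set(digests))


# Iteration count is an assumed tuning value for this illustration; deployments pick their own.
PBKDF2_ITERATIONS = 200_000


def hash_password_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow key-derivation function.

    Returns (salt, digest); the salt is stored next to the digest in the clear.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password_salted(password, salt)
    return hmac.compare_digest(candidate, expected)


def build_salted_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """What a salted credential table looks like: one (salt, digest) pair per user."""
    return {name: hash_password_salted(pw) for name, pw in users.items()}


def count_duplicate_salted_digests(store: Dict[str, Tuple[bytes, bytes]]) -> int:
    """With per-user salts, identical passwords no longer produce identical stored values."""
    digests = [digest for _, digest in store.values()]
    return len(digests) - len(set(digests))


if __name__ == "__main__":
    print("unsalted collisions:", count_duplicate_digests(SAMPLE_USERS))
    store = build_salted_store(SAMPLE_USERS)
    print("salted collisions:  ", count_duplicate_salted_digests(store))
    salt, digest = store["carol"]
    print("carol login ok:     ", verify_password("hunter2", salt, digest))
```

Run as a script it reports one collision for the unsalted table and none for the salted one, which is exactly why a single "generic formula" lets a leaked file be unscrambled in bulk while salting forces per-account work.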
Neither site is commenting on the criticism, but both are recommending that users change their passwords immediately.