LinkedIn, eHarmony Data Breaches May Affect Millions

June 7, 2012

Social networking site LinkedIn and online dating service eHarmony are warning that some user passwords have been breached after security experts discovered scrambled files with passwords for some 8 million online accounts, according to a report from Reuters.

The two companies declined to say exactly how many accounts had been breached when issuing an initial statement Wednesday, instead only saying that they were conducting investigations, the report says.

Technology news site Ars Technica reported on Wednesday that a total of 8 million encrypted passwords were published on underground forums by a hacker known as “dwdm,” who was requesting help to unscramble the files, according to Reuters.

It was not clear whether all 8 million passwords belonged to LinkedIn or eHarmony users, or if the hacker had in fact stolen an even large number of credentials and hadn’t posted them all, the article says. The files only included passwords, not email addresses, meaning that anyone who downloaded and unscrambled the files would still have a difficult time accessing accounts.

However, according to Reuters, analysts say that it is likely that the hackers who stole the passwords initially also have the corresponding email addresses and would be able to access the accounts.

Mary Landesman, senior researcher with messaging security firm Cloudmark, said that a hacker with access to someone’s LinkedIn and eHarmony account might be in a good position to commit extortion, the article reports.

“When somebody has the keys to your business and your personal kingdom, that gives them all sorts of powerful information,” she said in the article. “They might be able to use it for years.”

Security experts examining the breach say that LinkedIn was not using the best practices for protecting the data, claiming that the company used a vanilla or basic technique for encrypting passwords, which allowed hackers to quickly unscramble them after they figure out the generic formula used for all of the credentials, Reuters reports.

The site could have made unscrambling passwords much more tedious by using a technique known as “salting,” or adding a secret code to each password before it is encrypted, the article says.

Neither site is commenting on the criticism, but both are recommending that users change their passwords immediately.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

LinkedIn, eHarmony Data Breaches May Affect Millions

Related Articles

Report Abusive Comment