-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0083
                   LinkedIn Member Passwords Compromised
                                7 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              LinkedIn
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Mobile Device
Impact/Access:        Access Privileged Data -- Existing Account
Resolution:           Mitigation
Member content until: Saturday, July 7 2012

OVERVIEW

        LinkedIn, a social networking site used by professionals, has
        confirmed that some accounts it manages have been compromised.
        6.5 million password hashes are alleged to have been stolen, with
        approximately 60% of the hashes being cracked. The stolen passwords
        are circulating in public.

IMPACT

        The vendor has provided the following details about this incident:

        "We are continuing to investigate this situation and here is what
        we are pursuing as far as next steps for the compromised accounts:

        * Members that have accounts associated with the compromised
          passwords will notice that their LinkedIn account password is no
          longer valid.

        * These members will also receive an email from LinkedIn with
          instructions on how to reset their passwords. There will not be
          any links in this email. Once you follow this step and request
          password assistance, then you will receive an email from LinkedIn
          with a password reset link.

        * These affected members will receive a second email from our
          Customer Support team providing a bit more context on this
          situation and why they are being asked to change their
          passwords." [1]

        A stolen LinkedIn account will give access not only to personal,
        contact, email and other details within LinkedIn itself, but where
        such a service has been established, will also give access to a
        related Twitter account. It may also give access to any accounts
        that LinkedIn applications have access to. eg. WordPress, Box.net,
        GitHub

MITIGATION

        Log into LinkedIn and change your password. The new password should
        be unrelated to the previous one, and different from work related
        passwords. Refer to AusCERT password selection reference. [2]

REFERENCES

        [1] An Update on LinkedIn Member Passwords Compromised
            http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

        [2] Choosing good passwords
            http://www.auscert.org.au/render.html?it=2260

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----