Operating System:

[WIN][UNIX/Linux][Mobile]

Published:

07 June 2012

Protect yourself against future threats.

//Service

AusCERT Education

Enhance your knowledge with our exceptional one day training offerings for individuals and organisations

Read more
Resources > Security Bulletins > ASB-2012.0083 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0083
                   LinkedIn Member Passwords Compromised
                                7 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              LinkedIn
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Mobile Device
Impact/Access:        Access Privileged Data -- Existing Account
Resolution:           Mitigation
Member content until: Saturday, July  7 2012

OVERVIEW

        LinkedIn, a social networking site used by professionals, has 
        confirmed that some accounts it manages have been compromised. 
        6.5 million password hashes are alleged to have been stolen, with 
        approximately 60% of the hashes being cracked. The stolen passwords 
        are circulating in public.


IMPACT

        The vendor has provided the following details about this incident:
                
        "We are continuing to investigate this situation and here is what we are 
         pursuing as far as next steps for the compromised accounts:
                
          * Members that have accounts associated with the compromised passwords 
            will notice that their LinkedIn account password is no longer valid.
                
          * These members will also receive an email from LinkedIn with 
            instructions on how to reset their passwords. There will not be 
            any links in this email. Once you follow this step and request 
            password assistance, then you will receive an email from LinkedIn 
            with a password reset link.
                
          * These affected members will receive a second email from our 
            Customer Support team providing a bit more context on this 
            situation and why they are being asked to change their 
            passwords." [1]
                
        A stolen LinkedIn account will give access not only to personal, 
        contact, email and other details within LinkedIn itself, but where such 
        a service has been established, will also give access to a related 
        Twitter account. It may also give access to any accounts that 
        LinkedIn applications have access to. eg. WordPress, Box.net, GitHub


MITIGATION

        Log into LinkedIn and change your password. The new password should be 
        unrelated to the previous one, and different from work related 
        passwords.
                
        Refer to AusCERT password selection reference. [2]


REFERENCES

        [1] An Update on LinkedIn Member Passwords Compromised
            http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

        [2] Choosing good passwords
            http://www.auscert.org.au/render.html?it=2260

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT9AHu+4yVqjM2NGpAQI3VQ//dRoYGi7IGRc3aKlHTcQtbBvH2fIsaSS/
8MV0yFjjGZDZeWp1wOKT8yxQWlXs8FBs9gXHtOZhOiaK3MYiH5GPeS+OFJDRGumo
q0V8gXoNrFEQ2n6KjVR9R+xdTwV5E1tKlHzI+HcI58Ymei0xNFHEShZHW2vpt98P
oDK/3mXEmYqPoFpVnS+826oXHGDAMTZX4quUryCXRjrf1mnlbEqLYXD6e/Rx57wm
TZgHudbQHtB/T+wBXJPAvQk+RxGfe3gZ7XcXuo+V53toJXEqh8ERPWV//GoxUZG7
hPNxyUXzpDrYIUEH8bo43O73yLE1oUQO2MIdJhasD1St3aFAydaeFPXPridpi0xs
AFfbpJDaiIRg7IS1of0/Km8+r8j/dSmXurvPgFXdwKctElgyta0TOxaWUxq3Scab
QZtZGljReMu/kPukaYEPMYLhkQkBhcpbqHtbljduUdayrzsGtjkzcxTohEu/sx/3
FzA214OuDfm9/+B84N52r24LyE0Va0HSlowX0fjqbbphUUhCpqciHKyHFzGHvgKi
2e72QlKbncJcBSnCPGij4PCt8r2yjIHNES992BzanxPfTyHvXv8sNJ03AJudsgkC
Wh5+sjp0cg3jILDPDDrFyfY3yVBEh342sAcEC+RVPlTCvaMok3xOKigS0F2fNgD6
dnjXb0Q+6Kc=
=h1fW
-----END PGP SIGNATURE-----