Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

LinkedIn Logins Stolen, Change Your Password Now
Jeff Carlson

If you use the networking site LinkedIn, change your password immediately. A hacker stole the details for 6.5 million logins and made them available online. [1]In a statement, LinkedIn acknowledged the problem, and outlined steps to notify affected customers in its ongoing investigation into what happened. The plain text of passwords wasn't revealed, but many people remain at risk. Lex Friedman at Macworld [2]offers more details about the situation, including a problem with the LinkedIn iOS app scraping private data from calendar events.

You can check whether your password was pilfered by using FictiveKin's [3]LeakedIn.org, which will convert your plain-text password into the cryptographically scrambled form used in LinkedIn's database. However, we don't recommend that you type in your plain-text password on another site! Instead, launch Applications > Utilities > Terminal, and type in the following to turn your password into the format needed:

echo -n 'plain-text password' | openssl sha1

Now use the resulting text, which will look like 217e0428f0a8f78abe5066ae4f84a4a83a36b375, to see if you were leaked.

LinkedIn appears to have stored passwords only in a protected form, unlike so many previous login hijacks in which we discovered firms leave our critical data in plain-text form. But that doesn't mean you're not at risk. LinkedIn "hashes" the password, as we at TidBITS and most sites do, which creates a sort of cryptographic signature (the "hash"). Such hashes aren't reversible (knowing the hash doesn't get you the password), but they can be used in brute force attacks.
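The two halves of the article's point, the local hash check and the reason a leaked hash list is still dangerous, are easy to see side by side in code. The following is an added example, not part of the TidBITS article or of any LinkedIn or LeakedIn.org code: it reproduces in Python what the `echo -n ... | openssl sha1` command does (the hex SHA-1 of the bare password, so you never paste a real password into a third-party site), then runs a short list of common passwords against a constructed stand-in for the leaked list. `LEAKED_HASHES` and `COMMON_PASSWORDS` are constructed sample data; the one real value in them is the example digest printed in the article.

```python
"""Hash-and-compare check for a leaked password list (added example, not the article's code)."""
import hashlib


def linkedin_style_hash(password: str) -> str:
    """Same output as `echo -n 'password' | openssl sha1`: hex SHA-1 of the bare string.

    No per-user salt is involved, which is exactly why the public lookup can work:
    anyone who knows the password can compute the same digest.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a leaked hash list. The first entry is the sample digest
# shown in the article; the other two are the SHA-1 of two very common passwords.
LEAKED_HASHES = frozenset({
    "217e0428f0a8f78abe5066ae4f84a4a83a36b375",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",  # sha1("password")
    "7c222fb2927d828af22f592134e8932480637c0d",  # sha1("12345678")
})

# Constructed wordlist of the kind the article warns about.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "letmein"]


def check_leaked(password: str, leaked_hashes=LEAKED_HASHES) -> bool:
    """What the LeakedIn lookup does, done locally: hash, then look the digest up."""
    return linkedin_style_hash(password) in leaked_hashes


def match_common_passwords(leaked_hashes=LEAKED_HASHES, wordlist=COMMON_PASSWORDS) -> dict:
    """Hash each candidate once and report which leaked digests it explains.

    Returns {digest: password}. Because the digests carry no salt, one SHA-1 per
    guess is compared against the entire list, so the cost grows with the size of
    the wordlist, not with the number of leaked accounts.
    """
    by_hash = {linkedin_style_hash(word): word for word in wordlist}
    return {digest: by_hash[digest] for digest in leaked_hashes if digest in by_hash}


if __name__ == "__main__":
    # Local equivalent of the article's terminal check.
    print("leaked?", check_leaked("correct horse battery staple"))
    # Why "12345678" or "password" means your number is up.
    for digest, word in sorted(match_common_passwords().items()):
        print(f"{digest} was {word!r}")
```

The unmatched first digest stands in for every password that is not on the wordlist: the attacker learns nothing about it from the hash alone, which is the article's point that a long, unique password survives this kind of leak while a common one does not.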
An attacker can work through a list of common passwords and random short entries and compare them against the hash list to see which match. If you've used 12345678 or password, your number is up.

To set a new password, log in to LinkedIn, click your name in the upper-right corner of the page, choose Settings from the menu that appears, click the Account tab in the lower-left of the page, and then click Change Password. We always recommend setting a strong password that's a mix of letters and numbers (and even punctuation if the site supports it), and using a password safe such as [4]1Password so that you don't have to remember or store passwords in an insecure manner.

[5][tn_LinkedIn.jpg]

Equally important is to change your passwords for any other sites that you may have set up with the same login, because that information is now being shared by malevolent people who use it to try to access other sites' accounts. I set up a LinkedIn account years ago and rarely use the site, so it's likely that I re-used the same password somewhere else at the time, a big no-no. For every site that requires a login, you should have a unique password. I generate secure passwords and track them all using 1Password and recommend you do the same.

References

1. http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
2. http://www.macworld.com/article/1167113/linkedin_privacy_issues_possible_password_breach_ios_app_data_leak.html
3. http://leakedin.org/
4. https://agilebits.com/onepassword
5. http://tidbits.com/resources/2012-06/LinkedIn.png