BOSTON/NEW YORK (Reuters) - Social networking site LinkedIn and online dating service eHarmony warned that some user passwords had been breached after security experts discovered scrambled files with passwords for millions of online accounts.
The two companies declined to say how many accounts had been breached when they disclosed the breaches in statements issued on Wednesday.
They only said they were conducting investigations.
The breaches are the latest in a string of high-profile attacks around the world that have put personal information of millions at risk. The release of information stolen from the intelligence analysis firm Stratfor in December included data belonging to former U.S. Vice President Dan Quayle and former Secretary of State Henry Kissinger.
Mary Landesman, senior researcher with messaging security firm Cloudmark, said that a hacker who has access to somebody’s LinkedIn credentials along with their eHarmony account might be in a good position to commit extortion.
“When somebody has the keys to your business and personal kingdom, that gives them all sorts of powerful information,” she said. “They might be able to use it for years.”
The technology news site Ars Technica reported on Wednesday that a total of 8 million encrypted passwords were published on underground forums by a hacker known as ‘dwdm’, who was seeking help unscrambling them.
It was not clear whether all 8 million of the passwords belonged to users of LinkedIn and eHarmony, or if the hacker had stolen an even larger number of credentials and just posted some of them on the site.
LinkedIn, which made its stock debut last year, is a social media company that caters to companies seeking employees and people scouting for jobs. It has more than 161 million members worldwide. One of the Mountain View, California-based company’s main initiatives is to grow internationally - 61 percent of its membership is located outside the United States.
Santa Monica-based eHarmony, which has more than 20 million registered online users, said in a blog post that it has reset affected members passwords. The company said those members will receive an email with instructions on how to reset their passwords.
Marcus Carey, security researcher at Boston-based Rapid7, said he believed the attackers had been inside LinkedIn’s network for at least several days, based on an analysis of the type of information stolen and quantity of data posted on forums.
“While LinkedIn is investigating the breach, the attackers may still have access to the system,” Carey warned. “If the attackers are still entrenched in the network, then users who have already changed their passwords may have to do so a second time.”
The files included only passwords and not corresponding email addresses, which means that people who download the files and decrypt, or unscramble, the passwords will not easily be able to access any accounts with compromised passwords.
Yet analysts said it is likely that the hackers who stole the passwords also have the corresponding email addresses and would be able to access the accounts.
At least two security experts who examined the files containing the LinkedIn passwords said the company had failed to use best practices for protecting the data.
The experts said that LinkedIn used a vanilla or basic technique for encrypting, or scrambling, the passwords which allowed hackers to quickly unscramble all passwords after they figured out the formula by which any single password had been encrypted.
The social network could have made it extremely tedious for the passwords to be unscrambled by using a technique known as “salting”, which means adding a secret code to each password before it is encrypted.
“What they did is considered to be poor practice,” Landesman said.
LinkedIn officials declined to comment on the criticism, saying it was discussing the breach only on its official blog.
LinkedIn engineer Vicente Silveira said in a blog that the company had instituted new security measures to protect customer passwords, including the use of salting techniques.
The breach at LinkedIn comes after a security researcher last year warned that the company had flaws in the way it managed communications with browsers to authorize logins, making accounts more vulnerable to attack. The company responded by tightening its procedures for logins.
LinkedIn was co-founded by former PayPal executive Reid Hoffman in 2002 and makes money selling marketing services and subscriptions to companies and job seekers.
LinkedIn shares closed 8 cents higher at $93.08 on Wednesday.
Additional reporting by Sakthi Prasad; Editing by Leslie Gevirtz, Carol Bishopric and Richard Pullin