6.5 million LinkedIn passwords leaked by Russian hackers

Are you a LinkedIn user? If so, you might want to change your passwords, as 6.5 million passwords belonging to users of the business-centric social network have been leaked onto a Russian hacking forum. The dump contained unsalted SHA-1 password hashes, meaning that they are easily cracked using online tools. No other information has been released, but it is possible that usernames and passwords were also compromised during the attack. Remarkably, LinkedIn’s share price ended the day up 0.09%, only to fall in after-hours trading.

In a blog post regarding the attack and password dump, LinkedIn’s Vicente Silveira explained how the company plans to deal with the compromised accounts, which make up a small fraction of the network’s reported 161 million users.

We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:

  1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
  2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
  3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.

We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously. If you haven’t read it already it is worth checking out my earlier blog post today about updating your password and other account security best practices.

To find out if your password is included in the list, head to LeakedIn, which takes your password, hashes it with the same SHA-1 algorithm and then checks for the presence of that hash in the leaked list. Mercifully mine was not published, but the Digixav offices do have a number of passwords in the leak. Buzzfeed’s John Herrman used the tool to check for some possible passwords, both common and hilarious, and created a list of the best 23. Even if you are not affected by this attack, it should serve as a good reminder to change your passwords regularly and make them unique, but not to make them anything like these.
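As an added illustration (not code from this article, LeakedIn or LinkedIn), here is the LeakedIn-style membership check against a constructed stand-in for the dump, beside the hashing-and-salting scheme LinkedIn says it has moved to; the per-user salt plus PBKDF2 stretching is an assumption, since the post does not name LinkedIn's exact scheme.

```python
import hashlib
import hmac
import os
from typing import Set, Tuple

# Constructed stand-in for the dump: bare SHA-1 hex digests, no salt, no usernames.
# The plaintexts are made up here; they are not taken from the real leak.
LEAKED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest() for p in ("password", "linkedin", "letmein")
}

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, exactly what the dump stores."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def in_leak(password: str, leaked: Set[str] = LEAKED_SHA1) -> bool:
    """LeakedIn-style check: hash the candidate and test set membership.
    It works only because the dump is unsalted: every account that chose this
    password has the identical digest, so one lookup covers all of them."""
    return sha1_hex(password) in leaked

# The fix LinkedIn describes (hashing and salting), shown with a random per-user salt
# plus PBKDF2 key stretching. PBKDF2 is assumed here; the page does not name the scheme.
PBKDF2_ROUNDS = 100_000

def make_record(password: str) -> Tuple[bytes, bytes]:
    """Store (salt, digest); the salt is not secret, the digest depends on both."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def salted_records_differ(password: str) -> bool:
    """Two accounts with the same password get different records, so a single
    precomputed SHA-1 table no longer identifies either of them."""
    a, b = make_record(password), make_record(password)
    return a[1] != b[1] and verify(password, a) and verify(password, b)
```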


Anonymous bring down the CIA site

Anonymous are at it again, and this time the CIA are in the firing line.


Hacking group Anonymous has apparently claimed credit for knocking the Central Intelligence Agency’s website offline. An update at the YourAnonNews Twitter account reads:

CIA TANGO DOWN: https://www.cia.gov/#Anonymous (via @RT_America)

Sure enough, as of 4:16pm ET on Friday, the CIA.gov website isn’t loading. RT.com reports that the site was initially taken down around 3:10pm ET.

Anonymous has recently claimed takedowns of sites belonging to the Boston Police Department, the FBI, the DOJ, the U.S. Copyright Office and two of Brazil’s largest banks.

The group also recently intercepted a conference call between the FBI and Scotland Yard, which entailed cybercrime investigators discussing Anonymous’ activities.

[via AFP]


O2 security flaw potentially lets every website access your phone number (updated: O2 react)

If you are on O2 or any MVNO that uses their network, such as Giffgaff or Tesco Mobile, now is the time to be worried. It has emerged that the network is sending your mobile number in plaintext to every website you visit, as part of the HTTP headers of each request. This could potentially allow sites to collect these numbers and misuse them. Lewis Peckover has created a page that checks for and displays such header information, and so far only O2 and their MVNOs have been displaying the number. Peckover says on the site:

To answer some questions and responses I’ve seen – no, it’s not anything client-side. O2 seem to be transparently proxying HTTP traffic and inserting this header. Another annoying feature of O2 is that they interfere with the responses from servers too. They downgrade all images and insert a JavaScript link into the HTML of each page. I’ve talked to customer service about this lovely feature several times, but they never have a clue what I’m talking about, let alone any idea how to opt out/disable it.

We don’t know why this is happening, but until O2 fully understand why this sensitive data is so easily accessible and how to stop it, be careful of any suspicious sites that may pop up. If you are not on O2 but still see your number in the header, let us know or tell Peckover on Twitter.
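An added example, not Peckover's page or any O2 code: a small WSGI page of the same kind, which echoes every request header back to the visitor and flags any header whose value looks like a UK mobile number, whatever name the proxy gave it. The sample request and its subscriber-id header name are constructed, and the number is from a reserved UK test range.

```python
import re
from typing import Dict, List, Tuple

# Constructed request, not a real capture: the subscriber-id header name is invented
# and 447700 900xxx is a reserved UK test-number range.
SAMPLE_HEADERS = {
    "Host": "example.invalid",
    "User-Agent": "Mozilla/5.0 (constructed)",
    "Accept": "text/html",
    "X-Constructed-Subscriber-Id": "447700900123",
}

# UK mobile number in international (447...) or national (07...) form, optional leading '+'.
UK_MSISDN = re.compile(r"^\+?(?:44|0)7\d{9}$")

def find_msisdn_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, value) pairs whose value looks like a UK mobile number,
    regardless of which header name the proxy chose."""
    hits = []
    for name, value in headers.items():
        compact = re.sub(r"[\s\-()]", "", value)
        if UK_MSISDN.match(compact):
            hits.append((name, value))
    return hits

def headers_from_environ(environ: dict) -> Dict[str, str]:
    """Recover request headers from a WSGI environ (HTTP_USER_AGENT -> User-Agent)."""
    return {k[5:].replace("_", "-").title(): v
            for k, v in environ.items() if k.startswith("HTTP_")}

def environ_from_headers(headers: Dict[str, str]) -> dict:
    """Build a WSGI environ offline so the app can be exercised without a network."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    env.update({"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()})
    return env

def header_check_app(environ, start_response):
    """WSGI page that echoes every request header and flags any carrying a phone number."""
    headers = headers_from_environ(environ)
    lines = [f"{n}: {v}" for n, v in sorted(headers.items())]
    hits = find_msisdn_headers(headers)
    if hits:
        lines += ["", "WARNING: your network appears to be inserting your phone number in:"]
        lines += [f"  {name}" for name, _ in hits]
    body = "\n".join(lines).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

To serve it for real, pass `header_check_app` to `wsgiref.simple_server.make_server` and visit the page over the mobile data connection rather than WiFi, since the proxy only sits on that path.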

Update: Which? Magazine contacted the Information Commissioner’s Office, who had this to say:

Keeping people’s personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.

Update 2: O2 have confirmed that this happened over their 3G and WAP networks as an unintended side effect of routine maintenance carried out on January 10th. They have reported themselves to Ofcom and released this statement/Q&A.

O2 mobile numbers and web browsing

Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.

We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.

We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.

Below is a set of Q&As, to answer questions we’ve been receiving. If you have further questions, do leave them in the blog comments and we will do our best to answer as many as possible.

Q: What’s happened with O2 mobile numbers when I browse the internet on my mobile?

A: Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using is passed to website owners. This happens across the internet, and enables website owners to optimise the site you see. When you browse from an O2 mobile, we add the user’s mobile number to this technical information, but only with certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for 3 reasons: 1) to manage age verification, which manages access to adult content, 2) to enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased, 3) to identify customers using O2 services, such as My O2 and Priority Moments. This only happens over 3G and WAP data services, not WiFi.

Q: How long has this been happening?

A: Between the 10th of January and 1400 on Wednesday the 25th of January, in addition to the usual trusted partners, there has been the potential for disclosure of customers’ mobile phone numbers to further website owners.

Q: Has it been fixed?

A: Yes. It was fixed as of 1400 on Wednesday 25th January 2012.

Q: Which of my information can website owners access?

A: The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers.

Q: Why did this happen?

A: Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.

Q: Which customers were affected?

A: It affected customers accessing the internet via their mobile phone on 3G or WAP services, but not WiFi, between 10th of January and 1400 on Wednesday the 25th of January.

Q: Which websites do you normally share my mobile number with?

A: Only trusted partners who work with us on age verification, premium content billing (such as for downloads), and O2’s own services have access to these mobile numbers, and only where absolutely required.

Q: The Information Commissioner said he is investigating – what are you doing as part of this?

A: We are in contact with the Information Commissioner’s Office, and we will be co-operating fully. We have also contacted Ofcom.