Follow us on RSS or Twitter for the latest updates.

June 7, 2012

How to Check If Your LinkedIn Password Was Stolen


Worried that your LinkedIn password may be a part of the nearly 6.5 million compromised on Wednesday? Password management firm LastPass has released a secure tool to see if your password was among the stolen.

linkedin.PNG

News first surfaced about the security breach after a Russian hacker said he stole 6,458,020 encrypted LinkedIn passwords and posted them online (without usernames) to prove his feat. The breach comes on the heels of news that LinkedIn’s iOS app potentially violates user privacy by sending detailed calendar entries to its servers.

LinkedIn confirmed that some passwords had become compromised and said it would contact affected users with details on how to change their password

Although usernames associated with the passwords were not released, the passwords themselves will surely be used to help reverse-engineer other cryptography systems. We also expect to see these passwords added to dictionary lists of programs that attempt to break into various accounts.

In other words — if you’re a LinkedIn user, no matter how strong your password seemed — it’s a good idea to go ahead and change it.

How This Works

If you’re a cynical web user when it comes to privacy and security — of course you are, right? — then you’re probably asking yourself whether or not a site where you type in your password to see if it’s been compromised could possibly be legit. But the folks at LastPass ensure that the tool is safe and does not store passwords.

Here’s how it works: After typing your LinkedIn password into LastPass’s tool, the service computes its SHA-1 hash and sends the result to LastPass.com. It then searches the list of 6.5 million leaked password hashes.

“All that’s communicated to LastPass is the hash ‚Äî the result of the one-way function performed on the password that a user enters in that box,” a LastPass spokesperson said. “So let’s say you enter ‘password1.’ You enter it and the tool performs the hashing algorithm. The hash is then sent to LastPass, and if a match is found in the database (of the 6.46 million leaked hashes) on our end, we report back a message saying that your password was compromised.”

The spokesperson also noted that the hashes are not stored on its servers: “We don’t store the hash on our end. We only perform the check and then delete it.”

Change Your Password

If your password is among the millions stolen, you should not only change it as soon as possible but also update other accounts you have that use the same password.

If you aren’t already using a password management tool — it’s time to start considering one. Tools such as LastPass and 1Password are invaluable in helping users create and manage unique, secure passwords.

Has your password been compromised? Let us know in the comments.