No matter if your password is on the list or not, Pack recommends changing your LinkedIn password to a strong password that has a combination of numbers, as well as upper and lowercase letters. He recommends against using common words found in a dictionary for a password.
As of now, there is no evidence that there is any link between the hashed passwords and which users those passwords belong to, but Pack says that too should not be taken for granted. It’s possible that whoever released the data could have access to user information linked to those passwords.
Gene McCully, president of StackFrame, a computer software and security firm in Florida, searched and found his unique password in the database. He’s surprised LinkedIn did not modify the passwords using a technique called “salting” to further protect them. “If it had been salted, it would have made it a less dangerous leak,” he says. Salting is the process of adding a unique, user-specific value to each password before it is hashed, making it harder to convert the leaked hashes back into the actual passwords.
“That’s one of the most shocking things of this whole situation is that there are unsalted passwords,” says Pack. “It says a lot about the overall security of the site.” Without salted passwords, hackers can perform fairly simple SQL-injection attacks, which use web applications to gain insight into a database. In the company’s blog post confirming the breach on Tuesday, LinkedIn officials say they have “just recently” added salting and hashing to the company’s current password databases.
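The difference McCully describes, shown as an added example that is not part of the article: with unsalted hashes, every user who chose the same password gets the same digest, so one precomputed table of common-password hashes answers all of them at once; with a per-user salt, the same password yields different stored records and the table is useless. The password list and the SHA-1 choice for the unsalted scheme are assumptions made for the demonstration; the salted scheme uses Python's standard PBKDF2-HMAC.

```python
# Added example (not from the article): unsalted vs. salted password storage.
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["password", "123456", "linkedin", "qwerty"]  # constructed sample list


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password with no per-user salt (the weak scheme)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256).

    The result is self-describing: salt and iteration count are stored beside the
    digest so that verification can recompute exactly the same derivation.
    """
    if not salt:
        salt = os.urandom(16)  # fresh 128-bit salt for each user record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def precomputed_table() -> dict:
    """A single table of unsalted digests covers every user who picked a listed password."""
    return {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def leaks_via_table(stored_unsalted_hash: str) -> bool:
    """True if a leaked unsalted hash is answered directly by the precomputed table."""
    return stored_unsalted_hash in precomputed_table()


if __name__ == "__main__":
    alice, bob = unsalted_hash("password"), unsalted_hash("password")
    print("unsalted, same password, identical digests:", alice == bob)
    print("unsalted digest found in precomputed table:", leaks_via_table(alice))
    alice_s, bob_s = salted_hash("password"), salted_hash("password")
    print("salted, same password, different records:", alice_s != bob_s)
    print("salted record still verifies the right password:", verify_salted("password", alice_s))
```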