- The Washington Times - Wednesday, June 6, 2012

Almost 6.5 million encrypted passwords for the professional networking site LinkedIn were posted online by Russian hackers, the company said Wednesday.

“We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts,” Director Vicente Silveira wrote in a blog post. “We are continuing to investigate.”

The company, which boasts 161 million users in 200 countries, said it has no immediate indication that hackers had compromised its systems, but advised its users to change their passwords immediately.

Although the e-mails and user names associated with the passwords were not included in the posting, “it is reasonable to assume that such information may be in the hands of the criminals,” said Graham Cluley of United Kingdom-based Sophos Security.

“Russian hackers are about to pillage and plunder,” wrote one worried user on the site in response to news of the disclosure.

Access to the passwords would give hackers control of the compromised accounts, which could be used in identity theft or other online scams, warned Thomas Ryan, a New York-based security consultant.

Mr. Ryan said a particular concern is “daisy chain” attacks, because many people unwisely use the same password for multiple online accounts.

“If someone has used the same password for a bank or e-mail account, they are vulnerable to daisy-chain attacks,” he said.

The passwords are encrypted, but more than 200,000 already have been deciphered and almost all of them would be crackable in time, warned Mr. Cluley and others monitoring Russian hacker sites.

Some security professionals suggested that the hackers who posted the passwords are seeking help from other site users in decrypting them — a process known as crowdsourcing.

Encryption transforms passwords and user names into meaningless strings of characters. But because the encryption process is standardized, it is possible to guess a password, encrypt it the same way, and then search for the resulting string in a set of encrypted passwords.

Given enough computing power to make thousands of guesses a second, and enough time, hackers can crack almost any password that uses words from the dictionary or other common character combinations like “123456” or “qwerty.”
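The guess-encrypt-compare process described above, as an added illustration that is not part of the article: it assumes the stored values are unsalted SHA-1 digests (a stand-in; the article does not name the algorithm) and uses a small constructed dump and guess list, then shows why a per-user salt and an iterated hash (PBKDF2 here, my choice) force the same guessing work to be repeated for every account instead of once for the whole dump.

```python
import hashlib
import hmac
import os

# Constructed guess list of the kind of common strings the article mentions.
GUESSES = ["123456", "qwerty", "password", "letmein"]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed stand-in for a posted dump: digests only, no user names.
# Assumption: unsalted SHA-1, so identical passwords yield identical digests.
DUMP = {sha1_hex(p) for p in ("password", "123456", "correct horse battery 7!Q")}


def recover_unsalted(dump: set[str], guesses: list[str]) -> dict[str, str]:
    """Guess, hash, look up: one hash per guess is checked against every record."""
    found = {}
    for guess in guesses:
        digest = sha1_hex(guess)
        if digest in dump:
            found[digest] = guess
    return found


# Defender's side: random per-user salt plus an iterated hash.
ITERATIONS = 100_000


def make_record(password: str) -> tuple[bytes, bytes]:
    """Store (salt, PBKDF2-HMAC-SHA256 digest); the salt is not secret."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute with the record's own salt; constant-time compare."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def hash_work(n_records: int, n_guesses: int, salted: bool) -> int:
    """Hash computations needed to try every guess against every record."""
    if salted:
        return n_records * n_guesses * ITERATIONS  # one full run per record per guess
    return n_guesses  # one digest per guess covers the whole dump
```

With the unsalted store the two common passwords fall to a four-entry guess list in four hash computations; with the salted, iterated store the same test would cost ITERATIONS hashes per record per guess, and two users sharing a password no longer share a stored value.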

Generally, experts recommend that passwords be more than eight characters long, contain special characters such as an exclamation mark, and contain at least one capital letter. Because an upper-case letter is encrypted differently than its lower-case counterpart, mixing the two makes a password harder to crack.

LinkedIn acknowledged facing cybersecurity threats in a recent filing with the Securities and Exchange Commission. The filing stated that the LinkedIn site had experienced disruptions and even been taken temporarily offline at times by cyberattacks. Future disruptions were possible, the SEC filing warned.