LinkedIn hacker 'also stole 1.5m passwords from dating site eHarmony'
The computer hacker behind the theft of almost 6.5 million passwords from LinkedIn is also responsible for publishing up to 1.5 million passwords stolen from the popular dating website eHarmony, it has emerged.
The hacker, who posted lists containing a total of 8 million passwords on a web forum run by a company in Moscow that specialises in “password recovery” software, uses the online alias “dwdm”. He appealed to fellow hackers for help converting the passwords into a usable form.
Experts said that the fact that some of the passwords included the phrase “eharmony” indicated they were taken from the online dating website, which has more than 20 million members worldwide.
The firm confirmed that its security had been breached after it was first reported by the technology news website Ars Technica.
“After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected,” it said in a blog post.
It said it would contact affected members and reset their passwords.
The development followed a scramble by LinkedIn members to change their passwords when it emerged hackers were working to “crack” a list of 6.5 million. Many were also urged to change their passwords for other services if they had reused the same one across the web.
The passwords were stolen in “hashed” form, meaning they could not simply be read off the list: recovering each one required guessing candidate passwords and comparing their hashes against the stolen values, which takes computing work. By Wednesday afternoon the hackers said they had already recovered hundreds of thousands.
Following an investigation, LinkedIn admitted its security had been breached late on Wednesday.
“We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts,” said Vicente Silveira, a spokesman for the professional network, whose more than 150 million members worldwide include the Prime Minister.
The firm said it would email affected members and force them to change their password. It also pledged to apply more stringent security measures in future, including storing passwords in a more secure form by “salting” them, that is, mixing a random value into each password before it is hashed, which makes it more difficult for hackers to crack them.
Commentators criticised LinkedIn’s security practices, however.
“The passwords weren’t properly protected,” said a spokesman for Imperva, an American security firm.
“Not salting is a bad practice. Salting, in layman’s terms, complicates the process of a hacker cracking a password. Not only do you encrypt the password, but append it with a random string of characters so even if those passwords are revealed, they look like gobbledygook.”
Imperva also claimed that more than 6.5 million people who use LinkedIn could be forced to change their passwords, because the list did not indicate how many members used each one.
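The two points made above, that unsalted storage makes passwords easier to crack and that a list of unsalted hashes cannot tell you how many members chose each password, can be seen in a few lines of code. The following is an added illustration, not code from the article, LinkedIn or Imperva; the user table and passwords are constructed, and SHA-256 is used only because the article does not name the hash function involved.

```python
"""Unsalted versus salted password storage (constructed example).

Shows why every member who reuses a password shares one digest in an
unsalted store, so a deduplicated dump undercounts affected accounts and
one confirmed password value covers all of them, and how a per-user random
salt removes that property.
"""
import hashlib
import hmac
import os

# Constructed sample: five accounts, three of which reuse the same password.
USERS = {
    "alice": "Tr0ub4dor&3",
    "bob": "linkedin123",
    "carol": "linkedin123",
    "dave": "correct horse",
    "erin": "linkedin123",
}


def unsalted_hash(password: str) -> str:
    """Digest of the bare password. Identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Digest of salt || password. The salt is stored next to the digest and
    is not secret; its job is to make each user's digest unique."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_unsalted_store(users: dict) -> dict:
    """username -> digest, as a site storing unsalted hashes would keep it."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def build_salted_store(users: dict) -> dict:
    """username -> (salt_hex, digest) with a fresh 16-byte random salt per user."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt.hex(), salted_hash(pw, salt))
    return store


def verify_salted(store: dict, name: str, candidate: str) -> bool:
    """Login check against the salted store: re-derive with the stored salt
    and compare in constant time."""
    salt_hex, digest = store[name]
    return hmac.compare_digest(salted_hash(candidate, bytes.fromhex(salt_hex)), digest)


def distinct_digests(digests) -> int:
    """Size of a deduplicated dump. For unsalted storage this is smaller than
    the number of accounts whenever passwords are reused, which is why a list
    of 6.5 million hashes can correspond to more than 6.5 million members."""
    return len(set(digests))


def accounts_sharing_digest(store: dict, password: str) -> int:
    """Number of accounts in an unsalted store whose digest equals that of
    one password value: recovering that value once exposes all of them."""
    target = unsalted_hash(password)
    return sum(1 for digest in store.values() if digest == target)


if __name__ == "__main__":
    unsalted = build_unsalted_store(USERS)
    salted = build_salted_store(USERS)
    print("accounts:", len(USERS))
    print("distinct unsalted digests:", distinct_digests(unsalted.values()))
    print("distinct salted digests:", distinct_digests(d for _, d in salted.values()))
    print("accounts covered by one reused password:",
          accounts_sharing_digest(unsalted, "linkedin123"))
    print("bob logs in with salted store:", verify_salted(salted, "bob", "linkedin123"))
```

Run as a script it reports five accounts but only three distinct unsalted digests, so the three members sharing a password collapse into one dump entry, while the salted store has five distinct digests and the shared password can no longer be recognised by comparing entries. The salt itself adds no secrecy; what it buys is that work spent on one digest does not carry over to any other, which is the gain Imperva describes.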