Professional networking site LinkedIn and dating site eHarmony confirmed yesterday that millions of user password hashes have been stolen from their databases and posted on the Internet. If you use either service, change your password on that site immediately, and also on any other site where you use the same password, especially email, banking or anything else holding sensitive data.
The breach came to light when the hacker(s) posted a list of roughly 8 million password hashes to a password-cracking forum asking for help cracking them. Sophos is reporting that more than 60% of the posted hashes have already been cracked.
Worse, while the 8 million hashes posted represent only a small portion of the two sites' users, some security experts suspect that the hacker(s) have the full password list and posted only the entries they were having difficulty cracking. Rick Redman, a security consultant for Kore Logic Security, told Ars Technica, "It's pretty obvious that whoever the bad guy was cracked the easy ones and then posted these, saying, 'These are the ones I can't crack.'"
How did this happen? How the hacker got access to the data isn't known. What is known is that the ease with which the passwords were cracked comes down to poor password-storage practices at both companies.
In LinkedIn's case the passwords were not encrypted at all but hashed (with SHA-1), and the hashes were not salted. A salt is a random value, generated per account and stored in the clear next to the hash, that is mixed into the password before it is hashed. Without one, every account with the same password has the same hash, and an attacker can hash a wordlist once and compare it against the entire dump in a single pass. LinkedIn says it has since corrected this weakness and that passwords are now salted and hashed.
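To make the salting point concrete, here is an added example (not code from this article, LinkedIn or eHarmony) that stores a few constructed passwords the way LinkedIn did, as bare SHA-1 hashes, cracks them with a tiny wordlist, and then repeats the attack against a per-account random salt combined with an iterated hash. PBKDF2-HMAC-SHA256 is used because it ships in Python's standard library; the account names, passwords, wordlist and iteration count are made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data for the example (not from the leaked lists):
# four accounts, two of which chose the same password.
USERS = {
    "alice": "linkedin",
    "bob": "password1",
    "carol": "linkedin",
    "dave": "correct horse battery staple",
}
# A tiny stand-in for the multi-million-entry wordlists crackers actually use.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "password1", "letmein"]


def unsalted_sha1(password: str) -> str:
    """What LinkedIn stored in 2012: the bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {name: unsalted_sha1(pw) for name, pw in users.items()}


def crack_unsalted(stored: dict, wordlist: list):
    """Hash the wordlist once, then look every stored hash up in that table.
    Cost is len(wordlist) hashes no matter how many accounts are in the dump,
    and accounts with identical passwords fall together because they share a hash.
    Returns (cracked accounts, number of hash computations spent)."""
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {name: table[h] for name, h in stored.items() if h in table}
    return cracked, len(wordlist)


def salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 from the standard library.
    (bcrypt, scrypt or Argon2 are better choices in production; this needs no extra packages.)"""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_salted(users: dict, iterations: int = 100_000) -> dict:
    """A fresh 16-byte random salt per account. The salt is not secret; it is
    stored beside the hash so the server can recompute the hash at login."""
    records = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        records[name] = (salt, iterations, salted_hash(pw, salt, iterations))
    return records


def verify_salted(password: str, record: tuple) -> bool:
    salt, iterations, digest = record
    candidate = salted_hash(password, salt, iterations)
    # constant-time comparison so the check itself leaks nothing about the digest
    return hmac.compare_digest(candidate, digest)


def crack_salted(records: dict, wordlist: list):
    """No shared lookup table is possible: each guess must be re-hashed under every
    account's own salt, so the cost scales with accounts * guesses * iterations.
    Returns (cracked accounts, number of underlying hash iterations spent)."""
    cracked = {}
    work = 0
    for name, record in records.items():
        for w in wordlist:
            work += record[1]          # iterations burned on this one guess
            if verify_salted(w, record):
                cracked[name] = w
                break
    return cracked, work


if __name__ == "__main__":
    stored = store_unsalted(USERS)
    print("unsalted: alice and carol share a hash:", stored["alice"] == stored["carol"])
    cracked, work = crack_unsalted(stored, WORDLIST)
    print(f"unsalted: cracked {sorted(cracked)} after {work} hash computations")

    records = store_salted(USERS)
    print("salted:   alice and carol share a hash:", records["alice"][2] == records["carol"][2])
    cracked, work = crack_salted(records, WORDLIST)
    print(f"salted:   cracked {sorted(cracked)} after {work} hash iterations")
```

Both runs crack the same three accounts, because a salt does not make a guessable password unguessable; what changes is the price. The unsalted dump falls to six hash computations for any number of accounts, while the salted, iterated store costs over a million underlying hash iterations for four accounts and a six-word list, and that multiplier is exactly what slows an attacker working through millions of accounts and millions of candidate words. A salt paired with a fast hash such as plain SHA-1 removes the shared table but not the speed, which is why the slow, iterated construction matters as much as the salt.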
eHarmony was also storing unsalted hashes and still doesn't appear to understand what securing them properly requires. In a post on the eHarmony blog it recommends that users reset their passwords and offers tips for choosing a strong one. To be clear: a weak password is easier to guess, but the reason more than half the list fell within days is that the hashes were unsalted and fast to compute, so one pass over a wordlist tested every account at once. Storing passwords properly, with a per-account salt and a deliberately slow hash, is the company's responsibility, and it is what protects the many users who chose ordinary passwords. The eHarmony blog is silent on what steps it is taking to improve its own security.
Given the seriousness of this breach, I recommend that all LinkedIn and eHarmony users change their passwords immediately, even if they have not been notified that theirs was among those stolen. If you use the same password on other sites, change it there as well.
Because eHarmony has yet to say what measures it is putting in place to prevent this from happening again, you should treat any password and personal information you give to eHarmony as insecure.