
The discovery of password security breaches at three popular sites has yet again reminded the web that using the same password for every site isn’t a good idea. Passwords have been stolen from millions of users of Last.FM, eHarmony and LinkedIn.

Stolen LinkedIn and eHarmony password hashes were recently uncovered when a hacker asked for help cracking them on a public web forum. The passwords were hashed, but many of the hashes were “unsalted”, making them easier to crack. Some passwords had already been cracked by the original poster, and within several hours millions more had been split wide open by others.

The number of leaked passwords from these two sites is around 8 million, and almost all of them have been cracked at the time of this writing. The list does not include account names, but security experts commenting on the breach say it’s reasonable to assume that the original hacker also has that information. Even if the hacker does not, the breach lets anyone discover the most commonly used passwords on these sites, and those passwords could then be tried against accounts at random.

More bad news rolled in shortly after, when Last.FM announced that it was investigating a user password leak. The decision to investigate appears to be related to the leak of the eHarmony and LinkedIn passwords. A post on the official blog states: “This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately”.

That’s good advice. If you use these sites or have used them in the past, you should change your password immediately. It’s also a good idea to change your password on any other site where you have used the same one.
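As an added illustration (not from the article or from Ars Technica), the following Python compares the unsalted hashing described above with a salted, iterated scheme over a constructed list of users; two of them share the weak password "password1", so the unsalted table collapses their entries into one reusable value.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample data: three users, two of whom chose the same weak password.
USERS: Dict[str, str] = {"alice": "password1", "bob": "password1", "carol": "correct horse"}

ITERATIONS = 200_000  # PBKDF2 work factor; tune to your hardware


def unsalted_sha1(password: str) -> str:
    """The weak scheme behind the leak: one plain SHA-1 digest per password, no salt.
    Every user with the same password gets the same digest, so a single cracked
    value (or a single precomputed table) covers all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256. Returns (salt, digest).
    The salt is stored next to the digest; it need not be secret, only unique."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored)


def shared_digest_count(digests: Iterable[bytes]) -> int:
    """Number of stored entries whose digest also appears on another entry.
    For an unsalted table this is how many accounts fall together with one guess."""
    counts = Counter(digests)
    return sum(c for c in counts.values() if c > 1)


def compare_schemes(users: Dict[str, str]) -> Dict[str, int]:
    """Hash every user under both schemes and report how many entries collide."""
    unsalted = [unsalted_sha1(pw).encode() for pw in users.values()]
    salted = [salted_hash(pw)[1] for pw in users.values()]
    return {"unsalted_shared": shared_digest_count(unsalted),
            "salted_shared": shared_digest_count(salted)}
```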


Source: Ars Technica

  1. Theo Reisinger
    October 10, 2012 at 1:22 am

    This seems to be a common theme lately. I feel that means more and more on why you should practice internet/password security.

  2. Wiry Andi
    June 27, 2012 at 3:46 am

    In my opinion, a good password to use is a combination of numbers and characters,
    and it's best if the characters are capitalised as well, though it's hard to remember.
    Anyway, what does "unsalted" mean?

  3. Jon Smith
    June 9, 2012 at 10:11 pm

    Wasn't surprised that password1 was compromised, according to the site that told you what was compromised.

  4. Himanshu Singla
    June 8, 2012 at 4:06 pm

    This is a real worry, because if websites like LinkedIn got hacked, nothing is secure on the web... I think....

  5. Scutterman
    June 8, 2012 at 11:44 am

    Thanks for the informative article, I don't follow the Last.FM blog or twitter so I wouldn't have known about this otherwise.

  6. Raks
    June 8, 2012 at 4:34 am

    How do they actually steal passwords from these secure sites ?

    • Tina
      June 13, 2012 at 4:16 pm

      It's called hacking. Truth is, every security system has a hole or weak spot somewhere. If we could explain in detail how to identify and exploit the security hole, we could be hackers, too. Fortunately, it's not that easy!

      • Mario
        June 27, 2012 at 10:19 am

        Truth is, many "big websites" have insecure systems built by noobs.

  7. Nick Bruce
    June 7, 2012 at 10:13 pm

    What's weird about these attacks is that they happen in bursts. Like, there's been 3 sites with concerns now, but for the past few months, you haven't heard anything about these kinds of attacks.

    • Cliff Mccullar
      June 8, 2012 at 12:21 am

      Well, that really comes down to a few things, Nick, one of them being that companies tend to try to keep stuff like this extremely quiet. For instance, Apple has had 3 MAJOR break-ins that it did not inform its customers about, and flat out denied happened, yet you can find 3 separate blocks of massive amounts of iTunes users complaining about fraud (all with the same issue, happening in a small amount of time (days)). Secondly, the amount of sites broken into daily is a staggeringly large number; it's so common that even when the sites DO report it correctly or inform their users that it has happened, it amounts to a drop in the bucket. Oh, they got 10000 cc numbers? It's not newsworthy; you're not going to hear about it unless you go searching for it. Just like every car accident in the country isn't headline news on CNN, there are just too many of them. So you will tend to only hear about the REALLY big break-ins that the companies report. But I can also think of a number of major breaches that happened "solo", such as Hotmail or Yahoo, Microsoft etc. It's just not as impressive to report that Yahoo got broken into and hey, so did these 30 websites you have never heard of as well. Yahoo is the headline event; you don't need 30 sites who get minimal hits per day as is.

      The final thing on this, in my opinion though, is the worst: no one seems to get what a huge problem this is. Companies by and large just don't put resources into securing their systems, let alone training all their employees in security awareness. The "press" is so used to these attacks now that it doesn't see the forest for all the trees, and what kind of a threat that is to everyone. Because the press isn't informing the public, the public (such as yourself) is unaware of the major issue that it is, so that you can start protecting yourself. The end result? Over 1b in damages a year and climbing.

      • Mihovil Pletikos
        June 8, 2012 at 1:01 pm

        Yeah, I agree. I wonder how many times this happened to other sites but was covered up (hey Apple!!!! ok, not just them....)

  8. Justin Boyle
    June 7, 2012 at 9:02 pm

    Is there anything to suggest a relation between these leaks?

    • Matt Smith
      June 7, 2012 at 9:46 pm

      The passwords that were posted were found to contain phrases suggesting they were related to both eHarmony and LinkedIn (but mostly LinkedIn).

      As for, the company has simply stated what was quoted in the news posts. I don't think anyone had found what they thought to be passwords in the hashes posted, but the phrasing of the blog post seems to suggest the company thinks there is a link.
