eHarmony, Last.fm join LinkedIn with password leaks

Warwick Ashford

Online dating site eHarmony has also been hit by the theft of millions of passwords, some of which professional networking site LinkedIn confirmed corresponded to members' accounts.

The confirmation came after reports that 6.5 million encrypted stolen passwords had been posted on a Russian web forum, where hackers were invited to help decrypt them.

Experts said that the fact that some of the passwords included the phrase “eHarmony” indicated they were taken from the online dating website, according to the Telegraph.

In a blog post, eHarmony's corporate communications chief, Becky Teraoka, said that the firm was contacting affected users and resetting their passwords.

"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," she said.

The passwords of around 1.5 million of eHarmony's more than 20 million users worldwide are believed to have been compromised.  

The announcement came within hours of LinkedIn confirming that it had withdrawn all compromised passwords and would send affected users instructions on how to reset their passwords.

The passwords were stolen in “hashed” form, meaning some computing work was required to convert them back into usable passwords, but by Wednesday afternoon the hackers said they had already recovered hundreds of thousands of login details.

LinkedIn said it had introduced better password protection by "salting" the passwords as well as hashing them. Salting appends a random string of characters to each password before it is hashed, which makes it more difficult for hackers to convert the hashes back into plain text.

Change passwords as a precaution

Security experts have advised anyone using the same login details for LinkedIn and eHarmony as they do on other sites to change their passwords on those sites as well.

"As we've said many times, you shouldn't use the same password on multiple websites," said Graham Cluley, senior security consultant at security firm Sophos.

"Doing so is a recipe for disaster, because if you get hacked in one place, all of your other online accounts at other sites which use the same password could fall shortly afterwards," he wrote in a blog post.

Not long after eHarmony's announcement, music streaming website Last.fm warned its millions of users to change their passwords immediately.

In an advisory posted on its website, Last.fm said it was investigating a possible leak of passwords.

"We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately," the website said.

Social networks targeted by hackers

Security commentators said the password compromises at LinkedIn, eHarmony and Last.fm highlighted an escalation in attacks on social networks from hackers seeking to exploit personal data, according to the Financial Times.

In April 2012, social networks replaced financial organisations as the top target of phishing attacks, according to a report by security firm Kaspersky Lab.

Social networks accounted for 28.8% of these attacks in April, a 6% increase from March, due mainly to a surge of attacks aimed at Facebook users, the report said.

Manchester-based hosting company UKFast has warned that the leaked passwords could potentially give cybercriminals access to business e-mails and confidential data.

It is likely that whoever stole the passwords has the corresponding usernames, said Stuart Coulson, cybersecurity expert and director of datacentres at UKFast.

"This is really concerning for businesses, as once hackers have a username and password, they can not only access the account, they can also access any account with the same username and password," he said.

