Security experts are warning businesses to take the publication of encrypted LinkedIn passwords by a hacker seriously.
The professional networking site has confirmed that "some" of the stolen passwords posted online by a hacker correspond to accounts on LinkedIn.
The confirmation came after reports that 6.5 million encrypted stolen passwords had been posted on a Russian web forum, and that hackers were working on decrypting them.
Although LinkedIn has withdrawn all compromised passwords, several security experts have warned that businesses should take action to limit the potential impact.
Manchester-based hosting company UKFast said the leaked passwords could potentially give cybercriminals access to business e-mails and confidential data.
Multiple accounts compromised
It is likely that whoever stole the passwords has the corresponding usernames, said Stuart Coulson, cybersecurity expert and director of datacentres at UKFast.
"This is really concerning for businesses, as once hackers have a username and password, they can not only access the account, they can also access any account with the same username and password," he said.
"With many users seeing the site as an extension of their business communications, rather than as a personal tool, employers need to be aware about the possible threat to corporate data that a LinkedIn breach could represent," said Orlando Scott-Cowley, a security expert at cloud e-mail firm Mimecast.
Businesses should seize the opportunity to educate users on the benefits of password complexity and good password policies, he said.
Coulson said that because many users have the same login details for LinkedIn, Facebook and even their work e-mail, this hack also had the potential to give cybercriminals access to personal and business information.
"The hack is one of many in recent times, but poses a higher risk because of the business links to the site," he said.
Risk to business data
Coulson said the hack has also brought to light once again the importance of properly storing customer details.
"The database of passwords was encrypted using outdated SHA-1 encryption and they were not ‘salted’, where a random string of numbers is added to the encryption to increase the safety of the stored information," he said.
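The weakness Coulson describes (unsalted SHA-1, so identical passwords produce identical stored digests) set beside a salted, slow hash, as an added example that is not from the article or from any of the firms quoted; the user names and passwords are constructed, and the 600,000-iteration PBKDF2 figure is an assumed parameter:

```python
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

# Constructed sample data: two users who picked the same password (an assumption for
# illustration; the article's own example phrase is reused as the value).
USERS: Dict[str, str] = {
    "alice": "ILoveL!v3rPO0LFc185",
    "bob": "ILoveL!v3rPO0LFc185",
    "carol": "Af197\"8",
}

PBKDF2_ITERATIONS = 600_000  # assumed per-guess cost; raise as hardware gets faster


def store_unsalted_sha1(users: Dict[str, str]) -> Dict[str, bytes]:
    """The weak scheme the article describes: one bare SHA-1 digest per user, no salt.
    Equal passwords yield equal digests, so recovering one entry exposes every duplicate."""
    return {name: hashlib.sha1(pw.encode()).digest() for name, pw in users.items()}


def store_salted_pbkdf2(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Hardened form: a random 16-byte salt per user plus a slow KDF (PBKDF2-HMAC-SHA256).
    Equal passwords now yield unrelated digests, and every guess costs the full iteration count."""
    records = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        records[name] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS))
    return records


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def users_with_shared_digest(records) -> Set[str]:
    """Defender's audit check: usernames whose stored digest equals another user's.
    Any hit means the store reveals password reuse across accounts without any cracking."""
    by_digest: Dict[bytes, Set[str]] = {}
    for name, value in records.items():
        digest = value[1] if isinstance(value, tuple) else value
        by_digest.setdefault(digest, set()).add(name)
    return {n for group in by_digest.values() if len(group) > 1 for n in group}


if __name__ == "__main__":
    print("unsalted SHA-1 shared digests:", users_with_shared_digest(store_unsalted_sha1(USERS)))
    print("salted PBKDF2 shared digests:", users_with_shared_digest(store_salted_pbkdf2(USERS)))
```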
Gavin Watson, senior security engineer and head of the social engineering team at security firm RandomStorm, said that although security professionals are well aware how much information can be gathered on a person from online applications, it is not so widely appreciated how this information can be used by hackers to target the businesses that a compromised individual deals with.
Top password safety tips from UKFast
- Use a mix of uppercase and lowercase characters, numbers and symbols – Af197"8
- The longer the better – a phrase such as ILoveL!v3rPO0LFc185 would be ideal
- Use completely different passwords for each account
- Change your passwords regularly
- No dictionary-listed words or obvious passwords – Password or 123456
- No dates of birth, initials, names, or anything that would be easy to guess
"It is the responsibility of everyone in the chain to make it as difficult as possible for hackers to succeed," he said.
Scott-Cowley said Mimecast research shows that organisations are still wary about the security implications of social media within the workplace.
"But, those levels of concern are lower than we would expect, given risks such as these," he said.
The research showed that 59% of IT teams polled believed that social media usage at work increased the risk of corporate information leaks, and 55% believed the risk of security breaches was also increased.
"With this in mind, simply letting your users ‘get on with it’ themselves will not help your risk profile. It is vital that users are continuously educated about risk and staying safe online – only then can businesses worry less about those risks," said Scott-Cowley.
UKFast’s forensic experts were able to crack 2,000 of the encrypted passwords in just 10 minutes using only a standard computer’s processing unit.
Coulson said password security can be improved by using password generators and two-factor authentication systems.
Although LinkedIn has suspended the passwords affected by the hack, businesses have been advised to encourage all employees who use the professional networking service to change their passwords without delay.