And Today's Cyber Attack Award Goes to LinkedIn, as News Breaks that Users' Passwords are Now Compromised

By Jamie Epstein June 06, 2012

Oh social network phenomenon LinkedIn, whatever are we going to with you? The extremely popular website that boasts 150 million users worldwide and is known for helping you to connect with colleagues and potential employers is just the latest company to be thrown into the hacking spotlight, as early this morning it was reported that the site has been penetrated by tech-savvy individuals and they have successfully gained access to approximately six and a half million passwords.

Although still not officially spoken about by the company, sources are saying that a Russian-based group is responsible for this and that although these passwords have been encrypted, with the right tools in place, they were still able to be infiltrated.

In addition to the overwhelming amount of passwords that people are now scrambling to replace, around 300,000 of these supposedly private combinations of letters, numbers and symbols have already been cracked, according to an article on Tech Now.

Dave Pack, director of LogRhythm Labs said in a statement, “Without specific details of the attack, it’s difficult to determine exactly what could have been done to help protect the sensitive data. However, most database breaches are the result of a vulnerable Web application front end being exploited utilizing SQL injection. According to our research, it is extremely common for successful attackers to utilize automated SQL injection tools such as sqlmap or Havij. Such tools leave behind a log trail on the web server which at first glance makes the attack appear complex, but also makes it easy to detect. For example, by default these tools put their own names into the User Agent (UA) String of the http requests they make. UA whitelisting/blacklisting can be utilized to ensure automated SQL injection tools are immediately identified should they be used to perform Web application reconnaissance or launch an attack.”

“In addition, these tools put quite a bit of SQL syntax into URL parameters. Most Web applications have no legitimate need for SQL in the actual URLs. Alarming on this syntax along with encoded variations will detect both automated tool usage as well as manual Web application attacks. As soon as an attacker is identified by one of these methods their IP address should be blocked, preferably in an automated fashion. Everything that is needed to identify and stop an attack of this nature is all right there in as little as a single log entry on the Web server,” he added.

In response to the attack, Ulistic issued a PSA to all LinkedIn users that advised them to change their passwords post haste in which the company stated, “LinkedIn may have a bit of an issue to deal with. They are investigating that potentially over six million password have been compromised. Ulistic recommends that you change your LinkedIn password immediately and inform both clients and associates about this potential breach.”

Security Researcher Cameron Camp of ESET, a security company, also weighed in with his opinion stating, “The difference with this hack, as opposed to many others, is that people put their REAL information about themselves professionally on the site, not just what party they plan on attending, ala Facebook and others. And every time one of your LinkedIn contacts updates their profile, you get updates from LinkedIn showing what’s happening. This has the aggregate effect of garnering a form of peer review on what you post about yourself, knowing that it is exposed potentially to those business or career contacts that have a direct impact on your life. In other words, mess with somebody’s professional profile, and you’re messing with their life, and their contacts know about it.

Stay glued to TMCNet as more developments in this story are unveiled!




Edited by Rachel Ramsey

TechZone360 Web Editor

SHARE THIS ARTICLE
Related Articles

Microsoft Research Project Allows for Inexpensive 3D Scanning from a Smartphone

By: Christopher Mohr    8/27/2015

It is now possible to perform 3D scanning from a smartphone, without additional hardware or an Internet connection, thanks to a new Microsoft Research…

Read More

Amazon's Scaled Back Consumer Device Efforts, Dash Button, and More

By: Paula Bernier    8/27/2015

Word is that Amazon is scaling way back on its consumer devices efforts, having let go of dozens of Lab126 engineers who worked on its Fire phone, acc…

Read More

The 4K War is Brewing, but Don't Expect a Crowned Winner

By: Special Guest    8/27/2015

The hype around 4K Ultra HD video is growing and we're seeing it gain traction in real ways. From the NFL Network and CBS using 4K cameras to capture …

Read More

Wallet Wars Part 2: Thanks to EMV, the Force is with Mobile Wallets

By: Special Guest    8/26/2015

In December 2015, when "Star Wars: The Force Awakens" hits movie theatres across the U.S., a very different type of force will 'awaken' the mobile wal…

Read More

Major Automakers Forge Alliance to Combat Cyberattackers

By: Joe Rizzo    8/25/2015

If you take a few minutes to think about what hackers go after, you'll realize that it is anything that has an Internet connection. Thanks to the Inte…

Read More