Assess the Risks to Your Organization
On June 6, password hashes for approximately 6.5 million LinkedIn users were posted to a Russian computer hacking forum. Some were published with the corresponding plain-text passwords, and forum members were actively working to crack the remaining passwords. Because many individuals use the same email address and password for a variety of online services, company employees may have unwittingly exposed the organization to this data breach if they use a company email address and company password to access their LinkedIn accounts. Such compromised credentials can be used by third parties to gain unauthorized access to an organization’s secure networks, putting companies that maintain large volumes of nonpublic, proprietary or trade secret information, such as those in the financial or technology industries, at great risk.
Password hashes are akin to an encrypted version of a password. When a user logs in to LinkedIn, his or her login password is hashed and compared to the stored hash. If the hashes match, access to the service is granted. While only the passwords hashes were leaked in this breach, weaknesses in LinkedIn's hashing algorithm allow the password hashes to be cracked with relative ease.
Of note, the user names and email addresses corresponding to the password hashes were not leaked, and the passwords or hashes are only minimally useful without this information. However, security professionals believe the persons or organizations responsible for this breach do have the usernames and passwords.
It is critical to assess the risks presented by this breach. Beware of "help" sites that offer to determine if your password is among those leaked. Many of these sites also ask for the email address associated with the leaked password, which further compromises credentials.