Are you at risk from LinkedIn hacking?

By Sarah Coles , Jun 7, 2012
Filed under: Scams & Fraud

LinkedIn password page Clive Gee/PA Wire/Press Association Images

LinkedIn is investigating claims that millions of user accounts have been left compromised by professional hackers. It has confirmed that some of the 6.4 million passwords published on a hacking site do actually belong to its users.

So are you at risk, and what should you do?

Fight back - latest on scams

Are you at risk?

There were more than 6.4 million LinkedIn passwords posted on a Russian website, which was discovered and publicised by Norwegian security expert Per Thorsheim yesterday. He warned that the fact that passwords do not have to be unique means it is likely to affect many more users with the same password. He also warned that the way the passwords were stored (known as unsalted) means it may be relatively easy for them to be linked to a user's details and therefore used by criminals.

LinkedIn has now confirmed that some of these passwords do indeed belong to its users. In a statement it said: "We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation."

Fight back - latest on scams

What can you do?

So far, there is no evidence that email addresses had been compromised, which means the passwords may not be all that useful to criminals. However, the experts say it is worth taking precautions and changing your password.

LinkedIn has confirmed that anyone who was affected will have had their password disabled. It said: "These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link."

Regardless of whether you receive this notification or not, it's worth changing your password - just to be on the safe side. Realex Payments - through its blogger Security Ninja - advised: "My advice would be assume the worst and go change the password now."

LinkedIn added: "It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases."

Password care

The security gurus add that the right password is important. Graham Cluley, an analyst from Naked Security analysed the passwords that had been published, and said people need to take much greater care when setting them. There were a host that had actually been reset by a virus without users knowing, and a number of particularly weak options, including 'linkedin', 'linkedinpassword' and 'p455w0rd'.

Experts at LinkedIn suggest a number of options, including thinking of a meaningful phrase, song or quote and turning it into a complex password using the first letter of each word. It also suggests adding random punctuation or substituting numbers for letters that look similar.

LinkedIn said: "We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously."

The top 10 scams of 2011

1. Mid-contract price hikes
It is reasonable to assume that if you take out a mobile phone contract at £30 a month for 24 months that's exactly what you'll pay unless you exceed the tariff. Yet mobile phone providers have come under fire for a snag buried in the small print – a clause to allow mid-contract price rises. Prices are rising by a median of 81p a month and 70% of consumers are completely unaware off this sneaky move, according to Tesco Mobile, so be sure to check any new contracts before you sign the dotted line.
1. Land banking
 Land banking involves plots of land offered for sale, often online, with the promise of sizable returns when planning permission is approved for housing or other development. Yet often the land is located in areas protected from development by planning law. The companies involved soon disappear with investors' money and as the firms are not protected by the Financial Services Authority, their funds are not covered by the Financial Services Compensation Scheme
2. Money mule
 Fraudsters recruit unknowing accomplices through email under the guise of offering employment, seeking a personal favour, or through internet shopping sites. The recruits are persuaded into receiving what are essentially fraudulent payments and then passing funds on. The 'mules' are frequently offered a small financial incentive to encourage involvement and face difficulties in proving their innocence when the fraud is discovered.
3. Carbon credit fraud
 The scams claim to offer people the chance to profit from carbon credits. Under regulations that permit businesses to emit a tonne of CO2 – the companies claim to offer investment in green projects like a forestry scheme or a solar panel project, which generates carbon credits that are then sold on to heavy industry. A flashy brochure or website tells of a reliable 'government-backed' scheme which provides reliable returns for investors. Such a scheme doesn't exist however – a reality investors only discovered when they have parted with their cash and the company is untraceable. As with land banking, fraudulent companies are not covered by the FSA so victims have no course for recompense
4. HMRC phishing scam
 Receiving an email from the taxman saying you are owed a payment may seem like a nice surprise, but it is actually from fraudsters trying to relieve you of your cash instead. The emails provide a "click-through link" to a cloned replica of the HMRC website. The recipient is then asked to provide their credit or debit card details - all the information the criminals need to clear your account, and sell on your personal details.
6. Crash for cash scams
 Insurer Direct Line reported a hike in the number of 'crash for cash' scams last year – where fraudsters fake accidents by making unnecessary emergency stops at busy roundabouts or slip roads, forcing motorists to crash into them. They then make bogus claims to the innocent motorist's insurer, often including fictitious injuries and passengers.
7. Driving school scams
 Learner drivers have been taken for ride by being unknowingly taught by trainee instructors. An investigation by the AA found up to 27,000 extra driving tests have been failed in the last year because one in 10 learner drivers are unwittingly taught by an instructor they do not know is learning on the job.
8. One man mail scam
 July saw the arrest of a Leicester postman who stole £46,686 worth of mail over two-and-a-half years. Yogeshbhai Patel, 38, was jailed for two years for stealing mail including 2,000 DVDs and 2,250 games along with CDs and other electrical equipment. He intercepting the valuable packages and spent the money on living a luxury lifestyle including helicopter rides and a trip to Las Vegas.
9. Smart meter scam
 The Trading Standards Institute reported over 200 cases where elderly homeowners have been targeted by telephone cold callers, purporting to be from their energy supplier and offering energy saving devices which could cut their bills by 40%. The TSI tested the devices in homes where owners had fallen for the scam, only to find they both failed to satisfy electrical safety standards or deliver any tangible energy savings.
10. Thermal camera fraud
 Thermal cameras that track ATM pin numbers are the latest weapon in their arsenal and US scientists have warned it is the next threat for this form of crime. Researchers at the University of California at San Diego found that up to 45 seconds after a person types their pin code into an ATM machine or door entry pad the numbers and even the sequence are still readable by thermal cameras.