A report from an internet security company suggests many more than the report 6.5m password might have been compromised, as news emerged the same hacker could be behind a password breach at online dating website eHarmony.

LinkedIn

Internet security company Imperva contacted IBTimes UK to say that it believes more than the originally stated 6.5 million accounts have been compromised.

Having followed the story closely and looked at the leaked file itself, Imperva's Application Defence Centre told us why it believes the number of affected users could be much greater than first thought:

"The password list is missing the 'easy' passwords. The password files do not contain easy to crack passwords such as '123456' that are traditionally the most common choice of passwords."

The company also states: "Passwords are typically listed only once. In other words, the list doesn't reveal how many times a password was used by the customers. This means that a single entry in this list can be used by more than one person.

"For reference, in the RockYou hack the 5,000 most popular passwords were used by a share of 20 percent of the users. We believe that to be the case here as well, another indicator that the breach size exceeds 6.5 million."

Although it is widely believed that the passwords are all from the accounts of LinkedIn users, Imperva said: "LinkedIn was probably breached but the password database doesn't indicate this specifically. Many of the passwords contained a high volume of the word, or a variation of the word, 'linkedin'. This indicates that the pool of passwords comes from LinkedIn."

Hours after the passwords were leaked online, LinkedIn provided the following statement on its blog, confirming that some of the passwords that were stolen are linked to LinkedIn accounts::

"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation."

Compromised passwords

LinkedIn also outlined the steps it will be taking to ensure members' user profiles and data is secured:

  1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
  2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
  3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

The problem with this system is that if your password has been compromised, then it is possible you will receive phishing emails from cyber criminals pretending to be from LinkedIn.

"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," the LinkedIn spokesperson added.

LinkedIn had been criticised for failing to 'salt' passwords stored on its servers. What this means, as explained by security expert Chester Wisniewski of Sophos, is that a string of random characters is added to the saved passwords.

"It means that password lists cannot be pre-computed based on dictionary attacks or similar techniques. This is an important factor in slowing down people trying to brute force passwords. It buys time and unfortunately the hashes published from LinkedIn did not contain a salt," Wisniewski explains.

Adding a salt to passwords prevents hackers from using an automated programme to scan through the database of stolen passwords to crack them.

eHarmony password breach

Online dating website eHarmony admitted on Wednesday that it too has fallen victim to hackers, saying the passwords of a "small fraction" of its 20 million users have been compromised, but refused to give a specific number.

Website Ars Technica claims to have found about 1.5 million passwords leaked online which appear to belong to eHarmony users.

The dating website said on its blog that it has reset the passwords of users affected and emailed them explaining how to create a new password, adding that it recommends users adopt "robust" passwords.

This attack is believed to be by the same hacker who stole the LinkedIn passwords. The unidentified hacker posted two lists containing the eight million passwords on the website insidepro.com, under the username "dwdm."

The hacker posted them online and requested his peers to help crack the hashed passwords. According to Chester Wisniewski on the Naked Security blog, 60 percent of the LinkedIn passwords have already been cracked.

Some of the most common passwords, such as those used by the Conficker worm to infiltrate Windows networks. as well as the likes of linkedin', 'linkedinpassword', 'p455w0rd' and 'redsox' and even passwords which indicated that people should have known better, such as sophos', 'mcafee', 'symantec', 'kaspersky', 'microsoft' and 'f-secure'.