Password breach spreads beyond LinkedIn
WASHINGTON — More websites admitted security breaches Thursday after LinkedIn said some of its members’ passwords were stolen, and experts warned of email scams targeting users of the social network.
Security experts were warning customers of the hacked websites to be alert for fake emails that purport to warn about the breach but are in fact attempts to steal personal data, a phenomenon known as “phishing.”
The US dating website eHarmony and the British-based music site Lastfm.com said their user accounts were also compromised and urged members to change their passwords.
“We are currently investigating the leak of some Last.fm user passwords,” the website blog said.
“This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.”
EHarmony’s Becky Teraoka said that “a small fraction of our user base has been affected” and that “as a precaution, we have reset affected members’ passwords.”
Graham Cluley of the British security firm Sophos said data from 1.5 million eHarmony passwords was uploaded to websites, “where hackers were encouraged to join forces to crack them.”
Cluley also warned users of Lastfm.com to change their passwords.
But users were also being cautioned against clicking on links that purport to be from the compromised websites. LinkedIn said it was not including any links in its warnings to customers.
Mikko Hypponen of the Finland-based firm F-Secure said a flood of such phishing emails was likely.
“First change your LinkedIn password. Then prepare for scam emails about LinkedIn password changes, linking to phishing sites. Will happen,” he said in a Twitter message.
Security experts said some 6.5 million LinkedIn accounts were posted to a Russian hacker forum, but that figure was being debated Thursday.
The security firm Imperva said the evidence suggests “the size of the breach is much bigger than the 6.5 million accounts” and added that “the passwords weren’t properly protected.”