As LinkedIn is slammed online for weak password practices, the leak of 6.5 million passwords has started an online free-for-all for hackers and web designers looking to cash in (or teach a lesson or two).
LinkedIn confirmed in a Wednesday statement that some passwords were compromised. Passwords of members who were affected will no longer work and they will receive an e-mail with instructions on how to reset them, the company said.
“There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link,” the statement said.
Within hours, LinkedIn users began receiving fake emails directing them to confirm their e-mail address through a link provided in the body of the message.
“Because similar emails have been circulating for some time it is hard to say if this is an example of a coordinated scam designed to leverage the security breach made public today, or simply a coincidence… Sadly, we are likely to see more of these emails as LinkedIn tries to rebuild trust among members,” wrote ESET researcher Cameron Camp earlier this week.
Several online security companies are investigating the details of the latest round of LinkedIn emails, but say that, in the meantime, users should visit the site's homepage directly if they’re worried about clicking suspicious links.
The homepage may not be any safer, though, says Web builder Chris Shiflett -- at least it wasn’t at some point in the past. Shiflett says people who visited the LinkedIn homepage “were shown a fake log in form that attempts to trick users into giving away their email password.”
Shiflett says his password was one that had been leaked and cracked, so on his blog he provided a way for other users to find out if their passwords were among those leaked. It’s pretty technical, so he and some friends created a web-friendly version.
Security experts recommend all LinkedIn users change their passwords immediately if they haven’t already. Shiflett says that since LinkedIn doesn’t know how the leak happened and hasn’t fixed anything yet, people should assume their new passwords are compromised too.
Visit LeakedIn here: http://leakedln.org/.