LinkedIn users are being bombarded by spam emails after the social network was hacked and hashed passwords of users dumped online. Members of the business network told The Register that they had received scores of invitations to "link in" with new connections, often flagged with warnings from their email provider that the …
Peter Baston unmasked
"...and when you have an enforced connectivity regardless model pushed to the master revenue plan added to antiquated security systems and zip due diligence like LinkedIn – that's a FUBAR train wreck waiting to happen"
Fuck me, it looks like amanfromMars has a job as a security consultant!
of the story?
Don't link in.
Anything with the word "link" in its name sucks..... wait
Re: Peter Baston unmasked
Be at peace earthling and get back on your flat world supported on four elephants flying around the universe on the back of A'Tuin the giant star turtle
It could just be that Spammers Inc are following their normal habits of using any event which has significant media coverage as the launchpad for another tranche of emails in the hope that 'reality show fan' grade intellects will fall for them.
Had to log in this morning, and got an error message that my password was incorrect. Which it wasn't, so I can only assume my account was one of the ones that had its password reset. But no mail, no message on the login page, no pertinent message in the ubiquitous password reset mail, no message after the reset and logging in again.
But no deluge of invitations either, nor any other spam (yet) that could be traced to this leak.
You are owned... just wait for it . . . .
maybe your profile is just not interesting enough...........
A spammer deciding whether or not to send spam to a particular account takes him more effort than just sending it.
LinkedIn is spam anyway.
All's it is is a collection of salesdroids all looking to 'network' (build list of suckers to sell stuff to/beg for work).
If I ever wanted to connect with people from my past who I stopped talking to, I'd use FB -- but every time I've ever given in to temptation and looked them up, I quickly re-discovered there was a *reason* why I let the association lapse.
Re: LinkedIn is spam anyway.
Funny. Less than 5% of my contacts are IT pimps, and there has been just a single case of one trying to link me on the pretext that he knew me while at the same time offering me a job.
But then, UK pimp mores are quite different from Dutch.
Re: LinkedIn is spam anyway.
You are missing the point that it's a work based site - it's not Facebook. It's for keeping track of work based connections who you might be able to use to benefit your career in the future. Not because you like them.
It's also useful as a barrier between recruiters and your actual email address / phone number because you don't HAVE to share your details with them when they spam you.
Also, if you have a decent profile you can actually get head hunted by good employers from there (not recruiters). It happened to a friend of mine - lucky bugger.
Last.fm have been hit too
More information posted in a Reddit post. MD5 storage, apparently leaked some time ago, but spammers have started hitting addresses in the past few weeks. Given that these reports started surfacing on Last.fm forums on 10 May (exhibit A / exhibit B), it's rather a slow response from them...
2 accounts, no passwords
I wonder if they have cracked the passwords for the two accounts I set up early on (you need 2 to see how it works), no doubt they are trying to spam the throwaway email accounts I used to set them up (I have no idea what these were called or their passwords either).
I have at least 3 facebooks, 2 twitters and numerous others where they want you to log in to do some stuff, each with email accounts that I only used to set them up.
I go on the basis of one time logins, if I need their site again I will just create a new one.
I'm not sure the LinkedIn spam is connected with the database leak
I too have started to receive a large quantity of LinkedIn phishing spam -- but it's all directed to different email addresses than those I use on LinkedIn (which curiously is receiving NO phishing email). Both the targeted email addresses and originating hosts correlate with an upturn in similar phishing attempts for Twitter, Facebook, Verizon, big banks, etc., so I'm not convinced that it has anything to do with the database leak.
so not just hashed passwords then?
As I've deleted my account months ago and didn't receive any spam on that address there's the glimmer of hope that account deletions are indeed real deletions..
LastPass has a checking page and whilst it's probably safe enough to use, you should change your password just to be safe.
But the best thing about this page is to play "Guess the dumb password". And yes "password" is one of them.
Really...I would have thought Linkedin would have attracted users with some level of sense. Seems not.
"I would have thought Linkedin would have attracted users with some level of sense"
Now what on earth gave you that idea? It's a social network.
I checked a few painfully obvious ones, like qwerty and some variations of password. I shouldn't be surprised at finding them but I am - what were they thinking?
Haha, yes quite illuminating.
and the most amusing I stumbled across: billgates
It seems that wearing a suit is no bar to being a dumb fuck.
I wonder if you changed your password to that exact same message about blowing up some backwater provincial airport that got that bloke convicted for being a terror-tweeter if you'd be liable for the same offence? After all, you would be sending a disturbing/upsetting* message through a digital communication link every time you logged in.
*them's like law words or something.
Haha my password was not leaked. But then again, it's 10 random characters generated from /dev/random.
battery staple horse correct wasn't leaked either
First thing I did upon hearing about it was change my password. Or at least I tried to. The system is so confusing and messed up that I'm still unsure if I succeeded.
I think these social networking websites are such a fundamentally bad idea that this is a case where the government should outlaw the entire industry before the explosion. I'm convinced there's going to be some kind of massive fiasco on a giant scale, but I'm not sure what it might be. I can see a LOT of obvious fiascoes on a personal scale...
It isn't just the obvious risks of identity theft and blackmail or the second-level threats of detailed dossiers and exploitation of personal weaknesses. Even your strengths and interests can be turned against you to do damage...
What makes it even more idiotic is that none of them use a single capital letter!
Yes there is "hahaha", but no "HaHaHa". Some other funny ones to your list:
Password, Pasword, Passw0rd, passw0rd
and so on
> a case where the government should outlaw the entire industry
I don't know what's worse: badly protected social networking sites or rampant state idolatry.
According to that page, my password was on the list. "Was" because I changed it as soon as I read about the problem - I haven't seen any emails from LinkedIn, though. (I suppose it's possible they're only sending the email to those whose passwords are unchanged but, somehow, that seems unlikely.)
LMAO I'm not on linkedin but I tried your link and tried 123456.... Looks like I've been compromised ohhh err
The Spam was about CV writing and honesty
This is A Good Thing
at least for me.
LinkedIn was one of my 'standard low-security' passwords, it seems not to have been one of the leaked ones, but The Password Gorilla now protects all my work and home logins (across fedora and win7 - just need a gorilla client for small fondleslab now) and every single one is different.....
About bl**dy time I did it, too.... and hopefully it will encourage everyone else to do the same.
I almost never get any spam
Johnny no-mates, or just a bit clever?
Not just LinkedIn users
Reg - your headline says LinkedIn users are receiving spam as a result of the leak. Is that just a poorly worded headline or worse? LinkedIn users will be no more likely to be 'buried in spam' than the man in the street who's never even heard of it.
How does a spammer get LinkedIn users' email addresses from a list of hashed passwords? They don't. Why would they target LinkedIn users? Better just to do what they always do and pump them out to any email address they have or can make up, while there's a useful news story to ensure the topic is in the minds of their unsuspecting recipients. If the recipient happens to be a LinkedIn login then that increases the small chance of the user falling for it.
Re: Not just LinkedIn users
And what makes you so sure that they don't have a list of email addresses to go with the hashed passwords? Chances are high that whoever managed to hack LinkedIn got more than just a list of hashed passwords, they'll have got the email addresses with it.
Although yes, I imagine spammers have reacted and started pumping out a higher proportion of spam disguised as LinkedIn in general, and legitimate users have assumed causality. Although in fairness El Reg's headline hasn't linked the two.
Re: Not just LinkedIn users
I wasn't saying they didn't have email addresses (I wouldn't be surprised if they did), I just don't think they would be used for targeting spam.
Spammers are opportunists who will send topical spam to any email address they can, regardless of whether the user is a LinkedIn user or not. I don't think every man and his dog buys viagra, but that doesn't stop spammers sending invitations to solve trouser problems.
Spam? - Bloody Vikings!
No spam other than the usual rate (like from BILL GATES FONDATION, or the widow of the late UJUMBU N'TUITIF, or warnings that bank accounts are blocked until I update my personal information, usually from banks where I have no account). Internet business as usual, in other words. No offers for cheap Viagra today, or cheap PhDs (maybe they did find out I have a proper PhD through linkedin).
My password does not seem to have leaked, no important stuff is on there, and I have changed my password to be on the safe side.
I took the LinkedIn hack as a good time to go and update ALL my online accounts, so have been working through these in the past couple of days. It's been quite illuminating how many companies don't allow non-alpha characters. Few allow spaces (so no pass phrases), one only allows 6-character passwords (no more, no less!), and one bank won't allow a sequence of more than 4 numbers or letters - so that seriously restricts the use of memorable words or phrases, even without spaces!
Yes - I've done the same, with the same frustration. What possible reason can there be for these restrictions - unless it creates plausible deniability for the company/bank when your account is breached?
leemail is protecting my email
I'm glad I used leemail.me to share my "email" with LinkedIn. No LinkedIn hack SPAM for me.
I deleted my account a year or so back - too many people trying to add me as a connection who I simply didn't want to be associated with, but now if I try to login it asks me if I want to re-activate my account. So seemingly they still have my details stored even though I've said I want out. Is it too much to ask to have my details removed when I ask?