LinkedIn users buried in spam after database leak

LinkedIn users are being bombarded by spam emails after the social network was hacked and hashed passwords of users dumped online. Members of the business network told The Register that they had received scores of invitations to "link in" with new connections, often flagged with warnings from their email provider that the …

COMMENTS

This topic is closed for new posts.
  1. Brewster's Angle Grinder Silver badge

    Peter Baston unmasked

    "...and when you have an enforced connectivity regardless model pushed to the master revenue plan added to antiquated security systems and zip due diligence like LinkedIn – that's a FUBAR train wreck waiting to happen"

    Fuck me, it looks like amanfromMars has a job as a security consultant!

    1. Anonymous Coward
      Anonymous Coward

      Moral

      of the story?

      Don't link in.

      1. LinkOfHyrule
        Paris Hilton

        Re: Moral

        Anything with the word "link" in its name sucks..... wait

    2. ideapete
      Pint

      Re: Peter Baston unmasked

      Be at peace earthling and get back on your flat world supported on four elephants flying around the universe on the back of A'Tuin the giant star turtle

  2. Kevin Johnston

    Alternatively

    It could just be that Spammers Inc are following their normal habits of using any event which has significant media coverage as the launchpad for another tranche of emails in the hope that 'reality show fan' grade intellects will fall for them.

  3. Stoneshop

    Hmm

    Had to log in this morning, and got an error message that my password was incorrect. Which it wasn't, so I can only assume my account was one of the ones that had its password reset. But no mail, no message on the login page, no pertinent message in the ubiquitous password reset mail, no message after the reset and logging in again.

    But no deluge of invitations either, nor any other spam (yet) that could be traced to this leak.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmm

      You are owned... just wait for it . . . .

    2. Anonymous Coward
      Anonymous Coward

      Re: Hmm

      maybe your profile is just not interesting enough...........

      1. Stoneshop

        @AC 19:45

        A spammer deciding whether or not to send spam to a particular account takes him more effort than just sending it.

  4. perlcat
    Black Helicopters

    LinkedIn is spam anyway.

    All's it is is a collection of salesdroids all looking to 'network' (build list of suckers to sell stuff to/beg for work).

    If I ever wanted to connect with people from my past who I stopped talking to, I'd use FB -- but every time I've ever given in to temptation and looked them up, I quickly re-discovered there was a *reason* why I let the association lapse.

    1. Stoneshop

      Re: LinkedIn is spam anyway.

      Funny. Less than 5% of my contacts are IT pimps, and there has been just a single case of one trying to link me on the pretext that he knew me while at the same time offering me a job.

      But then, UK pimp mores are quite different from Dutch.

    2. Semaj
      Thumb Down

      Re: LinkedIn is spam anyway.

      You are missing the point that it's a work based site - it's not Facebook. It's for keeping track of work based connections who you might be able to use to benefit your career in the future. Not because you like them.

      It's also useful as a barrier between recruiters and your actual email address / phone number because you don't HAVE to share your details with them when they spam you.

      Also, if you have a decent profile you can actually get head hunted by good employers from there (not recruiters). It happened to a friend of mine - lucky bugger.

  5. Anonymous Coward
    Anonymous Coward

    Last.fm have been hit too

    Last.fm Password Security Announcement

    More information posted in a Reddit post. MD5 storage, apparently leaked some time ago, but spammers have started hitting addresses in the past few weeks. Given that these reports started surfacing on Last.fm forums on 10 May (exhibit A / exhibit B), it's rather a slow response from them...

  6. Anonymous Coward
    Anonymous Coward

    2 accounts, no passwords

    I wonder if they have cracked the passwords for the two accounts I set up early on (you need 2 to see how it works), no doubt they are trying to spam the throwaway email accounts I used to set them up (I have no idea what these were called or their passwords either).

    I have at least 3 facebooks, 2 twitters and numerous others where they want you to log in to do some stuff, each with email accounts that I only used to set them up.

    I go on the basis of one time logins, if I need their site again I will just create a new one.

  7. Quxy
    Boffin

    I'm not sure the LinkedIn spam is connected with the database leak

    I too have started to receive a large quantity of LinkedIn phishing spam -- but it's all directed to different email addresses than those I use on LinkedIn (which curiously is receiving NO phishing email). Both the targeted email addresses and originating hosts correlate with an upturn in similar phishing attempts for Twitter, Facebook, Verizon, big banks, etc., so I'm not convinced that it has anything to do with the database leak.

    1. This post has been deleted by its author

  8. Robert E A Harvey

    oh?

    so not just hashed passwords then?

  9. sCode
    Meh

    As I've deleted my account months ago and didn't receive any spam on that address there's the glimmer of hope that account deletions are indeed real deletions..

  10. The BigYin

    Idiots

    LastPass has a checking page and whilst it's probably safe enough to use, you should change your password just to be safe.

    But the best thing about this page is to play "Guess the dumb password". And yes "password" is one of them.

    Really...I would have thought Linkedin would have attracted users with some level of sense. Seems not.

    1. charlie-charlie-tango-alpha

      Re: Idiots

      "I would have thought Linkedin would have attracted users with some level of sense"

      Now what on earth gave you that idea? It's a social network.

    2. I'm Brian and so's my wife
      FAIL

      Re: Idiots

      I checked a few painfully obvious ones, like qwerty and some variations of password. I shouldn't be surprised at finding them but I am - what were they thinking?

    3. Anonymous Coward
      Anonymous Coward

      Re: Idiots

      Haha, yes quite illuminating.

      password

      12345678

      qwertyuiop

      asdfghjkl

      zxcvbnm,.

      changemenow

      linkedin

      harrypotter

      and the most amusing I stumbled across: billgates

      It seems that wearing a suit is no bar to being a dumb fuck.

      1. LinkOfHyrule
        Joke

        Re: Idiots

        I wonder if you changed your password to that exact same message about blowing up some backwater provincial airport that got that bloke convicted for being a terror-tweeter if you'd be liable for the same offence? After all, you would be sending a disturbing/upsetting* message through a digital communication link every time you logged in.

        *them's like law words or something.

        1. Shannon Jacobs
          Holmes

          Re: Idiots

          First thing I did upon hearing about it was change my password. Or at least I tried to. The system is so confusing and messed up that I'm still unsure if I succeeded.

          I think these social networking websites are such a fundamentally bad idea that this is a case where the government should outlaw the entire industry before the explosion. I'm convinced there's going to be some kind of massive fiasco on a giant scale, but I'm not sure what it might be. I can see a LOT of obvious fiascoes on a personal scale...

          It isn't just the obvious risks of identity theft and blackmail or the second-level threats of detailed dossiers and exploitation of personal weaknesses. Even your strengths and interests can be turned against you to do damage...

          1. Destroy All Monsters Silver badge
            Meh

            Re: Idiots

            > a case where the government should outlaw the entire industry

            I don't know what's worse: badly protected social networking sites or rampant state idolatry.

      2. eulampios

        Re: Idiots

        What makes it even more idiotic is that none of them use a single capital letter!

        Yes there is "hahaha", but no "HaHaHa". Some other funny ones to your list:

        Password, Pasword, Passw0rd, passw0rd

        and so on

    4. Destroy All Monsters Silver badge
      Holmes

      Re: Idiots

      Haha my password was not leaked. But then again, it's 10 random characters generated from /dev/random.

      battery staple horse correct wasn't leaked either

    5. VinceH

      Re: Idiots

      According to that page, my password was on the list. "Was" because I changed it as soon as I read about the problem - I haven't seen any emails from LinkedIn, though. (I suppose it's possible they're only sending the email to those whose passwords are unchanged but, somehow, that seems unlikely.)

    6. Anonymous Coward
      Anonymous Coward

      Re: Idiots

      LMAO I'm not on linkedin but I tried your link and tried 123456.... Looks like I've been compromised ohhh err

  11. Duffaboy
    Joke

    The Spam was about CV writing and honesty

  12. Andy 68
    Thumb Up

    This is A Good Thing

    at least for me.

    LinkedIn was one of my 'standard low-security' passwords, it seems not to have been one of the leaked ones, but The Password Gorilla now protects all my work and home logins (across fedora and win7 - just need a gorilla client for small fondleslab now) and every single one is different.....

    About bl**dy time I did it, too.... and hopefully it will encourage everyone else to do the same.

  13. Anonymous Coward
    Anonymous Coward

    I almost never get any spam

    Johnny no-mates, or just a bit clever?

  14. Anonymous Coward
    Anonymous Coward

    Not just LinkedIn users

    Reg - your headline says LinkedIn users are receiving spam as a result of the leak. Is that just a poorly worded headline or worse? LinkedIn users will be no more likely to be 'buried in spam' than the man in the street who's never even heard of it.

    How does a spammer get LinkedIn users' email addresses from a list of hashed passwords? They don't. Why would they target LinkedIn users? Better just to do what they always do and pump them out to any email address they have or can make up, while there's a useful news story to ensure the topic is in the minds of their unsuspecting recipients. If the recipient happens to be a LinkedIn login then that increases the small chance of the user falling for it.

    1. Annihilator

      Re: Not just LinkedIn users

      And what makes you so sure that they don't have a list of email addresses to go with the hashed passwords? Chances are high that whoever managed to hack LinkedIn got more than just a list of hashed passwords, they'll have got the email addresses with it.

      Although yes, I imagine spammers have reacted and started pumping out a higher proportion of spam disguised as LinkedIn in general, and legitimate users have assumed causality. Although in fairness El Reg's headline hasn't linked the two.

    2. Anonymous Coward
      Anonymous Coward

      Re: Not just LinkedIn users

      I wasn't saying they didn't have email addresses (I wouldn't be surprised if they did), I just don't think they would be used for targeting spam.

      Spammers are opportunists who will send topical spam to any email address they can, regardless of whether the user is a LinkedIn user or not. I don't think every man and his dog buys viagra, but that doesn't stop spammers sending invitations to solve trouser problems.

  15. Mitoo Bobsworth
    Happy

    Spam? - Bloody Vikings!

    http://www.youtube.com/watch?v=anwy2MPT5RE

  16. Michael H.F. Wilkinson Silver badge

    No spam other than the usual rate (like from BILL GATES FONDATION, or the widow of the late UJUMBU N'TUITIF, or warnings that bank accounts are blocked until I update my personal information, usually from banks where I have no account). Internet business as usual, in other words. No offers for cheap Viagra today, or cheap PhDs (maybe they did find out I have a proper PhD through linkedin).

    My password does not seem to have leaked, no important stuff is on there, and I have changed my password to be on the safe side.

  17. Anonymous Coward
    Anonymous Coward

    Passwords

    I took the LinkedIn hack as a good time to go and update ALL my online accounts, so have been working through these in the past couple of days. It's been quite illuminating how many companies don't allow non-alpha characters. Few allow spaces (so no pass phrases), one only allows 6-character passwords (no more, no less!), and one bank won't allow a sequence of more than 4 numbers or letters - so that seriously restricts the use of memorable words or phrases, even without spaces!

    1. Intractable Potsherd

      Re: Passwords

      Yes - I've done the same, with the same frustration. What possible reason can there be for these restrictions - unless it creates plausible deniability for the company/bank when your account is breached?

  18. Anonymous Coward
    Anonymous Coward

    leemail is protecting my email

    I'm glad I used leemail.me to share my "email" with LinkedIn. No LinkedIn hack SPAM for me.

  19. Anonymous Coward
    Anonymous Coward

    I deleted my account a year or so back - too many people trying to add me as a connection who I simply didn't want to be associated with, but now if I try to login it asks me if I want to re-activate my account. So seemingly they still have my details stored even though I've said I want out. Is it too much to ask to have my details removed when I ask?
