(This post was updated with a comment from LinkedIn.)
Worried that your password might be among those stolen from LinkedIn, eHarmony or CBS’s Last.fm in the hacking attacks uncovered last week? If the paltry prices such data fetches in the underground market are any guide, there may be little reason to be concerned.
There’s an abundance of stolen passwords floating around in the dark corners of the Internet where criminals meet to buy such things. Passwords like those stolen from LinkedIn, owner of the world’s biggest professional-networking website, can sell for as little as $1 per account, according to Symantec, a security company.
That compares with banking passwords, which can fetch $15 to $850 each, depending on the account’s value. Francis deSouza, president of Symantec’s enterprise products and services division, said the usefulness of stolen data varies by site, which explains the difference in price.
With a password to a social network, cyber thieves can log in as someone else and send spam to that person’s friends. Criminals can also take advantage of job sites like LinkedIn by creating fake accounts and linking them to hacked accounts. Then they wait.
The connection lets the perpetrator monitor the breached accounts for news that someone is changing jobs. Once that happens, the hacker might send an e-mail pretending to be a new colleague or someone from human resources. If the unsuspecting user clicks on a malicious link in the message, the hacker can take control of the victim’s computer.
LinkedIn said in a blog post Thursday that many of the 6.5 million passwords posted on a hacker site were “hashed,” meaning they had been run through a one-way function so the original passwords could not be read directly by outsiders. Still, some of them were decoded and published, the company said. LinkedIn put out a new post on Saturday to address concerns from users.
Meanwhile, a researcher from Qualys wrote that he was able to crack 2 million of LinkedIn’s passwords. The researcher, Francois Pesce, said the hacker who publicized the trove of data was most likely seeking help in decoding the passwords.
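Hashing a password does not by itself keep it secret, which is why a researcher could still recover so many of the leaked hashes. The following added example (not code from the article, LinkedIn or Qualys; Python standard library only, with constructed sample accounts and a constructed wordlist) shows the two properties that decide how fast a leaked hash list falls: an unsalted, fast hash such as SHA-1 gives every account with the same password the same digest, so one precomputed table of common passwords exposes all of them at once, whereas a per-account salt and a slow, iterated function such as PBKDF2 make every guess cost real work for every single account. The account names and passwords below are invented.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the breach): three accounts, two of which
# picked the same weak password, plus a tiny "common passwords" list of the
# kind responders use to estimate exposure after a hash leak.
SAMPLE_ACCOUNTS = {"alice": "linkedin", "bob": "Tr0ub4dor&3!xq", "carol": "linkedin"}
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted hash: identical passwords always give identical digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def exposed_accounts(digests: dict, wordlist) -> list:
    """Hash each wordlist entry once, then look every account up in that table.
    One table serves all accounts because there is no per-user salt."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return sorted(user for user, digest in digests.items() if digest in table)


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow, salted hash: each guess costs `iterations` HMAC evaluations and has
    to be repeated per account, because every account has its own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> tuple:
    """Store a fresh random salt alongside the derived key."""
    salt = os.urandom(16)
    return salt, salted_pbkdf2(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(salted_pbkdf2(password, salt), stored)


def demo() -> dict:
    """Run both schemes over the sample accounts and report what each reveals."""
    unsalted = {u: unsalted_sha1(p) for u, p in SAMPLE_ACCOUNTS.items()}
    salted = {u: make_record(p) for u, p in SAMPLE_ACCOUNTS.items()}
    return {
        # Same password -> same SHA-1 digest; reuse is visible in the dump itself.
        "unsalted_duplicates": unsalted["alice"] == unsalted["carol"],
        # Same password -> different PBKDF2 output, thanks to per-account salts.
        "salted_duplicates": salted["alice"][1] == salted["carol"][1],
        # Accounts whose unsalted digest appears in the common-password table.
        "exposed": exposed_accounts(unsalted, COMMON_PASSWORDS),
        "verify_ok": verify("linkedin", *salted["alice"]),
        "verify_wrong": verify("Linkedin", *salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it reports that alice and carol share one SHA-1 digest and both turn up in the common-password table, while their PBKDF2 records differ and only the exact password verifies. The same property explains the article's later point about reuse: once a digest in an unsalted dump is matched to a word, that word is the user's password on every other site where it was reused.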
Hani Durzy, a spokesperson for LinkedIn, said the incident hasn’t hampered the site’s growth.
“The health of our network, as measured by growth and engagement, remains as strong as it was prior to the incident,” Durzy said.
LinkedIn said it disabled the passwords of affected accounts, a move that likely nullifies an attack on those users and renders the stolen data worthless.
That is, unless the hacker has an eye toward using the information to attack other sites where people use the same passwords. Then, it could be worth more than the $1 per account.
“The reaction coming out of this breach is not to just go change your LinkedIn password — it’s change your password on any sites where you’ve used the same password,” deSouza said.