How Hackers Profit From Your Leaked Passwords

If you’ve been a reader of Mike Schuster’s on Minyanville, you already know better than to keep the same password for multiple websites or to, God forbid, use the Spaceballs standby “1234” to unlock your iPhone (AAPL). But even if you think your accounts are the Fort Knox of online security, you can still be vulnerable -- as we saw last week with the compromise of the personal information of 6.5 million LinkedIn (LNKD) users by Russian hackers.

Since news broke about that event, one of the burning questions has revolved around what the cyber criminals plan to do with the bounty stolen from the “world’s largest professional network.” Security analysts have begun to weigh in and -- beyond selling résumés on the black market and mining contacts for spam emails -- hackers have a “complex and sinister” plan in store for the hot dossiers.

When a cyber attack is the work of (relatively speaking) harmless “hacktivists” motivated by revenge for some wrong committed by a corporation, the guilty party usually makes itself known. In the case of the LinkedIn breach, the group of hackers didn’t identify itself. According to Symantec’s Marian Merritt, the failure to claim responsibility -- in addition to the data being posted on a Russian forum dedicated to password decryption -- points to a profit-driven criminal endeavor.

Assuming both email addresses and passwords of members have been acquired, the first step is using software to run that combination on other websites, specifically ones that contain sensitive financial information like PayPal (EBAY) and, of course, individual bank URLs. But social media is another huge target so Facebook’s (FB) 900 million users are also at risk. Experts strongly suggest that LinkedIn members using the same email/password combination on any other site should change them immediately.

And for the love of all that is online security, don’t do so by clicking on a link contained in an email appearing to have come from the company. This is a form of email spoofing called “phishing,” and it’s often part of the hacker’s scheme. To be safe, go directly to the company website itself and log into your account.   

LinkedIn users may also become bait for “spear phishing,” which sends seemingly legitimate emails containing links -- but from the addresses of trusted sources, like friends and colleagues.

Likely, the LinkedIn passwords will be added to what are called “rainbow tables,” precomputed lookup tables used to crack password hashes. Unlike far more ironclad sites like Google (GOOG) that protect users with an extra layer of defense known as “salting” (mixing a random, per-user value into each password before it is hashed), LinkedIn’s weaker, unsalted hashing meant that every account sharing the same password produced the same hash, so cracking one of them unlocked all of them at once.
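The following worked example, added here and not part of the original article, shows the point about salting in code. Two constructed accounts share a password; with unsalted hashing their stored digests are identical and a small precomputed lookup table (standing in for a rainbow table) recovers both with a single lookup, while with a random per-user salt the digests differ and the same table finds nothing. The account names, passwords and guess list are all constructed, and SHA-256 is used here only as a stand-in for whatever hash function a given site uses.

```python
import hashlib
import os

# Constructed sample data: two accounts that happen to share a password.
# None of these values come from the LinkedIn breach or any real site.
ACCOUNTS = {
    "alice@example.com": "hunter2",
    "bob@example.com": "hunter2",
    "carol@example.com": "correct horse battery staple",
}

# A tiny guess list used to precompute the lookup table (constructed).
GUESS_LIST = ["123456", "password", "hunter2", "letmein"]


def unsalted_hash(password: str) -> str:
    """Hash the password alone: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash salt||password: a per-user salt makes each stored digest unique."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(guesses):
    """Precompute unsalted digests once: digest -> plaintext.
    This reusable table is what makes unsalted hashes cheap to reverse."""
    return {unsalted_hash(g): g for g in guesses}


def store_unsalted(accounts):
    """Simulate a site that stores bare hashes: {user: digest}."""
    return {u: unsalted_hash(p) for u, p in accounts.items()}


def store_salted(accounts, salt_for=None):
    """Simulate a site that stores {user: (salt, digest)}.
    salt_for lets a test supply fixed salts; real code uses os.urandom."""
    out = {}
    for u, p in accounts.items():
        salt = salt_for(u) if salt_for else os.urandom(16)
        out[u] = (salt, salted_hash(p, salt))
    return out


def recover_unsalted(stored, table):
    """One table lookup per account, no hashing at all: every account whose
    password is in the table falls at once, duplicates included."""
    return {u: table[d] for u, d in stored.items() if d in table}


def recover_salted(stored, table):
    """The same table against salted digests: nothing matches, because each
    digest depends on a salt the table was never built with."""
    return {u: table[d] for u, (s, d) in stored.items() if d in table}


def verify_salted(stored, user, password) -> bool:
    """Normal login check: recompute with the stored salt and compare."""
    salt, digest = stored[user]
    return salted_hash(password, salt) == digest


if __name__ == "__main__":
    table = build_lookup_table(GUESS_LIST)
    unsalted = store_unsalted(ACCOUNTS)
    print("unsalted, alice == bob:",
          unsalted["alice@example.com"] == unsalted["bob@example.com"])
    print("unsalted recovered:", recover_unsalted(unsalted, table))
    salted = store_salted(ACCOUNTS)
    print("salted, alice == bob:",
          salted["alice@example.com"][1] == salted["bob@example.com"][1])
    print("salted recovered:", recover_salted(salted, table))
    print("alice can still log in:",
          verify_salted(salted, "alice@example.com", "hunter2"))
```

Salting only defeats precomputation; it does not slow down guessing against a single account, which is why a site storing passwords today should also use a deliberately slow, salted password hash such as bcrypt, scrypt or Argon2 rather than a single pass of SHA-256 as in this illustration.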

We’ve said it before, and we’ll say it again: The more complex and unique to each site your passwords are, the better off you are.
POSITION:  No positions in stocks mentioned.