By 3 News staff
New Zealanders with accounts on the networking site LinkedIn are being told to change their passwords immediately amid fears that millions of encrypted passwords have fallen into the hands of hackers.
Reports say up to 6.5 million passwords may have been stolen and posted to an internet forum.
LinkedIn says it does not know how the site was compromised, but says it has disabled the passwords of affected users.
LinkedIn has 160 million members around the world and more than 230,000 of them are from New Zealand.
Internet NZ chief executive Vikram Kumar says all New Zealanders who use LinkedIn should change their passwords because it is likely a New Zealander could have had their password leaked.
“I think it’s almost certain. The number of passwords compromised is in the region of 6 million which is… around 5 percent [of users worldwide].”
Mr Kumar says people may need to change passwords on other sites.
“Not only change their LinkedIn password but wherever they’ve used the same password on other sites they should change those too.”
He recommends people use different passwords on different sites.
“The security advice always is use a different password, but if you make it hard and complex you’re going to write it down which means that you’ve got a new security risk.”
He says people should make sure they can remember the password.
“First of all we’re very good at patterns. Pick up a pattern on your keyboard and remember that.”
But people should avoid using regular words.
“Make sure first of all it’s not a dictionary word, because most of the attacks to try and crack passwords use the dictionary.
“Instead of using a dictionary word, use a phrase like ‘I take my dog for a walk in the evenings’ and if you take the first letter of each one that’s actually a very strong password, throw in a capital letter somewhere, maybe an exclamation mark.”
Mr Kumar wasn’t sure whether people would be notified about whether their LinkedIn account had been breached, but warned people to change their passwords anyway.
He also says using your email address to log in is dangerous, because organisations don’t always encrypt login details or email addresses.
“There’s a pretty big risk across all of that.”
But Mr Kumar says the passwords themselves may not be completely breached.
“It’s not the password itself that’s been leaked out, it’s the encrypted form of the passwords. A logarithm used for encryption is actually quite strong, so I’m not sure this necessarily means people’s passwords are out there, it’s just a precaution.”
He thought the breach would have been done by a hacker, rather than a staff member or customer.
“This is a hacker who seems to have got in through the back door.”
3 News