Stolen LinkedIn Passwords Can Sell for as Low as $1

Passwords like those stolen from LinkedIn Corp. (LNKD), owner of the world’s biggest professional- networking website, may not lead to many accounts being breached because criminals selling the access codes reap as little as $1.

That compares with banking passwords, which can fetch $15 to $850 apiece, depending on the account balance, according to Internet security provider Symantec Corp. (SYMC) The utility of stolen data varies by site, leading to price differentiation, said Francis deSouza, president of Symantec’s enterprise unit.

Stolen social-network passwords have limited value to thieves because they generally can’t take money directly out of the accounts, deSouza said. Hackers blocked from using the passwords on LinkedIn might still use them to infiltrate other sites if users access multiple accounts with the same login, Bloomberg.com reported on its Tech Blog.

“The reaction coming out of this breach is not to just go change your LinkedIn password -- it’s change your password on any sites where you’ve used the same password,” deSouza said.

LinkedIn, based in Mountain View, California, said last week that 6.5 million user passwords were posted on a hacker site and the U.S. Federal Bureau of Investigation was working with the company on the security breach. LinkedIn said in a June 7 blog post that it hadn’t received any verified reports of unauthorized access to member accounts. The company also said it disabled any passwords it found were potentially compromised.

Hani Durzy, a spokesman for LinkedIn, declined to comment beyond statements made on the company’s blog.

Customers of CBS Corp. (CBS)’s Last.fm music site and EHarmony Inc.’s dating site also had passwords stolen last week. Both companies suggested that users immediately change their passwords.

Fake Accounts

One way criminals have taken advantage of job sites like LinkedIn is by creating fake accounts and linking them to hacked accounts. Then they wait. The connection lets the perpetrator monitor the breached accounts for news that someone is changing jobs.

Once that happens, the hacker might send an e-mail pretending to be a new colleague or someone from human resources. If the unsuspecting user clicks on a malicious link in the message, the hacker can take control of the victim’s computer.

LinkedIn said on its blog that many of the stolen passwords posted on a hacker site were “hashed,” or encoded to be unreadable by outsiders. Still, some were decoded and published, the company said.

Spam Prevention

A researcher at Qualys Inc. cracked 2 million of LinkedIn’s passwords, according to a June 8 blog post by researcher Francois Pesce. The hacker who publicized the trove of data was probably seeking help decoding the passwords, Pesce said.

Hackers can also use social-network passwords to send spam to that person’s friends. This is particularly true for websites where people accumulate a lot of contacts, such as LinkedIn, with more than 160 million members, or Facebook Inc. (FB), with more than 900 million. Disabling the passwords prevents the spam, deSouza said.

LinkedIn shares gained less than 1 percent to $94.46 at the close in New York. The stock has climbed 50 percent this year.

To contact the reporter on this story: Jordan Robertson in San Francisco at jrobertson40@bloomberg.net

To contact the editor responsible for this story: Tom Giles at tgiles5@bloomberg.net

Bloomberg reserves the right to remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.