eHarmony Confirms Password Hack

Chloe Albanesius, Executive Editor, News

Dating website eHarmony last night acknowledged that it too was caught up in the hack that compromised about 6 million LinkedIn passwords.

"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," eHarmony said in a blog post. "We are continuing to investigate but would like to provide the following actions we are taking to protect our members."

"As a precaution," eHarmony reset passwords for affected members, who will receive emails with instructions on how to update their accounts.

"Please be assured that eHarmony uses robust security measures, including password hashing and data encryption, to protect our members' personal information," the company said. "We also protect our networks with state-of-the-art firewalls, load balancers, SSL and other sophisticated security approaches."

Yesterday afternoon, LinkedIn acknowledged that hackers had obtained access to some of its users' passwords. It did not reveal an exact number, but at least 6 million of the company's 161 million member passwords popped up online. Ars Technica later reported that eHarmony might have been involved because a large number of the passwords involved the word "harmony" or "eharmony," and that turned out to be correct.

In a separate blog post, Sophos analyst Graham Cluley said that "as with the LinkedIn breach, eHarmony users' passwords were exposed in the form of hashes. In this case, the hashes of 1.5 million eHarmony passwords were uploaded to websites, where hackers were encouraged to join forces to crack them."

Cluley criticized eHarmony for not urging users who used their eHarmony passwords on other websites to change them immediately. "Doing so is a recipe for disaster - because if you get hacked in one place, all of your other online accounts at other sites which use the same password could fall shortly afterwards," he wrote.

McAfee had a similar warning. "A secure passphrase may be the only thing standing between your personal data and those that wish to steal it," said Jim Walter, manager of McAfee's Threat Intelligence Service (MTIS). "Password maintenance is simply an unavoidable best practice in today's digital world."

Walter urged all users of LinkedIn, and presumably eHarmony, to change their passwords, regardless of whether they were involved in the hack.

LinkedIn, meanwhile, touted "enhanced security we just recently put in place, which includes hashing and salting of our current password databases." That basically makes it a bit harder for the hackers to decipher the passwords, though not impossible.

Security firm F-Secure noted, "when an attacker has your salt values and code, the only thing that is protecting user accounts is the strength of passwords they are using, and people are not very good sources of entropy. By combining dictionary attack and brute force techniques it will not take very long to break a significant proportion of passwords, even for a large site with many accounts."
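To make the "hashing and salting" point concrete, here is an added example (not code from PCMag, LinkedIn, eHarmony or F-Secure) that stores the same constructed passwords two ways: a single fast unsalted hash, and a per-user random salt with a slow key-derivation function. The account names, passwords, SHA-256 as the fast hash and the PBKDF2 iteration count are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users share a password on purpose.
USERS = {"alice": "harmony123", "bob": "harmony123", "carol": "correct horse battery"}

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware budget

def unsalted(password: str) -> str:
    """Weak form: one fast hash, no salt. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def enroll(password: str):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, derived

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def shared_hash_groups(table: dict) -> list:
    """Audit a credential table: which accounts have identical stored hashes?"""
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def demo():
    weak = {u: unsalted(p) for u, p in USERS.items()}
    strong = {u: enroll(p) for u, p in USERS.items()}
    strong_hex = {u: d.hex() for u, (_, d) in strong.items()}
    # Unsalted: alice and bob collide, so one recovered password exposes both.
    # Salted: no two rows match, so each account must be guessed separately.
    return shared_hash_groups(weak), shared_hash_groups(strong_hex), strong

if __name__ == "__main__":
    weak_groups, strong_groups, _ = demo()
    print("unsalted duplicates:", weak_groups)
    print("salted duplicates:  ", strong_groups)
```

As the F-Secure quote says, the salt is stored next to the hash, so it only removes shared and precomputed work; the iteration count raises the cost of each guess, and a weak password still falls to a dictionary.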
