Security breaches at LinkedIn and eHarmony have highlighted an escalation in attacks on social networks from hackers seeking to exploit personal data, according to security firms.
The professional networking and dating sites have both confirmed that "some" of their users' passwords have been stolen. They have not disclosed how many but security experts said hackers have posted a total of 8 million encrypted passwords online, the bulk of which came from LinkedIn.
LastFM, a U.K.-based, CBS-owned social network focused on music, on Thursday also admitted that some of its users' passwords had been stolen. Like LinkedIn and eHarmony, it advised users to change their passwords.
Experts called the LinkedIn hack "one of the largest we've seen," and a sign that cybercriminals are showing an increasing preference for targeting social networks, including Facebook, Twitter and Pinterest.
"Now they've switched over to social networks," said Graham Cluley, senior technology consultant at Sophos, a security research firm. "The anti-spam features on these sites are nowhere near as mature as places like Hotmail and Gmail."
In April, social networks replaced financial organisations as the top target of phishing attacks, according to data from Kaspersky Lab. Phishing campaigns are spoof e-mails or spoof social networking messages that impersonate a business like LinkedIn in order to trick people into handing over their e-mail address, password or other personal information.
Kaspersky Lab estimates social networks accounted for 28.8 per cent of phishing attacks in April, a 6 per cent increase from March, due mainly to a surge of attacks on Facebook users.
The cause of this week's hacks is still unknown. LinkedIn has since added enhanced security features to its encryption process, a move Mr. Cluley said they "should have been doing earlier."
Mr. Cluley also said the openness of social networks to external programmers who develop applications left them more vulnerable to hackers. In addition, the personal nature of social networks makes it easier for criminals to impersonate someone, using their name and photo to contact their friends and work colleagues.
"If I get a message from someone who is a LinkedIn contact of mine, I'm much more likely to respond," said David Emm, senior security researcher at Kaspersky Lab. "They're using it as a layer of trust to spread their malware."
Cybercrime on social networks is turning into its own industry, said Jim Walter, manager for McAfee Threat Intelligence Service, as criminals hire underlings to generate more traffic and even ad revenue from these sites through automated botnets, collections of compromised computers under the attackers' control.
"There's a whole underground economy around LinkedIn bots, Pinterest bots, Facebook bots, you name it," he said.