Update: LinkedIn has responded to the issue, updating its official Twitter account to state that it is “looking into reports.” Scroll down for more information.
LinkedIn, already in the spotlight over concerns that its iOS app collects full meeting notes and details from a device’s calendar and sends them back to the company in plain text, is now said to have suffered a compromise of user accounts, with 6.5 million hashed passwords reportedly leaked.
Norwegian IT website Dagens IT reported the breach, with 6.5 million password hashes posted to a Russian hacker site. Security researcher Per Thorsheim has also confirmed the reports via his Twitter feed, stating that the attackers posted the hashes to request help cracking them.
Finnish security firm CERT-FI is warning that whilst user details have not been posted, it is believed that the attackers will have access to user data as well as their passwords.
One LinkedIn user has already confirmed his password was leaked:
btw after getting the list of @linkedin hashes and hashing my old pwd with no salt there is a match for the hash in the list
— securityninja (@securityninja) June 6, 2012
What should you do? For starters, change your password.
LinkedIn hasn’t responded to reports at the time of writing, so the breach is yet to be confirmed. However, over 300,000 of the passwords are said to have been cracked already, and more are being cracked as we write this. We suggest you follow good security practices and change yours, regardless of whether you have been affected or not.
LinkedIn is home to more than 150 million users, suggesting the breach is limited to less than 10% of the professional social network’s user base, but it will still affect a huge number of users.
The leaked hashes are unsalted SHA-1. While the hash itself cannot simply be reversed, a hash of a simple dictionary password can still be cracked quickly by hashing candidate words and comparing, and because there is no salt, every user who chose the same password shares the same hash, so one guess exposes all of them at once.
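As an added illustration (not part of the original report), the check the tweeted user describes above, and why it only works because the list is unsalted: the "leak" here is a small set of hashes constructed from sample passwords, not the real LinkedIn data.

```python
import hashlib
import os

# Constructed sample "leak": unsalted SHA-1 hex digests of a few weak passwords.
# This is NOT the real LinkedIn list; it is generated here for illustration.
SAMPLE_LEAK = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("linkedin", "password", "123456", "qwerty")
}


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1 hex digest, the scheme described for the leaked list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def password_in_leak(password: str, leaked_hashes: set[str]) -> bool:
    """The exposure check from the tweet: hash your own password with no salt
    and look for an exact match in the leaked list. This is only possible
    because there is no salt, so anyone with this password has the same hash."""
    return unsalted_sha1(password) in leaked_hashes


def salted_sha1(password: str, salt: bytes) -> str:
    """Salted variant: a random per-user salt is mixed in before hashing, so
    the same password yields a different hash for every user and a leaked
    list cannot be matched against a single precomputed digest."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def same_password_collides(password: str) -> tuple[bool, bool]:
    """For two users who chose the same password, return whether their
    hashes are identical (unsalted_equal, salted_equal). Expected: (True, False).
    Salting removes the cross-user match; a deliberately slow hash (bcrypt,
    scrypt, Argon2) is still needed to slow down per-user guessing."""
    unsalted_equal = unsalted_sha1(password) == unsalted_sha1(password)
    salt_user_a, salt_user_b = os.urandom(16), os.urandom(16)
    salted_equal = salted_sha1(password, salt_user_a) == salted_sha1(password, salt_user_b)
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    print("'linkedin' in leak:", password_in_leak("linkedin", SAMPLE_LEAK))
    print("unsalted/salted collide:", same_password_collides("linkedin"))
```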
Earlier today we reported that the LinkedIn iOS app collects full meeting notes and details from your device’s calendar and sends them back to the company in plain text.
The information is gathered without explicit permission by a feature that allows users to access their calendar within the app. LinkedIn has taken the time to formulate an official response, noting that a new version of the app is on its way.
It also provided a list of what it does and doesn’t do with your data.
Please note that the two issues are completely unrelated.
We have contacted LinkedIn for clarification on the password breach and will update the article should we receive a response.
Update: LinkedIn has tweeted the following update from its account:
Our team is currently looking into reports of stolen passwords. Stay tuned for more.
— LinkedIn News (@LinkedInNews) June 6, 2012