LinkedIn confirms breach of 6.4 million accounts

on Thursday, June 7, 2012

Some 6.46 million encrypted passwords of LinkedIn may have been leaked online Wednesday night, even as the professional networking site confirmed the occurrence of a security breach.
In a blog post, LinkedIn's Vicente Silveira said it continues to investigate the incident, and has taken steps for the compromised accounts.
"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation," Silveira said.
Silveira said members whose accounts are associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
These members will also receive an email from LinkedIn with instructions on how to reset their passwords, he said.
He stressed there will not be any links in these emails, adding that for security reasons, users should never change passwords on any website by following a link in an email.
Affected members will also receive a second email from LinkedIn's Customer Support team providing more context on this situation.
"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," he added.
Silveira sincerely apologized for the inconvenience this has caused LinkedIn members.
A report on Mashable said a Russian forum user claims to have hacked LinkedIn, uploading 6,458,020 encrypted passwords without usernames as proof.
"The passwords are encrypted with the SHA-1 cryptographic hash function, used in SSL and TLS and generally considered to be relatively secure, but not foolproof. Unfortunately, it also seems that passwords are stored as unsalted hashes, which makes it much easier to decipher them using pre-computed rainbow tables," Mashable said.
It added that this development came after reports that LinkedIn's iOS app potentially violates user privacy by sending detailed calendar entries to its servers.
For LinkedIn users, this may mean an attacker could crack many of the passwords using very cheap resources in a relatively short time.
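The point Mashable makes above, that unsalted SHA-1 lets one precomputed table answer every hash in a dump, is shown below in an added example that is not part of the original article or of LinkedIn's code. It hashes a constructed set of sample users both the 2012-era way (plain SHA-1) and with a per-user random salt, then measures how much of each dump a precomputed table of common passwords recovers; the password lists and user names are constructed for the demonstration.

```python
import hashlib
import os

# Constructed stand-in for an attacker's precomputed table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """The scheme the article describes: plain SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Same hash, but a per-user random salt is mixed in first. (A slow KDF such
    as PBKDF2 or bcrypt is better still; salting is what the article mentions.)"""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once. A rainbow table is a space-optimised
    form of exactly this idea; a plain dict keeps the example readable."""
    return {sha1_unsalted(p): p for p in candidates}


def recoverable_fraction_unsalted(stored_hashes, table):
    """Share of an unsalted dump answered by one dictionary lookup per hash,
    with no hashing work at all at crack time."""
    return sum(1 for h in stored_hashes if h in table) / len(stored_hashes)


def recoverable_fraction_salted(stored_records, table):
    """With per-user salts the precomputed table never matches: salt+password
    was not among the inputs the table was built from."""
    return sum(1 for _salt, h in stored_records if h in table) / len(stored_records)


def demo():
    # Constructed users; two of three chose a password that is in the table.
    users = {"alice": "password", "bob": "123456", "carol": "Tr0ub4dor&3"}
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_dump = [sha1_unsalted(p) for p in users.values()]
    salted_dump = []
    for p in users.values():
        salt = os.urandom(16)  # fresh random salt per user, stored alongside the hash
        salted_dump.append((salt, sha1_salted(p, salt)))
    return (recoverable_fraction_unsalted(unsalted_dump, table),
            recoverable_fraction_salted(salted_dump, table))
```

A second consequence of the unsalted scheme is visible in `sha1_unsalted`: two users with the same password produce identical hashes, so the dump also reveals which accounts share a password, whereas salted hashes differ even for equal passwords.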
Mashable quoted LinkedIn as saying on Twitter that it is looking into the issue.
Finnish security organisation CERT-FI has posted a warning about the incident, saying it is "likely" that whoever hacked LinkedIn possesses the accompanying user names as well.
If you're a LinkedIn user, we recommend you change your password right now. Furthermore, if you used that password on any other online service, we recommend you change those passwords as well.
A separate article on computer security firm Sophos's website advised LinkedIn users to "change their passwords as soon as possible as a precautionary step."
"Don't delay. Do it now. And if there are any more updates from LinkedIn we will let you know."