UPDATE Professional social networking site LinkedIn announced early Wednesday morning that it was looking into reports of stolen passwords, according to a post on their Twitter page.

The tweet substantiates reports by several news outlets that a hacker was able to download the hashed passwords of 6.46 million members from the site. The cache of passwords was posted onto a Russian web forum, InsidePro, where hackers are being encouraged to help decipher the reportedly unsalted SHA-1 hashes.

While the alleged breach would only affect less than 5 percent of LinkedIn’s 150 million plus members, countless security firms are pushing users of the site to change their passwords.

The Santa Monica-based social network has had a tough go of it latey. Earlier this week, the company caught flak after its mobile application was found transmitting information from users’ calendar apps, including full meeting notes, locations, participants, passwords and dial-in phone numbers, in plain text. The mobile application issue is being presented by researchers Yair Amit and Adi Sharabani of Skycure Security at a cybersecurity conference (.PDF) in Tel Aviv today.

To coincide with the presentation, LinkedIn posted a blog entry earlier this morning to clarify any concerns users may have with its app’s mobile calendar feature.

The company stresses that when it sends sensitive information to its servers, it’s done with the users’ permission via SSL but claims going forward, it will no longer send data from the meeting notes section of users’ calendar events.

Last August, LinkedIn was forced to make a change in its social advertising model after users and privacy complained about an advertising campaign launched earlier that summer that paired LinkedIn members’ pictures with ads based on content from users’ profiles. LinkedIn eventually made it easier to disable the advertising option. 

UPDATE 4:30 p.m.

LinkedIn has come out and said that some of the passwords that were compromised belong to its users. In a blog post published around 3:30 p.m. on Wednesday a director at the company, Vincente Silveira, described the actions the owners of compromised accounts would have to take.

LinkedIn has rendered affected users’ passwords invalid and is in the process of sending each member two different e-mails with instructions on how to change their passwords. Additionally, it appears that affected users who change their password and those who were not affected will benefit from LinkedIn’s new “enhanced security” which entails both the hashing and salting of their passwords.

Categories: Cryptography, Hacks, Web Security

Comment (1)

  1. Anonymous

    “…in the process of sending each member two different e-mails with instructions…”

    this is just opening a round of phishing for targetted attacks….sigh

Comments are closed.