6.46 million LinkedIn passwords leaked online

Summary: More than 6.4 million LinkedIn passwords have leaked to the Web after an apparent hack. Though the leaked login details are hashed rather than stored in the clear, all users are advised to change their passwords.

A user on a Russian forum has claimed to have downloaded 6.46 million hashed LinkedIn user passwords.

It looks as though some of the weaker passwords --- around 300,000 of them --- may already have been cracked. Other forum users have been seen asking fellow hackers for help in cracking the rest.

Finnish security firm CERT-FI is warning that the hackers may also have access to user email addresses, though these appear encrypted and unreadable.

One ZDNet reader said they had searched the cache and found their password. It has been reported that the passwords were hashed using the SHA-1 algorithm --- which has known weaknesses --- but unless a password is weak, it may take a while to decrypt the remaining cache.

LinkedIn has more than 150 million users worldwide, so this apparent hack affects less than 5 percent of its user base. It's not clear whether further users are affected beyond this figure, but today's events will strike a damaging blow to the 'professional' social network's reputation.

Users are advised to change their passwords as a precaution. That said, some readers report that the password reset feature is being "overwhelmed" by visitors, which is hardly surprising under the circumstances.

Update 1: LinkedIn said it was "looking into reports of stolen passwords."

Update 2: LinkedIn said it "continues to investigate" but is "unable to confirm that any security breach has occurred."

Update 3: LinkedIn confirmed it has suffered a breach leading to a leaked cache of user account details, but did not explain how the data was accessed. The company has disabled affected accounts and emailed account holders with details of how to reset their password. CNET's Elinor Mills has more.

Talkback

25 comments
  • Way to go. Got no notice from them at all.

    So much for "professional".
    thetwonkey
    • need to check site to get notice

      I guess they are only "warning" customers that actually use the system regularly. It was on the home page to change your password and linked to this article.

      Something of this magnitude should have its own email notice.
      tbuccelli
      • Was it an update from Linkedin you saw?

        Hey there, I spotted two articles on my home page under the "LinkedIn Today, Headlines" but these are to external publications like this ZDNet article rather than being a specific alert from LinkedIn.
        angewi
      • I agree

        Though, there's a problem. Either take the proactive email-out warning users to change their password, but this could panic users -- or take time and stock to work out what's going on before making any decisions. I agree, LinkedIn probably should invoke a mandatory password change sooner rather than later, but it has to work out exactly what's gone on.

        The only word from the company so far is via Twitter.
        zwhittaker
      • Email AND mandatory change at log in...

        The high security I would expect from LinkedIn would require nothing less than this type of mandatory change in pass-code used by banking institutions and credit card sites.
        Fostersgirl
    • Root cause

      Or maybe they're holding off until they can identify the root cause of the breach. Changing the password before this is fixed can give users a false sense of security since the bad guys can reacquire the updated hash file.

      For now I'd change password across sites that you reused the password on, then give LinkedIn a unique special password that's not reused anywhere.
      Anticorez
  • Strange functionality

    Changed my LI password via my pc....
    However, the old one still works on my iPad app :(
    rhonin
  • SHA-1 Decrypt Speed Incorrect

    > it may take a while to decrypt the remaining cache.

    Based on [this](http://www.golubev.com/hashgpu.htm) that is incorrect:

    > 2300M/s SHA1 hashes

    That's 2,300,000,000 passwords per second. That highly suggests that given a small [sum of money](http://codahale.com/how-to-safely-store-a-password/) you could decrypt all of them in a very short period of time.
    krainboltgreene
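The two numbers in play here, the article's "it may take a while" and the commenter's 2,300 million SHA-1 hashes per second, can be put side by side. The following is an added example, written for this page and not code from the article, from LinkedIn or from any commenter. It takes the quoted GPU rate as given, works out how long exhausting a password space of a given length takes at that rate, and then shows why unsalted hashes are so cheap to recover: one precomputed hash-to-password table serves every account in a dump. The wordlist and the "leaked" hashes are constructed for the example.

```python
import hashlib
from typing import Dict, Iterable, List

# Rate quoted in the comment above (hashgpu benchmark): 2,300 million SHA-1 hashes per second.
GPU_SHA1_RATE = 2_300_000_000


def seconds_to_exhaust(charset_size: int, length: int, rate: int = GPU_SHA1_RATE) -> float:
    """Worst-case seconds to try every password of exactly `length` characters
    drawn from an alphabet of `charset_size` symbols, at `rate` hashes per second."""
    return charset_size ** length / rate


def describe(seconds: float) -> str:
    """Express a duration in the largest unit that keeps the number readable."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} s"


def brute_force_table(lengths: Iterable[int] = range(6, 11)) -> List[str]:
    """One row per length, comparing lowercase-only (26 symbols) with printable ASCII (95)."""
    rows = []
    for n in lengths:
        rows.append(
            f"len {n:2d}: a-z only {describe(seconds_to_exhaust(26, n)):>14}   "
            f"printable ASCII {describe(seconds_to_exhaust(95, n)):>14}"
        )
    return rows


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, the scheme the article says was in use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample wordlist. Real cracking lists hold hundreds of millions of entries.
WORDLIST = ["password", "linkedin", "123456", "letmein", "qwerty", "sunshine", "football"]


def build_lookup(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password once. With no per-user salt, a single table is
    valid for every account in the dump; that is what makes unsalted hashes so cheap."""
    return {sha1_hex(w): w for w in words}


def recover_weak(leaked_hashes: Iterable[str], lookup: Dict[str, str]) -> Dict[str, str]:
    """Return the leaked hashes whose plaintext appears in the lookup table."""
    return {h: lookup[h] for h in leaked_hashes if h in lookup}


# Constructed "leaked" records: two weak passwords and one long random one.
LEAKED = [sha1_hex("linkedin"), sha1_hex("123456"), sha1_hex("9Q#mv!rT2b&xLw8pZ")]

if __name__ == "__main__":
    for row in brute_force_table():
        print(row)
    found = recover_weak(LEAKED, build_lookup(WORDLIST))
    print(f"recovered {len(found)} of {len(LEAKED)} constructed hashes:", sorted(found.values()))
```

At the quoted rate every six-character lowercase password falls in well under a second and all eight-character printable-ASCII passwords in about a month, while the long random password is not in any list and is never recovered; the lesson for the site operator is that the hash function, not the user, has to supply the slowdown.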
  • 73% of people use the same password for everything...

    I was just at a privacy conference in Austin and the biggest take away was that hackers understand that a large majority of people use the same password for everything and a good number use the same ID & password so rather than hack a bank that has invested heavily in security, they'd rather hack a site with a large number of users to get the ID and/or password then they've got the keys to the bank. Scary stuff.
    bstoneIDexpert
    • Yep

      That's why I always encourage people to have bank and email passwords that are separate from all other accounts and passwords.

      A lot of people don't make the connection, but separate email passwords are as critical as financial account passwords. If they get into your email they can often change your password to everything.
      SlithyTove
  • 6-character passwords....

    linkedin still allows six (and seven) character passwords. epic fail....
    agd12
  • Linkedin uses Open Source Apache Traffic Server and other components

    Why didn't the Linux Security Module prevent this exploit? Color me confused.
    Your Non Advocate
  • Damn

    Linkedin is getting a special password for now. If they can't figure out how the breach occurred the new password may be breached again.

    I'd change the password on any site you reused the password on to something else. I generally keep bank, email (since you can do a password reset), shopping, etc. categories of sites using different passwords. It prevents elevation from social networking site or forum creds to bank creds.
    Anticorez
  • I canceled my LinkedIn a few months ago

    I've never seen any tangible results using LinkedIn (most of my jobs I got via posting on Monster), except a huge amount of spam due to my address getting compromised. As an old tech worker I try to leave as few trails as necessary (no Facebook, and anonymous avatars or user names).
    Richardbz
  • No notice, but changed password.

    No notice, but changed password. Thanks for the tip.
    CobraA1
  • Original hash file

    Here you can find the original file with hashes (many of them seem to be edited with '00000' at the beginning)...
    http://filevelocity.com/ixhk76jz07m5/SHA1.txt_1.rar
    localhost007
  • linkedin passwords leaked

    1. The admins at LinkedIn can fix this in a short time if they know anything about security; there is no magic required.
    2. LinkedIn is a great place for work based networking and I hope it continues.
    gfgrahamnz
  • Needs a Little "Salt" and/or "Pepper"

    Not sure if it was mentioned, but I believe I read somewhere they were using simple hashed passwords.
    rudolphh
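"Salt" and "pepper" are the two things the comment above says were missing, and the "simple hashed passwords" it refers to are exactly what makes one cracking table work against every account. The following is an added example, written for this page and not code from the article, from LinkedIn or from any commenter, showing how a password store that uses both looks: a random 16-byte salt per account, PBKDF2-HMAC-SHA256 with a deliberately high iteration count so each guess is expensive, and a server-side secret (the pepper) mixed in with HMAC so that a copy of the database alone is not enough to start guessing offline. The iteration count and the pepper value are placeholders chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example. A real deployment tunes it so one verification
# costs tens of milliseconds on the server and raises it as hardware gets faster.
ITERATIONS = 200_000

# "Pepper": a server-side secret kept outside the database. Placeholder value for this
# example; in production it lives in a KMS/HSM or secrets manager, never next to the hashes.
PEPPER = b"constructed-placeholder-pepper-change-me"


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Produce a stored record of the form pbkdf2_sha256$<iterations>$<salt b64>$<tag b64>.

    Salt: 16 random bytes per account, so two users with the same password get different
    records and a precomputed hash table is useless against the dump.
    PBKDF2: many iterations make each guess cost far more than a single SHA-1.
    Pepper: the derived key is HMAC'd with a secret the database does not contain.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    tag = hmac.new(PEPPER, dk, hashlib.sha256).digest()
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(tag).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the record from its stored salt and iteration count and compare in constant time."""
    try:
        scheme, iters, salt_b64, _tag_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False          # malformed record: refuse rather than guess
    if scheme != "pbkdf2_sha256":
        return False
    expected = hash_password(password, salt, iterations)
    return hmac.compare_digest(expected.encode("ascii"), record.encode("ascii"))


def same_password_distinct_records(password: str) -> bool:
    """Show that a shared password no longer produces a shared hash once salted."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("linkedin")   # constructed weak password, for illustration only
    print(rec)
    print("correct password verifies:", verify_password("linkedin", rec))
    print("wrong password verifies:  ", verify_password("linkedln", rec))
    print("two records for one password differ:", same_password_distinct_records("linkedin"))
```

Because the salt and iteration count are stored inside the record, the work factor can be raised later and old records re-hashed on the user's next successful login; the pepper is the one input that must never be stored beside the hashes, since its whole value lies in being absent from a stolen database.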
  • Bad Grammar

    Hi Zack Whittaker...

    My pet peeve in professionally written news stories is bad grammar. For example, the 4th paragraph starts with this sentence: "One ZDNet reader said they had searched the cache and and found their their password."

    "Reader" is a single subject but you used plural pronouns "they" and "their" in the sentence. Such an error shouts "Error" and usually overshadows whatever the author is trying to say. (I have assumed the "and and" and "their their" were typos - a subject for a different rant.) You are a professional. Please. Please. Please, maintain case consistency.

    Thank you...
    "Happy" Jack
    jedgar6425
    • OMG.

      Personally speaking, [i]my[/i] pet peeve is posters who contribute nothing to the discussion but moan and whine about other people's spelling and grammer instead.

      See http://www.albion.com/netiquette/corerules.html, Rule 10
      Zogg