LinkedIn confirms password leak

Update: Social networking site reveals that some of the reported 6.4 million stolen password hashes matched its users; it is taking measures to protect users and make passwords more difficult to crack.
Written by Ellyne Phneah, Contributor

Update: LinkedIn has admitted it suffered a data breach in which user passwords were stolen, though it has not confirmed whether the number of compromised passwords reaches the reported 6.4 million.

In a blog post on Wednesday, Vicente Silveria, an engineer at LinkedIn, confirmed that some passwords were "compromised" and said the company is continuing to investigate. The company added that it had sent e-mails to members whose passwords were affected, explaining how to reset them, since the compromised passwords are no longer valid on the site.

However, the social networking site did not reveal how the breach happened or how many passwords were stolen.

"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," Silveria said.

The blog post follows reports that a user on a Russian online forum claimed to have downloaded 6.4 million hashed user passwords from LinkedIn, and that hackers were working to crack them. The post has since been removed from the forum.

However, Imperva noted in a Wednesday blog post that the breach could be bigger than the reported figure. The leaked file contains no "easy" passwords, which suggests the attacker had already cracked those and removed them, and each hash appears only once even though many users may share the same password. Because an unsalted scheme produces an identical hash for every user with the same password, a deduplicated list of hashes undercounts the number of affected accounts, the security vendor explained.

Chester Wisniewski, senior security advisor at Sophos, added in a blog post on Wednesday that after removing duplicates there were 5.8 million unique hashes, of which 3.5 million had already been "brute forced", or cracked. This means over 60 percent of the stolen password hashes now correspond to publicly known passwords, he explained.
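The two observations above, that identical passwords collapse into one entry in a deduplicated dump and that "easy" passwords fall first to a precomputed table, follow directly from whether the hashes are salted. The following is an added example and not LinkedIn's code or data: it assumes the old scheme was a bare, unsalted SHA-1 (the article does not name the algorithm), and uses a constructed five-account sample and a constructed wordlist. It contrasts a lookup-table attack on unsalted hashes with the per-account work that per-user random salts force.

```python
import hashlib
import os

# Constructed sample data (not from the leak): five accounts, two shared passwords.
USERS = {
    "alice": "linkedin",
    "bob": "Password1",
    "carol": "linkedin",
    "dave": "xK9#qLm2!vRw",
    "erin": "Password1",
}

# Constructed stand-in for a cracker's wordlist of "easy" passwords.
WORDLIST = ["123456", "password", "linkedin", "Password1", "letmein"]


def salted_sha1(password: str, salt: bytes) -> str:
    """SHA-1 over salt || password. With salt == b"" this is a bare, unsalted
    SHA-1 of the password, the scheme assumed here for the pre-breach store."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_unsalted_store(users):
    """user -> (salt, hash) with an empty salt: what a dump of an unsalted
    database looks like once the attacker has it."""
    return {u: (b"", salted_sha1(p, b"")) for u, p in users.items()}


def build_salted_store(users):
    """user -> (salt, hash) with a fresh random 16-byte salt per account."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, salted_sha1(p, salt))
    return store


def unique_hashes(store):
    """Distinct hash values in a store. A deduplicated dump counts these,
    which is why it can undercount affected accounts when hashes are unsalted."""
    return {h for _, h in store.values()}


def table_attack(store, wordlist):
    """Hash every word once into a lookup table, then look each dumped hash up.
    Returns (cracked user -> password, number of hash operations). The cost is
    len(wordlist) hashes no matter how many accounts leaked."""
    table = {salted_sha1(w, b""): w for w in wordlist}
    cracked = {u: table[h] for u, (_, h) in store.items() if h in table}
    return cracked, len(wordlist)


def salted_attack(store, wordlist):
    """Against per-user salts the precomputed table is useless: each account
    must be attacked on its own, so the cost grows to as much as
    len(wordlist) * len(store) hash operations. Returns (cracked, ops)."""
    cracked = {}
    ops = 0
    for u, (salt, h) in store.items():
        for w in wordlist:
            ops += 1
            if salted_sha1(w, salt) == h:
                cracked[u] = w
                break
    return cracked, ops


if __name__ == "__main__":
    unsalted = build_unsalted_store(USERS)
    salted = build_salted_store(USERS)
    print("accounts:", len(USERS))
    print("unique unsalted hashes:", len(unique_hashes(unsalted)))
    print("unique salted hashes:", len(unique_hashes(salted)))
    cracked, ops = table_attack(unsalted, WORDLIST)
    print(f"table attack on unsalted store: {len(cracked)} accounts, {ops} hash ops")
    cracked, _ = table_attack(salted, WORDLIST)
    print(f"table attack on salted store: {len(cracked)} accounts")
    cracked, ops = salted_attack(salted, WORDLIST)
    print(f"per-account attack on salted store: {len(cracked)} accounts, {ops} hash ops")
```

On the constructed sample the unsalted store collapses five accounts into three distinct hashes, and a table built from five wordlist entries recovers two of those hashes, which is four of the five accounts. The same table recovers nothing from the salted store; the attacker has to rehash the wordlist under every account's salt, paying per account for what previously cost a single table build. Salting does not make a weak password strong, but it removes the dedup undercount and the amortised cost advantage the article describes.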

LinkedIn declined to respond to ZDNet Asia's queries on whether the attack is still ongoing and whether changing passwords is enough to protect users.

[UPDATE: Jun. 8, 11.00 a.m.] LinkedIn has since revealed that of the 6.5 million hashed passwords posted online, only a "small subset" were decoded and published, while the rest remain hashed and difficult to decode.

Silveria confirmed that, to the best of the company's knowledge, no e-mail logins associated with the passwords had been published, and that LinkedIn had not received any verified reports of unauthorized access to any member's account as a result of this incident.

"We are also actively working with law enforcement, which is investigating this matter," he stated.
