LinkedIn Confirms that Some Passwords Have Been Compromised; Apologizes And Increases Security With Hashing and Salting

LinkedIn has confirmed that some of the roughly 6.45 million (yes, million) password hashes that were stolen by a Russian hacker and posted to a forum (where he asked for help cracking them) do correspond to LinkedIn accounts. The breach comes on the heels of recent issues with their mobile app, which caused quite a stir and led a number of people to stop using the app completely.

According to LinkedIn's acknowledgement they are still not sure how the breach happened (or at least they are not releasing that information now). LinkedIn has put up a blog post with more information on what their next steps are, as well as a reminder to users on how to secure their accounts. That advice is sound in general, but it would not have prevented this: what the hacker grabbed were the stored password hashes, not logins. Once an attacker cracks a hash he has that user's password, and because the stolen hashes were stored without a per-user salt, identical passwords produce identical hashes and the whole dump can be attacked in a single pass with a wordlist. A long, random password still holds up against that kind of cracking; a common or predictable one falls within minutes, no matter how complex it looks.

LinkedIn is also saying that they are taking preemptive steps for users that are identified as part of the group.

Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.

These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.

These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

Fortunately, LinkedIn also says it will check whether an affected account's password has already been changed before it invalidates the old one and forces a reset.

It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.

It is good to see LinkedIn confirm the issue and work to deal with it, including salting the stored hashes. Unfortunately, these are things they should have been doing all along: the hashes were already there, and adding a per-user salt (and a deliberately slow hash function) is neither expensive nor difficult, which makes it hard to see why the time and effort were not spent earlier.
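To make concrete what "hashing and salting" changes for an attacker who holds a dump of hashes, here is an added example; it is not LinkedIn's code, and the leaked hash list, the wordlist, the bare SHA-1 storage format and the PBKDF2 iteration count are all assumptions constructed for illustration. It cracks an unsalted dump in one pass with a shared lookup, then shows that salted records cost the attacker one slow key derivation per guess per user.

```python
"""Unsalted fast hashes crack in bulk; per-user salts plus a slow KDF do not.

Added example, not LinkedIn's code. The "leaked" hash list and the wordlist
are constructed here; storing bare SHA-1 hex digests is an assumption made
to stand in for an unsalted dump.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a leaked dump of unsalted SHA-1 password hashes.
LEAKED_UNSALTED = [
    hashlib.sha1(b"password").hexdigest(),
    hashlib.sha1(b"linkedin").hexdigest(),
    hashlib.sha1(b"password").hexdigest(),   # second user, same password, same hash
    hashlib.sha1(b"Tr0ub4dor&3").hexdigest(),
    hashlib.sha1(b"correct horse battery staple").hexdigest(),  # not in our wordlist
]

# Constructed toy wordlist; real attacks use millions of entries plus mangling rules.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "Tr0ub4dor&3"]

PBKDF2_ITERATIONS = 100_000   # illustrative; tune so one verify costs tens of ms


def crack_unsalted(hashes, wordlist):
    """One SHA-1 per candidate, no matter how many users are in the dump.

    Every dump entry goes into a set, so each candidate hash is checked
    against all users at once and identical passwords fall together.
    Returns {hash_hex: plaintext} for every distinct hash recovered.
    """
    targets = set(hashes)
    recovered = {}
    for candidate in wordlist:
        digest = hashlib.sha1(candidate.encode()).hexdigest()
        if digest in targets:
            recovered[digest] = candidate
    return recovered


def store_salted(password, salt=None):
    """Hash with a random per-user salt and a deliberately slow KDF.

    Returns (salt, derived_key); both are what the server keeps.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_salted(password, salt, stored_dk):
    """Constant-time comparison of a fresh derivation against the stored key."""
    _, dk = store_salted(password, salt)
    return hmac.compare_digest(dk, stored_dk)


def crack_salted(records, wordlist):
    """Same wordlist against salted records: no shared table is possible, so the
    work is per user and every guess costs a full PBKDF2 run.

    Returns ({user: plaintext}, number_of_kdf_calls).
    """
    recovered = {}
    kdf_calls = 0
    for user, (salt, dk) in records.items():
        for candidate in wordlist:
            kdf_calls += 1
            if verify_salted(candidate, salt, dk):
                recovered[user] = candidate
                break
    return recovered, kdf_calls


if __name__ == "__main__":
    hits = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    cracked_accounts = sum(h in hits for h in LEAKED_UNSALTED)
    print(f"unsalted: {len(WORDLIST)} SHA-1 calls recovered "
          f"{cracked_accounts} of {len(LEAKED_UNSALTED)} accounts")
    salted = {u: store_salted(p) for u, p in [("alice", "password"), ("bob", "password")]}
    got, calls = crack_salted(salted, WORDLIST)
    print(f"salted: {calls} PBKDF2 calls recovered {len(got)} accounts "
          f"(alice and bob share a password but not a stored hash)")
```

The point of the two cracking functions is the cost model, not the toy wordlist: with unsalted hashes the attacker pays once per candidate for the entire dump, while salting forces that payment once per candidate per user and the slow KDF makes each payment expensive. Salting alone does not rescue a weak password; it only removes the bulk discount.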


We will continue to follow this and update you with any new information we can get.
