LinkedIn Hacked


Editor's Note: For more on this story, read Lessons From The LinkedIn Password Attack.

Over 6.4 million LinkedIn passwords were recently posted on a Russian hacker forum -- but the company hasn't yet confirmed that it was breached.

"'Our team continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred,' said Erin O'Harra, a public relations associate at LinkedIn in response to a request for information," writes SearchSecurity's Robert Westervelt.

"Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords," writes Sophos' Graham Cluley. "As such, it would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step."

"It's worth noting that the passwords are stored as unsalted SHA-1 hashes," writes The Verge's Aaron Souppouris. "SHA-1 is a secure algorithm, but is not foolproof. LinkedIn could have made the passwords more secure by 'salting' the hashes, which involves merging the hashed password with another combination and then hashing for a second time. Even so, unless your password is a dictionary word, or very simple, it will take some time to crack."

"It looks as though some of the weaker passwords -- around 300,000 of them -- may have been cracked already," writes ZDNet's Zack Whittaker. "Other users have been seen reaching out to fellow hackers in an apparent bid to seek help in cracking the encryption. Finnish security firm CERT-FI is warning that the hackers may have access to user email addresses also, though they appear encrypted and unreadable."
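As an added illustration (not from the original article or any of the quoted writers), the Python sketch below shows why unsalted SHA-1 storage lets weak passwords fall quickly, as in the two passages above: identical passwords produce identical hashes, and one wordlist pass checks every account at once. A per-user random salt with PBKDF2 removes both properties. The account names, passwords, wordlist and iteration count are constructed for the example, and PBKDF2-HMAC-SHA256 is an assumed hardened scheme, not something the article specifies.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (illustrative only, not taken from any leak).
ACCOUNTS = [("alice", "linkedin"), ("bob", "linkedin"), ("carol", "S7#vq!pRz2")]

def unsalted_sha1(password):
    """Storage scheme described in the article: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_record(password, iterations=100_000):
    """Assumed hardened scheme: random 16-byte salt per user + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def shared_hashes(table):
    """Group users by stored value; a group of two or more exposes a shared password."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

def audit_against_wordlist(table, wordlist):
    """Weak-password audit of an unsalted table: one hash per word covers all users."""
    lookup = {unsalted_sha1(word): word for word in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}

def build_tables():
    unsalted = {user: unsalted_sha1(pw) for user, pw in ACCOUNTS}
    salted = {user: salted_record(pw) for user, pw in ACCOUNTS}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted, shared hashes:", shared_hashes(unsalted))
    print("unsalted, found by wordlist:", audit_against_wordlist(unsalted, ["password", "linkedin"]))
    print("salted, shared hashes:", shared_hashes(salted))
```

With salted records, each guess has to be recomputed per account with that account's salt and the full iteration count, so a single precomputed lookup no longer applies.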

"It's also important to be aware of suspicious emails in the next few days that claim to be from LinkedIn," writes SecurityNewsDaily's Matt Liebowitz. "Phishing scams will invariably pop up in an attempt to trick you into entering a new password on a site that looks like LinkedIn, but is actually a clever spoof. When you change your LinkedIn login details, do it directly on LinkedIn's site and not from a link in an email."
