The user uploaded 6,458,020 hashed passwords, but no usernames. It's not clear if they managed to download the usernames but it's likely that both have been downloaded. There is a possibility that this could be a hoax, but several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. Many of the hashes include "LinkedIn," which seems to add credence to the claims.
"Our team continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred," the company said on its Twitter feed.
It's worth noting that the passwords are stored as unsalted SHA-1 hashes. SHA-1 is a secure algorithm, but is not foolproof. LinkedIn could have made the passwords more secure by 'salting' the hashes, which involves merging the hashed password with another combination and then hashing for a second time.
Two security firms, Sophos and Rapid7, told CIO Journal they were able to confirm the breach by searching for the known passwords of colleagues within the massive file they say has been spreading through other hacker forums.
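An added example, not code from the article or from LinkedIn: it contrasts unsalted SHA-1 storage, which is what let the two firms confirm the breach by hashing passwords they already knew and searching the file, with per-user salted storage. The dump contents, the function names, and the choice of PBKDF2-HMAC-SHA256 with a random 16-byte salt and 600,000 iterations are assumptions of this example.

```python
import hashlib
import hmac
import os

def sha1_unsalted(password):
    """Unsalted SHA-1 hex digest: the storage scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed stand-in for the leaked file: hashes only, no usernames.
CONSTRUCTED_DUMP = {sha1_unsalted(p) for p in ("password", "linkedin2012", "Summer2012!")}

def is_in_dump(known_password, dump):
    """Check a password you already know against the dump, as the firms did.
    Works only because the same password always yields the same hash."""
    return sha1_unsalted(known_password) in dump

def hash_salted(password, salt=None, iterations=600_000):
    """Hardened form (assumption of this example): random 16-byte per-user
    salt plus PBKDF2-HMAC-SHA256. Store salt, iterations and digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest

def verify_salted(password, salt, iterations, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, _, digest = hash_salted(password, salt, iterations)
    return hmac.compare_digest(digest, expected)

def shared_password_is_visible(password):
    """Two accounts, same password: report whether the stored values collide
    under each scheme, as (unsalted_collides, salted_collides)."""
    unsalted = sha1_unsalted(password) == sha1_unsalted(password)
    a, b = hash_salted(password), hash_salted(password)
    return unsalted, a[2] == b[2]

if __name__ == "__main__":
    print("known password found in dump:", is_in_dump("password", CONSTRUCTED_DUMP))
    print("collisions (unsalted, salted):", shared_password_is_visible("password"))
    salt, n, digest = hash_salted("Summer2012!")
    print("salted verify:", verify_salted("Summer2012!", salt, n, digest))
```

With a per-user salt, a single precomputed hash no longer matches every account that shares a password, so the file-wide lookup shown in `is_in_dump` stops working.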
Graham Cluley, a consultant with UK Web security company Sophos, recommended that LinkedIn users change their passwords immediately. Before confirming the breach, LinkedIn issued security tips as a precautionary measure. The company said users should change passwords at least every few months and avoid using the same ones on multiple sites. LinkedIn also had suggestions for making passwords stronger, including avoiding passwords that match words in a dictionary. One way is to think of a meaningful phrase or song and create a password using the first letter of each word.
Considering that LinkedIn reported back in February that 150 million people use the professional networking service (a number that has certainly grown since then), the breach represents a relatively small number of users. Though chances are slim that you yourself are personally affected — 6.5 million people makes up less than 5% of LinkedIn’s userbase — those odds seem unlikely to assuage the concerns of people who are.