Reportedly 6.5 million LinkedIn accounts have been compromised and their password hashes posted to a Russian forum. One user uploaded nearly 6.5 million hashes to the forum, claiming they were LinkedIn member passwords. No usernames were posted, but it is possible that both usernames and passwords were stolen.
The hashes were posted to seek help cracking them; it could also be a hoax. LinkedIn, for its part, is investigating the hack and has posted to Twitter about it, but so far has not been able to confirm the breach. Some people on Twitter are already saying that the hashes of their real passwords are in the list. Many of the hashes resolve to "linkedin" as the password, which adds some credibility to the list. In any case, this is the time to update your LinkedIn password, even if you haven't visited the site in a long time.
Our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred. Stay tuned here.
— LinkedIn (@LinkedIn) June 6, 2012
LinkedIn is storing passwords as unsalted SHA-1 hashes. An unsalted hash can be cracked quickly when the user chose a dictionary word instead of a strong password, because an attacker only needs to hash each candidate word once and compare the result against every hash in the dump at the same time. Salting makes this harder: a random string or number (the salt) is combined with the password before it is hashed, so two users with the same password get different hashes and each hash has to be attacked separately.
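As an added illustration of the difference described above (example code written for this page, not LinkedIn's own implementation), the Python below puts a constructed member table through unsalted SHA-1 storage and then through per-user salted hashing. The member names, passwords and wordlist are constructed, and the use of PBKDF2 stretching on top of the salt is an assumption beyond what the article states.

```python
import hashlib
import hmac
import os

# Constructed toy member table (not real leaked data). Two members picked the
# same weak password, mirroring the many "linkedin" hashes seen in the dump.
SAMPLE_USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3-long"}

def unsalted_sha1(password):
    """The weak scheme the article describes: one bare SHA-1 over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def dictionary_match(user_hashes, wordlist):
    """Defender's exposure check: with no salt, hashing each wordlist entry once
    is enough to test it against every account in the dump simultaneously.
    Returns {username: recovered_password} for every hash that matched."""
    lookup = {unsalted_sha1(word): word for word in wordlist}
    return {user: lookup[h] for user, h in user_hashes.items() if h in lookup}

def salted_hash(password, salt=None, iterations=100_000):
    """Salted and stretched storage: a fresh 16-byte random salt per user, run
    through PBKDF2-HMAC-SHA256. The iteration count (stretching) is an assumption
    beyond the page's text; the salt alone already defeats the shared lookup."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify(password, salt, stored_digest, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)

if __name__ == "__main__":
    leaked = {user: unsalted_sha1(pw) for user, pw in SAMPLE_USERS.items()}
    print("unsalted, cracked:", dictionary_match(leaked, ["password", "linkedin", "123456"]))
    salted = {user: salted_hash(pw) for user, pw in SAMPLE_USERS.items()}
    # alice and bob share a password but no longer share a stored hash
    print("salted digests differ:", salted["alice"][1] != salted["bob"][1])
    print("verify alice:", verify("linkedin", *salted["alice"]))
```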
LinkedIn is also in the news this morning over how its iOS app transmits full meeting notes to its servers.
Update: LinkedIn responded on its blog:
We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.