LinkedIn Tells Users to Change Passwords, Confirms Breach
Update: LinkedIn confirmed the breach, saying it had locked down the compromised accounts and notified affected users. It will now “salt” its stored password hashes to make them harder to crack.
It seems likely that LinkedIn has suffered a breach of millions of user passwords, but the company says it hasn’t been able to confirm that’s the case — even some eight hours after it first came to light.
Following widespread reports today that 6.5 million unique password hashes had been published online by a Russian hacker, LinkedIn is now adding its official voice to the chorus telling users to change their passwords. With so many eyes watching its blog and Twitter account for updates, the company has only now told users to choose strong, unique passwords and to change them regularly.
The hashes were originally posted two days ago, but their connection to LinkedIn appears to have first been reported about eight hours ago by a Norwegian newspaper.
There are two main indicators that the passwords are from LinkedIn: First, thousands of them contain the word “Link” or “LinkedIn”; second, many people — including security researchers — have tweeted or blogged that they have found their own unique LinkedIn passwords in the batch.
The data dump also included about 1.5 million passwords that similarly indicate they may be from eHarmony.
Reports suggest the list consists mainly of harder-to-crack passwords that the poster wanted help cracking.
The LinkedIn passwords were protected only by unsalted SHA-1 hashes, which security experts consider a weak defense. SHA-1 is a fast, general-purpose hash, not a password-hashing function, and without a per-user salt every account that chose the same password has the same hash, so a single pass over a wordlist or a precomputed table tests the entire batch at once.
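As an added illustration (not code from the original article or from LinkedIn), the following Python shows why that matters. A constructed batch of unsalted SHA-1 hashes falls to one pass over a wordlist, while per-record salts force the attacker to repeat that pass for every record, and a deliberately slow KDF such as PBKDF2 makes each pass expensive. The sample passwords, the wordlist and the stored-record format are constructed for the example and do not come from the leak.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample data: a few passwords as a site might have stored them
# in 2012, as bare unsalted SHA-1 hex digests. Illustrative only, not the
# leaked LinkedIn list. Note that "linkedin1" appears twice.
SAMPLE_PASSWORDS = ["linkedin1", "password", "Summer2012", "linkedin1", "Xq7$kLp9!zR2"]
LEAKED_UNSALTED = [hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PASSWORDS]

# A tiny constructed wordlist standing in for the multi-million-entry
# dictionaries an attacker would really use.
WORDLIST = ["123456", "password", "linkedin", "linkedin1", "Summer2012", "letmein"]


def crack_unsalted(hashes: List[str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attack a batch of unsalted hashes with ONE pass over the wordlist.

    With no salt, every user who chose the same password has the same digest,
    so each candidate word is hashed once and compared against the whole leak
    at once. Cost is len(wordlist) hash evaluations regardless of how many
    hashes leaked. Returns {digest: password} plus the evaluation count.
    """
    targets = set(hashes)
    cracked: Dict[str, str] = {}
    evaluations = 0
    for word in wordlist:
        evaluations += 1
        digest = hashlib.sha1(word.encode()).hexdigest()
        if digest in targets:
            cracked[digest] = word
    return cracked, evaluations


def store_salted(password: str, iterations: int = 100_000) -> str:
    """Hash a password with a random 16-byte salt and PBKDF2-HMAC-SHA256.

    The "algo$iterations$salt$dk" record layout is an assumption made for
    this example. Salting alone already defeats the one-pass attack above;
    the slow KDF additionally makes every guess expensive. Production code
    should use an iteration count tuned to current hardware.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the KDF from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records: List[str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attack salted records: the wordlist must be re-run for EVERY record.

    Each record has its own salt, so no work carries over between records and
    duplicate passwords are invisible. Returns {record: password} plus the
    number of KDF evaluations spent.
    """
    cracked: Dict[str, str] = {}
    evaluations = 0
    for record in records:
        for word in wordlist:
            evaluations += 1
            if verify_salted(word, record):
                cracked[record] = word
                break  # stop at the first match for this record
    return cracked, evaluations


if __name__ == "__main__":
    found, cost = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    accounts = sum(1 for h in LEAKED_UNSALTED if h in found)
    print(f"unsalted SHA-1: {accounts}/{len(LEAKED_UNSALTED)} accounts in {cost} hash evaluations")

    records = [store_salted(p, 10_000) for p in SAMPLE_PASSWORDS]
    found_s, cost_s = crack_salted(records, WORDLIST)
    print(f"salted PBKDF2:  {len(found_s)}/{len(records)} accounts in {cost_s} KDF evaluations "
          f"(each {10_000} iterations)")
```

The unsalted case recovers four of the five constructed accounts in six SHA-1 evaluations; the salted case needs 21 PBKDF2 evaluations for the same result, each one thousands of times slower, and the count grows linearly with the number of records instead of staying flat.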
News of the likely password breach came a day after concern over a new LinkedIn iPhone app feature that sends calendar information to the company’s servers. That is a less serious issue, since the feature is opt-in and exists explicitly to match calendar entries with LinkedIn profile data. Even so, LinkedIn made some modifications today to address user concerns.