updated 04:46 pm EDT, Wed June 6, 2012
Encrypted passwords reportedly posted to Russian hacker sites
(Updated with breach confirmation from LinkedIn) Wednesday brings reports of further security woes for LinkedIn, as Norwegian site Dagens IT carries a warning that 6.5 million encrypted passwords from the professional networking site have been posted to a Russian hacker forum. The passwords are said to be in an easily crackable format, and the files posted to the hacker site may contain user data as well. LinkedIn is looking into the problem, but the company is unable to confirm the breach as yet.
The leaked passwords are said to be "hashed": that is, run through a one-way algorithm that turns a block of data into a fixed-size bit string, such that any change to the data will also change the hash value. The problem with plain hashed passwords is that identical passwords produce identical hashes; so if two users both have the password "P@$$w0rd," then cracking one means that the other is cracked as well. Security experts have reportedly been castigating LinkedIn for failing to "salt" its passwords -- that is, to add another layer of security by combining a random value with each password before it is hashed, so that identical passwords no longer share a hash.
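The following is an added example, not code from the article or from LinkedIn, that makes the distinction concrete: it hashes the same constructed set of accounts once without a salt and once with a fresh random salt per user, then checks which accounts share an identical stored value. The salted variant also goes slightly beyond the article by using an iterated construction (PBKDF2-HMAC-SHA256 from Python's standard library); the iteration count and the sample accounts are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not from the article): three accounts,
# two of which picked the same password quoted in the article.
SAMPLE_USERS = {
    "alice": "P@$$w0rd",
    "bob": "P@$$w0rd",
    "carol": "tr0ub4dor&3",
}

ITERATIONS = 100_000  # assumed work factor; the article states none


def unsalted_hash(password: str) -> str:
    """Hash of the password alone: the weak scheme the article describes.
    Identical passwords always produce identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted and iterated hash (PBKDF2-HMAC-SHA256). The per-user salt makes
    identical passwords produce different digests; the iteration count slows
    down every guess that has to be checked against the digest."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return dk.hex()


def make_salted_record(password: str) -> dict:
    """What a password store should keep: a fresh random salt plus the digest
    and the parameters needed to recompute it."""
    salt = os.urandom(16)
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": salted_hash(password, salt, ITERATIONS),
    }


def verify_salted(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = salted_hash(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def duplicate_groups(stored: dict) -> list:
    """Group usernames whose stored digests are identical. Any group with more
    than one member is a set of accounts that fall together if one is cracked."""
    by_digest = {}
    for user, digest in stored.items():
        by_digest.setdefault(digest, []).append(user)
    return sorted(users for users in by_digest.values() if len(users) > 1)


def build_tables(users: dict = SAMPLE_USERS):
    """Build an unsalted table and a salted table from the same plaintexts."""
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: make_salted_record(p) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted duplicates:", duplicate_groups(unsalted))
    print("salted duplicates:  ", duplicate_groups({u: r["hash"] for u, r in salted.items()}))
    print("verify alice:", verify_salted("P@$$w0rd", salted["alice"]))
    print("verify wrong:", verify_salted("wrong", salted["alice"]))
```

Run as a script, the unsalted table reports alice and bob as a duplicate group while the salted table reports none, which is exactly why a leaked table of plain hashes lets one cracked entry expose every account that chose the same password. The salt is not secret; it is stored next to the digest, and its only job is to make each stored value unique so that guesses must be made per account rather than once for the whole table.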
LinkedIn has yet to confirm the security breach, though the company has announced in two tweets over the past few hours that it is looking into the problem. Other outlets are advising that users change passwords for their LinkedIn profile, as it is unknown exactly which users may be affected by the breach.
Should reports of the breach prove true, it would mark the second security risk for the site to emerge today. Earlier, researchers discovered that a feature in the LinkedIn mobile app for iOS gathers and transmits back unsecured data from users' calendar apps.
Update: In a post this afternoon on the LinkedIn Blog, the company confirmed that some LinkedIn account passwords had been compromised. LinkedIn has deactivated the passwords for affected accounts and sent out an email for the owners of those accounts to reset their passwords. LinkedIn's customer support team will send out a second email to affected users that will provide further information on the security breach.
Further, LinkedIn noted that the site has recently implemented improved security protocols. Passwords for LinkedIn accounts are now encrypted in a manner that includes both hashing and salting.
"Our team is currently looking into reports of stolen passwords. Stay tuned for more." — LinkedIn News (@LinkedInNews), June 6, 2012
"Our team continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred. Stay tuned here." — LinkedIn News (@LinkedInNews), June 6, 2012