LinkedIn confirmed on Thursday that approximately 6.5 million hashed LinkedIn passwords were leaked, and that a “small subset of the hashed passwords was decoded and published.” According to Sophos, the share of LinkedIn passwords already cracked is actually closer to 60 percent.
On Wednesday, reports surfaced that millions of hashed user passwords had been posted on a Russian forum, where the poster asked for help cracking them. At the time, LinkedIn said it was unable to confirm whether a security breach had occurred.
Many hosting companies and their employees have LinkedIn accounts, and websites of all sizes use LinkedIn as one of the social networks that drive traffic to their sites. With at least 161 million members, the 6.5 million leaked hashes represent about four percent of LinkedIn's user base.
LinkedIn has used its blog and Twitter to keep users updated on the status of the investigation, which now involves the FBI. Still, the posts are vague and updates sparse. It is still unclear how the passwords were taken in the first place, and when the initial breach occurred.
A report by ZDNet suggests that if LinkedIn had a chief information officer or a chief information security officer, it might have foreseen the security issue; there appears to be no one at the top of the chain of command leading risk management or information security strategy. Security roles are a vital part of any online social network's management team, and really of any business that holds users' personal information online.
In a blog post on Thursday, LinkedIn says it locked down and protected the accounts associated with the decoded passwords it believed to be at greatest risk. It invalidated those passwords and contacted the users with a message instructing them to reset their passwords.
LinkedIn also disabled the passwords of other members it believed could be potentially affected.
LinkedIn says its current production database stores account passwords salted as well as hashed, which it describes as an additional layer of security.
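The difference salting makes is easy to see in a few lines. The example below is added here and is not LinkedIn's code; the article does not name the hash algorithm used for the leaked set, so plain SHA-1 is assumed as a stand-in for an unsalted scheme, PBKDF2-HMAC-SHA256 with a random 16-byte salt is assumed for the salted scheme, and the account list is constructed sample data. Without a salt, every account sharing a password stores the same value, so one precomputed table or one cracked hash exposes all of them at once; with a per-account salt, identical passwords store different digests and each one has to be attacked separately.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample input: three accounts, two of which share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.test": "correcthorsebatterystaple",
    "bob@example.test": "correcthorsebatterystaple",
    "carol@example.test": "a-different-passphrase",
}

# Assumed PBKDF2 work factor; tune to the time budget of your login path.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Hash the password with no salt.

    SHA-1 is assumed here as the stand-in for an unsalted scheme; the
    article does not say which algorithm protected the leaked passwords.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Hash the password with a random 16-byte salt using PBKDF2-HMAC-SHA256.

    Returns (salt, digest). Both are stored: the salt is not secret, but it
    is needed again to recompute the digest when the user logs in.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, stored_digest: bytes,
           iterations: int = ITERATIONS) -> bool:
    """Recompute the salted hash and compare it in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


def distinct_unsalted(users: Dict[str, str]) -> int:
    """Number of distinct stored values when passwords are hashed without salt.

    Shared passwords collapse to one value, so this is less than the number
    of accounts whenever any two users picked the same password.
    """
    return len({unsalted_hash(pw) for pw in users.values()})


def distinct_salted(users: Dict[str, str]) -> int:
    """Number of distinct stored digests when each account gets its own salt.

    Equals the number of accounts (barring a 128-bit salt collision), even
    when passwords repeat.
    """
    return len({salted_hash(pw)[1] for pw in users.values()})


if __name__ == "__main__":
    n = len(SAMPLE_USERS)
    print(f"{n} accounts -> {distinct_unsalted(SAMPLE_USERS)} distinct unsalted hashes")
    print(f"{n} accounts -> {distinct_salted(SAMPLE_USERS)} distinct salted digests")
    salt, digest = salted_hash("correcthorsebatterystaple")
    print("correct password verifies:", verify("correcthorsebatterystaple", salt, digest))
    print("wrong password verifies:  ", verify("Tr0ub4dor&3", salt, digest))
```

Run as a script, it reports two distinct unsalted hashes for three accounts (alice and bob collide) against three distinct salted digests, then shows a correct and an incorrect password checked against one stored record. The `verify` function is the only place the stored digest is compared, and it uses `hmac.compare_digest` so the comparison time does not leak how many leading bytes matched.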
“We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously,” Vicente Silveira, a director at LinkedIn, said in a blog post.
Last year, shortly after LinkedIn’s IPO, a security analyst claimed that LinkedIn had a security flaw that could allow attackers to access users’ accounts without their passwords. The flaw was connected to how LinkedIn handled its cookies.
Talk back: Do you think LinkedIn is keeping its users informed enough? Have you changed your LinkedIn password yet? Let us know in a comment.