LinkedIn is investigating reports that millions of user passwords have been breached and posted on a Russian hacker forum.
The post allegedly contains a file that lists roughly 6.45 million SHA-1 hashed but unsalted passwords of LinkedIn users. Usernames were not included.
"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," blogged Vicente Silveira, director at LinkedIn.
"We are continuing to investigate this situation, and here is what we are pursuing as far as next steps for the compromised accounts: Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any Website by following a link in an email. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords."
The compromise of a LinkedIn account has three important ramifications, said Carl Leonard, senior manager of security researcher at Websense.
"First, the key concern is the bad actors taking advantage of trust," he said. "If you are linked to a trusted colleague, you are more likely to click on a malicious link sent from them, which may open the door to targeted attacks and confidential data theft."
"Second, because many LinkedIn accounts are tied to other social media services, such as Facebook or Twitter, posts with malicious links can also be propagated to a larger audience," Leonard said. "And lastly, many of us are creatures of habit and have the same password for multiple accounts. The consequences of a breached password could be extrapolated across email, social media, banking accounts and mobile phone data."
Recent research performed by Trustwave SpiderLabs found that in a group of more than 2.5 million passwords that were analyzed, variations on the word password made up more than 5 percent of passwords, and the most common password used by global businesses is Password1 because it satisfies the default Microsoft Active Directory complexity setting.
Anyone using the same password on another Website or service should change their password there as well, said Marcus Carey, security researcher with Rapid7.
Everyone should stand by for further information from LinkedIn on the compromise," he said. "By all indications it doesnt appear that LinkedIn has contained the compromise yet, so everyone should be aware that they may have to change their passwords multiple times. You should still go ahead and change it straight away, but you may have to change it for a second time if it turns out the attackers are still entrenched in LinkedIns systems.
The reports of the password hack came at an inopportune time, as LinkedIn is dealing with criticism about a privacy lapse tied to its mobile calendar feature. Security researchers Adi Sharabani and Yair Amit discovered LinkedIn's iOS app collects information such as passwords and meeting notes from calendar entries and transmits it back to the company's servers.
"For those not familiar with our calendar feature, with your permission, we sync with your mobile devices calendar to provide information about the people you are about to meet by showing you their LinkedIn profile," Joff Redfern, LinkedIn's head of mobile products, explained in a blog post.
"In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles," he continued.
"That information is sent securely over SSL [Secure Sockets Layer], and we never share or store your calendar information. In an effort to make that algorithm for matching people with profiles increasingly smarter, we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes."
According to Redfern, the company will no longer send data from the meeting notes section of users' calendar events. The changes are already live for Android users and will be rolled out to Apple iOS users shortly.