LinkedIn admitted Wednesday that a hacker managed to steal millions of users' passwords and post them to the Web, leading the Mountain View professional-networking service to lock up accounts with stolen passwords.
A user uploaded almost 6.5 million passwords to a Russian Web forum, claiming that they were from LinkedIn. Although the list that was uploaded to the forum did not include user names, that does not necessarily mean whoever managed to extract the passwords did not also obtain the corresponding email addresses that match those accounts.
After investigating for most of the day Wednesday, LinkedIn Director Vicente Silveira said in a blog post "that some of the passwords that were compromised correspond to LinkedIn accounts."
What makes the breach particularly alarming is that it involved a relatively mature website that is used by tens of millions of people, said Phil Hochmuth, a security analyst with tech research firm IDC.
The compromise "is disconcerting," he said.
LinkedIn users who have paid for premium accounts -- a minority of its 161 million members -- run the risk of having their credit card information compromised, said security analysts. But even nonpaying LinkedIn users could be in danger.
Many consumers use the same password across multiple websites, analysts noted. So, even if they don't have financial information stored on LinkedIn, the same email address and password they use on that site could be used to access such information elsewhere.
"People need to think outside of the service," said Lawrence Pingree, a security analyst at technology research firm Gartner.
Meanwhile, users typically have a great deal of information about themselves and their associates stored in their LinkedIn accounts. That information could be used to construct very sophisticated phishing attacks.
LinkedIn users should be "double checking, making sure messages being sent to them under the guise of connections from LinkedIn ... are legitimate," said Hochmuth, adding that their data "might be used to exploit them."
Customers whose passwords were verified as stolen will immediately have their passwords invalidated, Silveira wrote, and receive an email with instructions on how to reset them.
"There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email," Silveira warned.
Those account holders will also receive a second email from the company's customer service team with further explanation and details, Silveira wrote.
"We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously," he said.
But security experts recommended that all users -- not just those alerted by LinkedIn -- change their passwords.
The uploaded passwords are hashed rather than stored in plaintext, and the hacker who uploaded them was reportedly seeking assistance in cracking them. However, the British Web security consultant who originally detailed the posted passwords said an investigation showed the passwords to be legitimate and suggested that LinkedIn customers change their passwords immediately.
The consultant, Graham Cluley of Web security company Sophos, wrote in his blog post that "although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals."
Some users also reported on Twitter that they had found their encrypted, or "hashed," passwords on the list.
Marcus Carey, a security researcher at Boston-based Rapid7, told Reuters he was "highly confident" that hackers had wormed their way inside LinkedIn's network for several days, based on his analysis of the data posted on the forums.
"While LinkedIn is investigating the breach, the attackers may still have access to the system," Carey warned. "If the attackers are still entrenched in the network, then users who have already changed their passwords may have to do so a second time."
The company's stock initially fell Wednesday after reports of the passwords' theft, even as Wall Street enjoyed strong gains. But the shares recovered by the close of trading and ended the session up 8 cents, or 0.1 percent, to $93.08.