LinkedIn confirms probe of possible breach that may have exposed 6.5 million user passwords

“Our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred. Stay tuned here”, LinkedIn said in a Twitter message.

IT security and data protection firm Sophos said that its researchers have observed a file containing close to 6.5 million unsalted password hashes posted on the internet, and hackers are currently working to crack them. Sophos researchers have confirmed that the file contains LinkedIn passwords, but not associated email addresses.

“It would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step”, said Graham Cluley, senior technology consultant at Sophos. “Of course, make sure that the password you use is unique – in other words, not used on any other websites – and that it is hard to crack. If you were using the same passwords on other websites, make sure to change them too. And never again use the same password on multiple websites.”

Commented Orlando Scott-Cowley, a security expert at cloud email firm Mimecast: “While a data leak of this kind would be very worrying for individuals, a security issue with LinkedIn could also be very potentially damaging for businesses. With many users seeing the site as an extension of their business communications, rather than as a personal tool, employers need to be aware about the possible threat to corporate data that a LinkedIn breach could represent.”

Security researcher Mikko Hypponen advised LinkedIn users: “First change your LinkedIn password. Then prepare for scam emails about LinkedIn password changes, linking to phishing sites.”
