Shortly after it was reported that nearly 6.5 million LinkedIn account passwords were leaked onto the net, LinkedIn leapt into action and mounted their own investigation.
Though most of the morning was spent claiming that they could not confirm a security breach, a new announcement on their blog reveals that at least some of those leaked passwords correspond to LinkedIn accounts.
There are still plenty of unanswered questions here though. The company has yet to offer its official word on just how many users were impacted, how the hashes were obtained, or whether the email addresses that go with those passwords were also leaked. LinkedIn’s Vicente Silveira was quick to note that the investigation is far from over, and with any luck the company will discover and disclose those details soon.
In the meantime, the company notes that users who have already changed their passwords (you already did, right?) or created a new account won’t have to worry, as it has recently begun salting, in addition to hashing, its current password databases. That matters because the leaked file already consists of hashes; what it lacks is per-user salt, which is what lets a single pass over a wordlist test every entry in the dump at once.
In case you’re curious about the sorts of passwords that appear in the sizable password hash dump, the team at FictiveKin have launched a tool called LeakedIn that takes a text input, hashes it with the SHA-1 algorithm, and checks it against the leaked file. So far, the usual suspects like “linkedin” and “password” are among those that have been leaked, though with passwords that weak it’s no surprise they were among the first to be cracked.
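The check LeakedIn performs, and the reason an unsalted dump falls so quickly, can be shown in a few lines. This is an added illustration, not the LeakedIn tool's own code or anything from LinkedIn: the sample hash set and the wordlist are constructed here for the demo and are not lines from the leaked file. The salted variant uses a per-user random salt stored beside the hash, which is the design change the company describes.

```python
"""Unsalted SHA-1 lookup (a LeakedIn-style check) versus a salted scheme."""
import hashlib
import os

# Constructed sample "dump": unsalted SHA-1 hex digests of a few passwords.
# Computed here for the demo; these are not entries from the real leaked file.
SAMPLE_PASSWORDS = ("linkedin", "password", "123456", "Tr0ub4dor&3-correct-horse")
LEAKED_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in SAMPLE_PASSWORDS}

# Constructed wordlist: a tiny stand-in for a real dictionary file.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein", "monkey"]


def sha1_hex(password):
    """Unsalted SHA-1 of the password, the form the leaked file stores."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_leaked(password, dump=LEAKED_HASHES):
    """The LeakedIn check: hash the candidate once and look it up in the dump.
    Without salt, one hash computation answers the question for every user at once."""
    return sha1_hex(password) in dump


def crack_unsalted(dump, wordlist):
    """Dictionary attack on an unsalted dump. Each word is hashed once and the
    digest looked up in the whole dump in O(1), so the cost is len(wordlist)
    hash operations regardless of how many accounts are in the file.
    Returns (found: digest -> password, number of hash operations)."""
    found = {}
    ops = 0
    for word in wordlist:
        ops += 1
        digest = sha1_hex(word)
        if digest in dump:
            found[digest] = word
    return found, ops


def salted_record(password, salt=None):
    """Per-user random salt stored beside the hash, as (salt_hex, digest_hex).
    Demo only: salted SHA-1 is still a fast hash that an attacker can test at
    very high rates; a production system should use a slow password hash such as
    bcrypt, scrypt, PBKDF2 or Argon2. The point shown here is the salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def crack_salted(records, wordlist):
    """Same dictionary against salted records. Every (salt, word) pair must be
    hashed separately, so the work is len(records) * len(wordlist) and a table
    precomputed for one dump (or one user) is useless for the next.
    Returns (found: digest -> password, number of hash operations)."""
    found = {}
    ops = 0
    for salt_hex, digest in records:
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            ops += 1
            if hashlib.sha1(salt + word.encode("utf-8")).hexdigest() == digest:
                found[digest] = word
    return found, ops


if __name__ == "__main__":
    for candidate in ("password", "linkedin", "correct horse battery staple"):
        print(f"{candidate!r}: {'LEAKED' if is_leaked(candidate) else 'not in dump'}")

    found, ops = crack_unsalted(LEAKED_HASHES, WORDLIST)
    print(f"unsalted: cracked {len(found)} of {len(LEAKED_HASHES)} in {ops} hash ops")

    records = [salted_record(p) for p in SAMPLE_PASSWORDS]
    found_s, ops_s = crack_salted(records, WORDLIST)
    print(f"salted:   cracked {len(found_s)} of {len(records)} in {ops_s} hash ops")
```

The weak passwords are found either way; what the salt changes is that the attacker's work scales with the number of accounts instead of being a single pass over the wordlist, and that a rainbow table or a lookup site built for one dump says nothing about another. Note that the demo keeps SHA-1 only to stay close to what the leaked file used; salting a fast hash slows an attacker down by the size of the dump, not by the cost per guess, so a deliberately slow password hash is still the right choice.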
“@jwherrman poor Sunep. Spelling his name backwards seemed like such an awesome password idea.”
Ross Neumann (@rossneumann), June 6, 2012
Here’s the company’s statement regarding what they intend to do for affected users:
We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.
These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.