If you’re a LinkedIn user, do yourself a favor and change your password right now: according to a new report from Dagens IT, nearly 6.5 million hashed LinkedIn passwords were recently dumped onto a Russian hacker forum.
The news comes right on the heels of yet another user security kerfuffle, as the most recent LinkedIn for iOS update was found to transmit users’ meeting notes back to LinkedIn servers without their permission.
Of the millions of password hashes dumped, Dagens IT claims that nearly 300,000 of them have been cracked so far, and that number seems sure to grow as users spread that hefty file around.
The passwords are stored as unsalted SHA-1 hashes, and multiple reports on Twitter indicate that users have found their own hashes buried in the massive text dump. While unsalted hashes are much less secure than their salted brethren, it still takes a non-trivial amount of time to crack one unless the user opted for a common dictionary word as their password. It’s currently unknown whether or not the email addresses that correspond to those passwords have also been dumped; if someone does have them, they apparently don’t feel like sharing.
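To make the "unsalted SHA-1" point concrete, here is an added example (not code from the article or from LinkedIn) that shows why unsalted hashes are weak and what the salted alternative looks like. The "dump" is a constructed set of three hashes computed from made-up passwords, not data from the leak; the PBKDF2 scheme is an assumed hardened design, not a description of what LinkedIn actually used.

```python
import hashlib
import hmac
import os
from typing import Optional, Set, Tuple

# Constructed sample "dump": unsalted SHA-1 hex digests of made-up passwords.
# Real leaks look like this (one bare hex digest per line, no salt, no username).
CONSTRUCTED_DUMP: Set[str] = {
    hashlib.sha1(b"password").hexdigest(),
    hashlib.sha1(b"linkedin").hexdigest(),
    hashlib.sha1(b"correct horse battery staple").hexdigest(),
}


def unsalted_sha1(password: str) -> str:
    """The weak scheme the article describes: SHA-1 over the bare password.
    Every user who picked the same password gets the identical stored value,
    so one precomputed table answers for all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_in_dump(password: str, dump: Set[str]) -> bool:
    """The self-check users on Twitter did: hash my password the same way and
    look for it in the dump. Possible only because there is no per-user salt."""
    return unsalted_sha1(password) in dump


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Assumed hardened alternative: a random 16-byte salt per user plus a slow
    key-derivation function. The salt is stored next to the digest in the clear."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_hashes_differ(password: str) -> bool:
    """Two accounts with the same password get different stored values once a
    per-user salt is involved, so a cracked hash tells you nothing about other users."""
    _, d1 = salted_pbkdf2(password)
    _, d2 = salted_pbkdf2(password)
    return d1 != d2


if __name__ == "__main__":
    print("unsalted SHA-1 of 'password':", unsalted_sha1("password"))
    print("found in constructed dump:", hash_in_dump("password", CONSTRUCTED_DUMP))
    print("salted digests differ for same password:", salted_hashes_differ("password"))
    salt, digest = salted_pbkdf2("password")
    print("salted verify correct/incorrect:",
          verify_pbkdf2("password", salt, digest), verify_pbkdf2("Password", salt, digest))
```

The lookup in `hash_in_dump` is the whole attack surface in miniature: with no salt, the same word always produces the same digest, so a table of digests for common words works against every account in the dump at once. The salted, iterated scheme forces that work to be redone per user and per guess.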
Considering that LinkedIn reported back in February that 150 million people use the professional networking service (a number that has certainly grown since then), the breach represents a relatively small share of users. Though chances are slim that you yourself are personally affected (6.5 million people make up less than 5% of LinkedIn’s userbase), those odds seem unlikely to assuage the concerns of people who are.
For what it’s worth, LinkedIn has just acknowledged that they are aware of these reports, though their most recent tweet doesn’t offer up any additional information:
UPDATE: LinkedIn has just taken to Twitter again to say that after a bit of investigation, they are “still unable to confirm that any security breach has occurred.” Stay tuned for further updates.