LinkedIn has not had a good run at user privacy over the last few days, first a report began circulating in which LinkedIn was violating its own user privacy policy by sending detailed calendar entries to its servers and now 6.46 million encrypted LinkedIn passwords are believed to have been stolen and potentially leaked online.
News of the hack comes from a Russian forum user who claims they hacked LinkedIn and downloaded the passwords, that user then posted the encrypted passwords without usernames as proof of their hack.
LinkedIn utilizes SHA-1 cryptographic hash functions which are found in SSL and TLS security protocols. While that method is considered “relatively” secure” it is not fool proof. Apparently LinkedIn passwords were being stored as unsalted hashes which makes them easier to decipher using pre-computed rainbow tables.
Essentially someone with the right resources which are relatively cheap to obtain can crack the passwords in a short period of time once they are obtained.
LinkedIn has not yet confirmed or denied the hackers claims but rather tweeted that they are looking into the potential security breach.
As with any potential or real security breach it is recommended that users access their LinkedIn accounts as soon as possible. For users who use the same password for their banking and other online accounts it is also smart to change those passwords to avoid further security breaches on your personal accounts.
Here’s the full tweet from LinkedIn, feel free to follow the social networks Twitter account to stay up-to-date on security issues and other LinkedIn news:
Our team is currently looking into reports of stolen passwords. Stay tuned for more.
— LinkedIn (@LinkedIn) June 6, 2012
Update: Even more bad news for LinkedIn users today. The LinkedIn App for iPad and iPhone users is sending unsecured, plain text information from your calendar to company servers. FIND OUT MORE HERE .
