June 6, 2012 at 12:30 PM ET
With lawmakers in Washington D.C. expressing concern, LinkedIn confirmed Wednesday afternoon via its blog that user passwords had been compromised. The business networking site, however, did not address whether the number of passwords stolen equaled the more than 6.5 million reported earlier in the day. Meanwhile, 1.5 million passwords belonging to users of online dating site eHarmony may also have been stolen, perhaps by the same hacker who attacked LinkedIn.
Ars Technica had a security expert crack some of the passwords, and he made the connection between the two hacks.
"After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected," said eHarmony on a blog Wednesday. "We are continuing to investigate but would like to provide the following actions we are taking to protect our members." Those actions include resetting "affected" members' passwords, and offering tips on how to create a more secure password.
Both LinkedIn and security experts advised Wednesday that LinkedIn users change their passwords as soon as possible.
LinkedIn director Vicente Silveira wrote:
We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
- Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
- These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.
- These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
Earlier in the day, security firm Sophos reported that the files posted on a Russian hacker site do contain LinkedIn passwords. "A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them," wrote Graham Cluley, Sophos senior technology consultant. "Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals."
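The detail that matters in Cluley's description is "unsalted": a single SHA-1 over the password means every user who chose the same password gets the same stored hash, and one precomputed table serves the whole file. The following example is added here to show that property and the check a site operator could run against their own credential store; it is not code from the article, LinkedIn or Sophos, and the three user accounts and passwords in it are constructed. The salted, iterated alternative (PBKDF2 via Python's standard `hashlib`) is shown beside it as the mitigation.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample credentials for the demonstration (not from any leaked file).
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}


def unsalted_sha1(password: str) -> str:
    """The weak scheme described in the article: one SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash. Returns 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    A fresh 16-byte random salt per user makes identical passwords hash differently,
    so a precomputed table is useless and shared passwords are not visible in the store.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unexpected hash scheme: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def duplicate_hash_groups(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Defender's audit: group usernames whose stored hash is byte-identical.

    On an unsalted store every group of size > 1 is a set of users sharing one password.
    On a properly salted store this should return nothing.
    """
    groups: Dict[str, List[str]] = {}
    for user, h in store.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def build_stores():
    """Build the same three accounts under both schemes for comparison."""
    unsalted = {user: unsalted_sha1(pw) for user, pw in USERS.items()}
    salted = {user: pbkdf2_record(pw) for user, pw in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted SHA-1 duplicate groups:", duplicate_hash_groups(unsalted))
    print("salted PBKDF2 duplicate groups: ", duplicate_hash_groups(salted))
    print("alice verifies:", verify_pbkdf2("linkedin2012", salted["alice"]))
```

Running it prints one duplicate group (`alice` and `bob`) for the unsalted store and none for the salted one, which is exactly the leak the article's "hackers are working together to crack them" exploits: with no salt, cracking one hash reveals every account that shares it. The iteration count is a constructed choice; the point is that it is tunable and that the salt is stored alongside the hash rather than hidden.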
All LinkedIn members should take precautionary measures and change their passwords immediately, Cluley advised, and provided the following instructions:
- Log into LinkedIn.
- You should see your name in the top right hand corner of the webpage. Click on it, and you will open a drop-down menu. Choose "Settings".
- Choose the option to change your password.
- After entering your old password, you will have to enter your new (hopefully unique and hard-to-crack) password twice.
If you access LinkedIn via your Facebook account, take the extra precaution of changing your Facebook password as well. Further, if your LinkedIn password is the same one you use for any other accounts, change those as well -- hackers will often try out a password on several accounts, since so many people are in the (bad) habit of using just one.
Both Sen. Patrick Leahy (D-Vt.) and Rep. Mary Bono Mack (R-Calif.) cited the incident as evidence that Congress should pass data-security legislation, The Hill reports, noting that both lawmakers have sponsored data-security bills in the past.
In a statement provided to The Hill, Sen. Patrick Leahy said, "Reports of another major data breach should give pause to American consumers who, now more than ever, share sensitive personal information in their online transactions and networking."
Rep. Bono Mack said in a statement, "Nothing threatens e-commerce more than a lack of consumer confidence, and today a lot of people are becoming very antsy about providing their personal information online."
News of the possible LinkedIn password leak comes less than 24 hours after mobile security researchers revealed that the LinkedIn mobile app is able to access subscriber meeting notes.
"The app doesn't only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes," writes Skycure Security researcher Adi Sharabani on the company's blog. "If you have decided to opt-in to this calendar feature in iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every-time you open your LinkedIn app."
In a blog post responding to the mobile app flap, LinkedIn mobile product head Joff Redfern emphasizes that user information used to sync the calendar app "is sent securely over SSL and we never share or store your calendar information" and that LinkedIn does not "under any circumstances access your calendar data unless you have explicitly opted in to sync your calendar."
In response to the Skycure Security findings, Redfern added that LinkedIn "will improve" the following:
- These improvements are live on Android now and have been submitted to the Apple store and will be available shortly.
- There will be a new “learn more” link to provide more information about how your calendar data is being used.
- We will no longer send data from the meeting notes section of your calendar event.