June 9, 2012 at 7:37 PM ET
LinkedIn said Saturday that none of the 6.5 million user passwords that were stolen and published on a website have been used to get into member accounts.
In an update to users in a blog post, LinkedIn director Vicente Silveira said:
It's important to know that compromised passwords were not published with corresponding email logins. At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves.
So far, he wrote, "we have no reports of member accounts being breached as a result of the stolen passwords. Based on our investigation, all member passwords that we believe to be at risk have been disabled."
The social networking site for professionals said Thursday it is working with the FBI to investigate how the theft occurred. LinkedIn had 161 million members worldwide, at the end of March, with 61 percent of them based outside the U.S.
Online dating site eHarmony and Internet radio site Last.fm were also dealing with password leaks last week.
Silveira said in Saturday's posting that that "those members whom we believed were at risk, and whose decoded passwords already had been published, had their passwords quickly disabled and were sent an email by the Customer Service team."
By the end of Thursday, he said. "all passwords on the published list" were disabled by LinkedIn, "regardless of whether or not the passwords were decoded. After we disabled the passwords, we contacted members with instructions on how to reset their passwords."
Pay attention if you do get an email from LinkedIn about resetting your password, and make sure it is from LinkedIn and not a phishing attempt, which will ask you to click on a link or cut-and-paste an enclosed URL in your Internet browser to confirm your email address.
As Silveira said June 6 in a blog post, "There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email."
If your password has not been disabled, based on its investigation so far, "we do not believe your account is at risk," wrote Silveira.
However, he said, it's a "good practice to change your passwords on any website you log into every few months. For that reason, we have provided information to all of our members via the LinkedIn Blog, as well as a banner on our homepage instructing members on how to change their passwords."
Silveira said LinkedIn has "built a world-class security team," and one of the company's "major initiatives was the transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords, i.e. provided an extra layer of protection that is a widely recognized best practice within the industry."
That transition, he wrote, was done before the news of the password theft became public. "We continue to execute on our security roadmap, and we’ll be releasing additional enhancements to better protect our members," he said. Some in the security field said last week they thought LinkedIn might have "hashed," but not "salted" their passwords.