By Jeremy C. Owens, San Jose Mercury News
SAN JOSE, Calif. — LinkedIn admitted Wednesday that a hacker managed to steal millions of users’ passwords and post them to the Web, leading the Mountain View, Calif., professional-networking service to lock up accounts with stolen passwords.
A user uploaded almost 6.5 million passwords to a Russian Web forum, claiming that they were from LinkedIn. While the list that was uploaded to the forum did not include user names, that does not necessarily mean whoever managed to extract the passwords did not also obtain the corresponding email addresses that match those accounts.
After investigating for most of the day Wednesday, LinkedIn Director Vicente Silveira confirmed in a blog post “that some of the passwords that were compromised correspond to LinkedIn accounts.”
Customers whose passwords were verified as stolen will immediately have their passwords invalidated, Silveira wrote, and will receive an email with instructions on how to reset them.
Those account holders will also receive a second email from the company’s customer service team with further explanation and details, Silveira wrote.
“We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously,” he concluded.
The uploaded passwords are encrypted, and the hacker who uploaded them was reportedly seeking assistance in unlocking them. But the British Web security consultant who originally detailed the posted passwords said an investigation showed the passwords to be legitimate, and suggested that LinkedIn customers change their passwords immediately.
The consultant, Graham Cluley of web security company Sophos, wrote in his original blog post that “although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals.”
Some users also reported on Twitter that they had found their encrypted, or “hashed,” passwords on the list.
Marcus Carey, a security researcher at Boston-based Rapid7, told Reuters he was “highly confident” that hackers had wormed their way inside LinkedIn’s network for several days, based on his analysis of the data posted on the forums.
“While LinkedIn is investigating the breach, the attackers may still have access to the system,” Carey warned. “If the attackers are still entrenched in the network, then users who have already changed their passwords may have to do so a second time.”
LinkedIn claimed more than 161 million users at the end of its most recent quarter, on March 31, and said at the time that two new members were signing up every second.