Monday, June 11, 2012

Hackers Reportedly Access 6 Million LinkedIn Passwords

Hackers have managed to access more than 6 million LinkedIn passwords, according to data posted online.

As reported by The Verge, a user in a Russian forum uploaded 6,458,020 hashed passwords. It's unclear if usernames were involved.

"Our team is currently looking into reports of stolen passwords. Stay tuned for more," LinkedIn tweeted earlier today. Later, it said that its team "continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred."

As of March 2012, LinkedIn had about 161 million members, so the hack affects about 0.04 percent of the enterprise social network's users.

Meanwhile, as The Verge pointed out, the passwords were stored as unsalted SHA-1 hashes, which means hackers will still have to do a little work to get at the actual passwords.
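To see what "unsalted" costs the defender, here is an added illustration that is not part of the original article and is not LinkedIn's code: with unsalted SHA-1, accounts that share a password store the same digest, while a per-account salt with a slow key-derivation function does not. The account names, passwords and the PBKDF2 iteration count are constructed for this example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; none of these values come from the leaked data.
ACCOUNTS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "Tr0ub4dor&3"}
ROUNDS = 600_000  # assumed PBKDF2 work factor for this example


def weak_hash(password):
    """Unsalted SHA-1, the storage scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password, salt=None):
    """Per-account random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    return hmac.compare_digest(strong_hash(password, salt)[1], expected)


def reused_digests(stored):
    """Return stored values that appear for more than one account."""
    counts = Counter(stored.values())
    return {value: n for value, n in counts.items() if n > 1}


def compare_schemes(accounts=ACCOUNTS):
    """Count stored values shared between accounts under each scheme."""
    weak = {user: weak_hash(pw) for user, pw in accounts.items()}
    strong = {user: strong_hash(pw) for user, pw in accounts.items()}
    return len(reused_digests(weak)), len(reused_digests(strong))


if __name__ == "__main__":
    shared_weak, shared_strong = compare_schemes()
    print("digests shared between accounts, unsalted SHA-1:", shared_weak)
    print("digests shared between accounts, salted PBKDF2:", shared_strong)
```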

In a blog post, Sophos analyst Graham Cluley speculated that "hackers are [already] working together to crack them," and urged LinkedIn users to change their passwords immediately.

"Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals," Cluley continued.

Reports of the password hack came the same day that LinkedIn pledged to better secure its mobile calendar function. LinkedIn's calendar offering syncs with your device's calendar to serve up the LinkedIn profile of people you are about to meet.

To do that, certain information about your calendar events is sent to LinkedIn's servers. The company insisted that the data is "sent securely over SSL and we never share or store your calendar information," but recent reports about the process suggested that some users might not be comfortable with giving LinkedIn access to this data.

As a result, LinkedIn pledged to no longer collect information in the notes section of your calendar. The company will also add a "learn more" link to its calendar service with more information about how your data is used.

The updates are currently live on Android and should be rolled out to iOS "shortly," LinkedIn said.

A similar issue affected San Francisco-based startup Path earlier this year after a blogger discovered that the Path iPhone app was uploading users' entire address books, including full names, emails and phone numbers, without permission. Path later anonymized that data.

The problem was not limited to Path, however, prompting companies like Instagram and Twitter to update or clarify their policies. Two members of Congress penned a letter to Apple asking the company for more information about iOS apps that access users' contact lists.

For more from Chloe, follow her on Twitter @ChloeAlbanesius.