Update: LinkedIn has confirmed that user passwords were stolen.
If you have a LinkedIn profile, go change your password right now: a reported 6.5 million hashed LinkedIn passwords have leaked onto the Web, and yours could be one of them. The leak consists of password hashes rather than the passwords themselves, but as the cracking numbers below show, that is little comfort.
Unfortunately for the professional social network (and its users), the massive security breach isn't the only bad news. The LinkedIn iOS app has also come under fire for sending users' full meeting notes and calendar details to the company in plain text, that is, unencrypted.
The two situations, while both linked to user security, are unrelated.
LinkedIn password leak
The massive password leak, first reported by Norwegian technology site Dagens IT and later confirmed by other security researchers, occurred two days ago, when someone posted the cache of password hashes to a "Russian hacker website" and asked other users to help crack them. The leak was confirmed by security expert Per Thorsheim, who spoke with Dagens IT and warned users of the breach via Twitter.
In a tweet, LinkedIn indicated that it is “currently looking into reports of stolen passwords,” and will update users shortly.
UPDATE: At approximately 8:30am PT, LinkedIn said on Twitter that its team “continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred.” For the most recent updates on the situation, follow the @LinkedInNews account on Twitter.
UPDATE 2: In a blog post, LinkedIn Director Vicente Silveira says that the company “is still unable to confirm that any security breach has occurred,” but recommends that users change their passwords while they continue their investigation. He also provides good advice for how to create a secure password.
At the time of this writing, some 300,000 of the 6.5 million hashes have been cracked, meaning the plaintext passwords of those users are now known to whoever holds the list, and their accounts (along with any other account where the same password was reused) are exposed to takeover. That number is sure to rise as more people take a stab at the list: a posted hash list can be attacked offline, so every guess is free and invisible to LinkedIn, and the weakest passwords fall first.
LinkedIn currently has more than 150 million users, so it is not guaranteed that your account is in the list, but it is prudent to assume it is. Breaches like this also bring a wave of phishing emails posing as breach notices from LinkedIn, so be wary of any message that appears to come from the network and do not follow its links. Instead, type the address into your browser, log in directly, and change your password there. If you use your LinkedIn password on other services, change those too, since they are exposed as well. Better still, stop reusing one password across accounts altogether; that habit is what turns one site's breach into many.
iOS app privacy concerns
Before news of the password leak landed on LinkedIn's doorstep early this morning, The Next Web reported that the service's iOS app for iPhone and iPad sends a variety of information, including meeting notes and other calendar details, to LinkedIn's servers in plain text, that is, without encryption. The information is only relayed if users have the calendar viewing feature enabled.
The potentially problematic practice of sending private data in plain text to LinkedIn’s servers was uncovered by Israeli security researchers Yair Amit and Adi Sharabani of Skycure Security.
LinkedIn has since responded to The Next Web report, confirming the practice, though the company says that it does not "store any calendar information on its servers," nor does it "share or use your calendar data for purposes other than matching it with relevant LinkedIn profiles." The company also said that it "will no longer send data from the meeting notes section of your calendar event," since that part of the practice troubled users the most. Email addresses, names, meeting subject, and location will still be sent to LinkedIn.
Updated with additional information at 8:30am PT and 11:15am PT.