LinkedIn: 6.5 million encrypted passwords leaked as iOS app comes under fire [Update: LinkedIn confirms breach]

Update: LinkedIn has confirmed that user passwords were stolen.

If you have a LinkedIn profile, go change your password right now: A reported 6.5 million hashed and otherwise encrypted LinkedIn passwords have leaked onto the Web. And yours could be one of them.

Unfortunately for the professional social network (and its users), the massive security breach isn’t the only bad news. The LinkedIn iOS app has also come under fire for sending users’ full meeting notes and calendar details to the company in insecure plain text.

The two situations, while both linked to user security, are unrelated.

LinkedIn password leak

The massive password leak, first reported by Norwegian technology site Dagens IT and later confirmed by other cybersecurity experts, occurred two days ago, when someone posted the cache of encrypted passwords to a “Russian hacker website.” The poster asked that other users help decrypt the passwords. The leak was confirmed by security expert Per Thorsheim, who spoke with Dagens IT, and warned users of the breach via Twitter.

In a tweet, LinkedIn indicated that it is “currently looking into reports of stolen passwords,” and will update users shortly.

UPDATE: At approximately 8:30am PT, LinkedIn said on Twitter that its team “continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred.” For the most recent updates on the situation, follow the @LinkedInNews account on Twitter.

UPDATE 2: In a blog post, LinkedIn Director Vicente Silveira says that the company “is still unable to confirm that any security breach has occurred,” but recommends that users change their passwords while they continue their investigation. He also provides good advice for how to create a secure password.

At the time of this writing, some 300,000 of the 6.5 million encrypted passwords have been cracked, meaning those users are now vulnerable to a variety of attacks. But that number is sure to rise as more hackers take a stab at the list.

LinkedIn currently has more than 150 million users, so it’s not guaranteed that your account is compromised, though it would be prudent to assume as much. Furthermore, breaches like this often result in a wave of scam emails, posing as messages from LinkedIn about the breach, so be wary of any emails that appear to have come from the social network. It’s best to simply log into the site directly by typing the address into your browser, and change your password from there. And if you use your LinkedIn password across multiple services, be sure to change those passwords too, as they could also be compromised. In fact, you should stop using the same password for multiple accounts altogether — that’s a big security no-no.

iOS app privacy concerns

Before news of the password leak landed on LinkedIn’s doorstep early this morning, The Next Web reported that the service’s iOS app for iPhone and iPad sends a variety of information, including meeting notes and other details, to LinkedIn’s servers in plain text, an insecure data transfer method. The information is only relayed if users have the calendar viewing feature enabled.

The potentially problematic practice of sending private data in plain text to LinkedIn’s servers was uncovered by Israeli security researchers Yair Amit and Adi Sharabani of Skycure Security.

LinkedIn has since responded to The Next Web report, confirming the practice, though the company says that it does not “store any calendar information on its servers,” nor does it “share or use your calendar data for purposes other than matching it with relevant LinkedIn profiles.” The company also said that it “will no longer send data from the meeting notes section of your calendar event,” given that this part of the practice seemed the most troublesome to users. Email addresses, names, meeting subject, and location will still be sent to LinkedIn.

Updated with additional information at 8:30am PT and 11:15am PT.
