The professional network LinkedIn was reportedly hacked this morning, leaving 6,458,020 hashed passwords floating around on the Internet for all to see. At this point usernames have not been disclosed, but it is believed that they were downloaded at the same time, and that they, too, could be published at any time.
The news was posted to a Russian forum earlier today, and initially many believed it was a hoax. However, users have been reporting on Twitter that they have discovered their LinkedIn passwords as hashes on the list.
Mikko Hypponen, Chief Research Officer at F-Secure, believes the list is indeed “a real collection.” He told The Verge that he is “guessing it’s some sort of exploit on their [LinkedIn's] web interface, but there’s no way to know. I am sure LinkedIn will fill us in sooner or later.”
It’s worth stressing that there’s really no need to panic at this point, because it’s not like anyone can access your LinkedIn account details. All of the passwords are hashed with SHA-1, which, although not foolproof, will take a lot of time to crack. And of course, even once that is done, there are no usernames to marry these passwords up to at this point.
Having said that, it is recommended that you change your password as soon as possible just in case the situation changes.
LinkedIn promises it is investigating the reports this morning.
Update: LinkedIn issued the following statement via Twitter on Wednesday morning: “Our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred. Stay tuned here.”
[via The Verge]