LinkedIn Defends Its Password Leak ResponseBy: Sean Patterson - June 11, 2012
Over 6.4 million LinkedIn member passwords were leaked to a hash-cracking forum last week, causing LinkedIn members to worry about the site’s security. As the week went on, the scope of the leak grew to encompass both eHarmony and Last.fm. Though LinkedIn Director Vicente Silveira has already outlined LinkedIn’s response to the leak, he took to the LinkedIn Blog again over the weekend to further clarify and explain how the company reacted to the incident. LinkedIn has understandably been receiving some very pointed questions from members, and Silveira uses his latest post to answer them. From the blog post:
First, it’s important to know that compromised passwords were not published with corresponding email logins. At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves.
Silveira announced that LinkedIn is now working closely with the FBI to catch those responsible for the password therft. He reiterated a point he made in a blog post on Friday, saying that the company has received no reports of any accounts being breached.
When LinkedIn learned of the leaked passwords, it first sought to confirm that the passwords were actually from its members. Once it had, it immediately began to disable the accounts of those members whose passwords had already been cracked. After that, all member accounts that were part of the leak were disabled. Only after all of that was done were the emails sent out to users explaining how to reset their passwords.
Silveira stated that an initiative has been underway at LinkedIn to implement greater password security by salting its database of hashed passwords. Evidently, this process had already completed by the time news broke of the leaked passwords. Silveira announced that LinkedIn will be releasing “additional enhancements” in the future.