[UPDATE 2] LinkedIn has confirmed the security breach and invalidated the affected passwords. Users can reset their password to regain access to their accounts. Read the full story.[UPDATE] LinkedIn has tweeted an update on the situation from their end. They state that they have not been able to confirm a security breach. This could mean that LinkedIn simply hasn’t found any evidence yet, or it could mean that the hackers on the forum were mistaken that the hashes were LinkedIn passwords. More updates will follow.
Our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred. Stay tuned here.
The file was first leaked yesterday afternoon, and the first report of passwords being cracked came two hours later. The latest update on the forum, which is currently offline, brings the total number passwords that have been compromised to over 200,000. Weaker passwords are likely the ones that have already been compromised.
LinkedIn has acknowledged the password theft in a tweet from its official Twitter account:
Our team is currently looking into reports of stolen passwords. Stay tuned for more.
Though 6 million is only a fraction of LinkedIn’s more than 150 million members, it is still disconcerting that the leak has occurred. To LinkedIn’s credit, though, the passwords were hashed, meaning the company was taking reasonable precautions with regards to password security. Server security, on the other hand, is another matter. There is still the question of how the hash file was obtained in the first place.
We will continue to provide more information on the situation as it develops. There is no way to tell whether your password has been compromised short of searching through the passwords already leaked, but it certainly wouldn’t hurt users to change their password for LinkedIn, and for any other services using the same password.