It has been almost a week since over 6.4 million LinkedIn password hashes were leaked to a hash-cracking website, and although eHarmony and Last.fm turned out to be part of the same leak, the discussion has remained centered on LinkedIn. Vicente Silveira, a director at LinkedIn, has been the company’s spokesperson throughout the week, posting situation updates to the official LinkedIn Blog, but the company had not released an official statement until today. The statement summarizes LinkedIn’s actions following the leak and emphasizes the company’s commitment to its members’ privacy and security.
LinkedIn states that the company has been working “around the clock” since learning of the leak one week ago. It first investigated whether the posted hashes did in fact belong to its members. After confirming that they did, LinkedIn disabled the accounts of members whose hashed passwords had already been cracked and published. By the end of June 7, all member accounts associated with the leak, cracked or not, had been disabled, and an email was sent to those members explaining how to reactivate their accounts. The company emphasizes that the login email addresses for the affected accounts were not leaked along with the password hashes.
Though it is still not clear how the hashed passwords were obtained in the first place, LinkedIn does describe them as “stolen.” Ganesh Krishnan, Yahoo’s former chief information security officer (CISO), has for over a year served as LinkedIn’s security czar, a position that serves the same function as a CISO. His team has completed a planned security upgrade that increases password security by salting LinkedIn’s hashed passwords: a random per-password value is mixed in before hashing, so two members with the same password no longer share a hash, and an attacker can no longer test one guess against every leaked hash at once or reuse precomputed tables. The company stated that it is implementing further security upgrades, but for security reasons did not disclose what those are.
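To make the difference concrete, the following is an added example, not code from LinkedIn or from the original article. It builds a tiny password table two ways, as a fast unsalted hash (SHA-1 is assumed here purely for illustration; the article does not name LinkedIn’s algorithm) and as a per-user salted hash run through a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256, an addition of this example beyond what the article describes), then runs the same small wordlist attack against both and counts how many hash computations the attacker needs. The member passwords and wordlist are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the real leak): a few members' plaintext
# passwords and a tiny cracking wordlist.
MEMBER_PASSWORDS = {
    "alice": "linkedin",
    "bob": "123456",
    "carol": "linkedin",    # same password as alice
    "dave": "Tr0ub4dor&3",  # not in the wordlist
}
WORDLIST = ["password", "linkedin", "123456", "letmein", "qwerty"]

# Assumed weak scheme: one fast, unsalted hash per password.
def unsalted_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

# Assumed stronger scheme: per-user random salt plus a slow KDF.
# The iteration count is a choice made for this example.
PBKDF2_ITERATIONS = 100_000

def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS).hex()

def build_unsalted_table(passwords: dict) -> dict:
    """user -> hex hash, as a site without salting would store it."""
    return {user: unsalted_hash(pw) for user, pw in passwords.items()}

def build_salted_table(passwords: dict) -> dict:
    """user -> (salt, hex hash); each user gets a fresh 16-byte salt."""
    table = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        table[user] = (salt, salted_hash(pw, salt))
    return table

def shared_hash_groups(hashes: dict) -> list:
    """Groups of users whose stored hashes are identical (leaks password reuse)."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(g for g in by_hash.values() if len(g) > 1)

def crack_unsalted(table: dict, wordlist: list):
    """Hash each candidate once and look it up against every leaked hash.
    Returns (recovered passwords, number of hash computations)."""
    by_hash = {}
    for user, h in table.items():
        by_hash.setdefault(h, []).append(user)
    recovered, work = {}, 0
    for candidate in wordlist:
        work += 1
        for user in by_hash.get(unsalted_hash(candidate), []):
            recovered[user] = candidate
    return recovered, work

def crack_salted(table: dict, wordlist: list):
    """With per-user salts the attacker must redo every guess for every
    user; each guess also costs a full slow KDF run."""
    recovered, work = {}, 0
    for user, (salt, h) in table.items():
        for candidate in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(candidate, salt), h):
                recovered[user] = candidate
                break
    return recovered, work

if __name__ == "__main__":
    unsalted = build_unsalted_table(MEMBER_PASSWORDS)
    print("unsalted:", crack_unsalted(unsalted, WORDLIST),
          "duplicates:", shared_hash_groups(unsalted))
    salted = build_salted_table(MEMBER_PASSWORDS)
    print("salted:  ", crack_salted(salted, WORDLIST),
          "duplicates:", shared_hash_groups({u: h for u, (s, h) in salted.items()}))
```

Against the unsalted table the attacker needs only one hash per wordlist entry, however many members are in the dump, and alice and carol are visibly using the same password. Against the salted table every guess has to be repeated per member, no two stored values match, and the slow KDF makes each guess far more expensive than a single SHA-1 call. Salting alone does not rescue a member whose password is in the wordlist, which is why a slow, salted hash rather than salting by itself is the usual recommendation.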
From the LinkedIn statement:
We are profoundly sorry for this incident. Member security is vitally important to us, and transparency is a priority as well. We will provide further updates as warranted by any new developments.
This appears to be LinkedIn’s definitive statement on the password leak. The company will most likely settle back into a business-as-usual routine over the coming days while continuing to investigate how the hashes were taken. Its blogs are already functioning as normal: yesterday it posted tips for navigating office gossip to the official LinkedIn Blog.