The Verge broke news this morning that a Russian hacker has downloaded login credentials for almost 6.5 million LinkedIn accounts. To prove his claim, the hacker posted a list of the 6,458,020 hashed passwords on a Russian forum site. While there is currently no confirmation that usernames have also been stolen, security experts are saying it’s very likely. At this point, it’s been reported that about 200,000 of the hashed passwords have been cracked.
Update: LinkedIn has confirmed the theft of user data and has automatically changed the passwords associated with the leaked accounts. The LinkedIn blog provides further details.
Furthermore, users have reported via Twitter that they’ve found their own password on the list, making it all the more likely that the list is real.
We spoke with Mikko Hypponen, Chief Research Officer at F-Secure, who thinks this is “a real collection.” He told us he is “guessing it’s some sort of exploit on their web interface, but there’s no way to know. I am sure LinkedIn will fill us in sooner or later.” [The Verge]
Since we simply cannot confirm the legitimacy of the list, we’re recommending that users change their LinkedIn passwords immediately.
As we mentioned above, the passwords on the list were stored as unsalted SHA-1 hashes, not actual passwords. SHA-1 is a one-way hash function that turns a password into a fixed-length string of letters and numbers (40 hexadecimal characters). “SumRando” fed through SHA-1 becomes “ebc26281d960110b8111d3a78889b05fc50e0a8b”. Unfortunately, without salting (mixing a random per-user value into the password before hashing, so that identical passwords produce different hashes), the same password always yields the same hash, and it’s quite easy to recover the original passwords from the hashes using precomputed tables or brute-force guessing.
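To make the point concrete, here is an added example (not code from SumRando, LinkedIn or the original post) that shows why unsalted SHA-1 is weak as a password store: two users with the same password get the identical hash, which is what lets anyone with the list look a password up, and what let users on Twitter confirm their own password was in it. A salted hash differs per user, and a salted, iterated scheme (PBKDF2, via Python's standard `hashlib`) is the sensible replacement. The leaked-hash set is constructed for the demo; the function names are our own.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked list of unsalted SHA-1 hashes (not real data).
CONSTRUCTED_LEAK = {
    hashlib.sha1(b"abc").hexdigest(),
    hashlib.sha1(b"password1").hexdigest(),
}


def sha1_unsalted(password: str) -> str:
    """How the leaked LinkedIn hashes were produced: a single SHA-1 pass, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def password_in_leak(password: str, leaked_hashes: set) -> bool:
    """What users did to check themselves: hash your own password and look it up.
    This works only because the hashes are unsalted and therefore identical
    for everyone who chose the same password."""
    return sha1_unsalted(password) in leaked_hashes


def sha1_salted(password: str, salt: bytes) -> str:
    """Same algorithm with a per-user random salt mixed in first; the same
    password now yields a different hash for each user, so one precomputed
    table no longer covers the whole list."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = 100_000) -> str:
    """Recommended storage: random salt plus a slow, iterated hash.
    Stored as 'iterations$salt_hex$digest_hex' so verification can recover both."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("unsalted SHA-1 of 'abc':", sha1_unsalted("abc"))
    print("in constructed leak:", password_in_leak("abc", CONSTRUCTED_LEAK))
    print("salted, user 1:", sha1_salted("abc", b"salt-user-1"))
    print("salted, user 2:", sha1_salted("abc", b"salt-user-2"))
```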
According to LinkedIn’s Twitter feed, the company is not yet confirming the breach.