Password information for 6.5m members of business social network LinkedIn has been leaked, it’s been alleged, with Russian hackers supposedly crowd-sourcing help in cracking the hashes. Although the unsalted SHA1 password hashes revealed do not come with the matching usernames at present, Dagens IT and Per Thorsheim report, it’s possible the hackers are holding off on revealing those so that they can make private use of any unofficial access.
LinkedIn currently has in excess of 150m registered users, according to its own figures from earlier this year, so the leaked batch of hashed passwords doesn’t represent the entire user-base. However, there are signs that the leak is indeed genuine; according to Thorsheim, there have been several confirmations from users checking their password and SHA1 record.
It’s been a tough week for LinkedIn, with reports that the company’s new mobile calendar app transmitted full meeting notes and other data from the iOS agenda in plain text, an obvious security blip. The company swiftly moved to update its apps, minimizing the information sent to its servers, and introducing more SSL encryption. The updated Android app has already hit the Play Market, with the amended iOS version waiting for Apple’s own approval.
This leak could be even more damaging to LinkedIn’s reputation, and the company will need to move fast to reassure its users that their data is safe. We’re waiting on a comment from LinkedIn and will update when we know more.