Skip to main content

LeakedIn: Hacker Posts 6.4 Million LinkedIn Passwords

The encrypted LinkedIn passwords of more than 6.4 million users have hit the Web after a reported hack, an incident that comes on the heels of another slip-up involving the company's insecure mobile app.

The file containing 6,458,020 LinkedIn passwords appeared on a Russian Web forum; researchers from the security firm Sophos confirmed that the file does contain user passwords of Sophos staffers. (Scroll to the end of this story to learn how to check for your own password.)

All of the passwords are encrypted, but the encryption algorithm used is relatively weak and it appears thousands of passwords have already been cracked.

No associated email addresses appear in the file, but as Sophos' Graham Cluley says, "It is reasonable to assume that such information may be in the hands of the criminals."

[What Identity Thieves Want From a Data Breach]

LinkedIn, which has more than 150 million users, has not issued a formal statement. In a Twitter post this morning (June 6) from its @LinkedIn feed, the company wrote, "Our team is currently looking into reports of stolen passwords. Stay tuned for more."

In a tweet sent two hours later, LinkedIn wrote, "Our team continues to investigate, but at this time, we're still unable to confirm that any security breach has occured."

Marcus Carey, security researcher at the firm Rapid7, recommends everyone immediately change their LinkedIn password.

"By all indications it doesn't appear LinkedIn has contained the compromised yet, so everyone should be aware that they may have to change their passwords multiple times," Carey told SecurityNewsDaily. "You should still go ahead and change it straight away, but you may have to change it for a second time if it turns out the attackers are still entrenched in LinkedIn's systems."

It's also important to be aware of suspicious emails in the next few days that claim to be from LinkedIn. Phishing scams will invariably pop up in an attempt to trick you into entering a new password on a site that looks like LinkedIn, but is actually a clever spoof. When you change your LinkedIn login details, do it directly on LinkedIn's site and not from a link in an email.

Bad day for LinkedIn

Unfortunately for LinkedIn, the password leak is not the least of its problems.

LinkedIn was forced today to update its mobile app to fix a flaw that transmitted the details of users' calendar entries — including meeting locations, participants, meeting notes and passwords — back to LinkedIn's servers without their knowledge.

The update came after researchers from Israel-based Skycure Security uncovered the flaw, prompting LinkedIn to take quick action to fix the problem.

In a blog post today, LinkedIn's Joff Redfern addressed the issue, explaining that the calendar-sharing service is, and will continue to be, an opt-in feature users can turn off at any time.

The information is sent over a secure SSL connection, Redfern said, and none of it is stored on LinkedIn's servers or shared "for purposes other than matching it with relevant LinkedIn profiles."

Redfern added that, in light of Skycure Security's discovery, LinkedIn will "no longer send data from the meeting notes section of your calendar event."

The changes have been made on Android, and will be available shortly for Apple devices.

About the calendar feature in question, Redfern stressed, "It's a great feature. We hope you try it out. If at any time you decide it's not for you, then you can always go to the mobile apps setting page to turn [it] off."

Checking your LinkedIn password

If you'd like to check whether your password is on the list of stolen passwords, you can download the huge 118-megabyte file from the Russian Yandex site here. You'll probably need a tough text editor to open the whole thing; alternately, try Microsoft Word.

Then you'll need to search for your LinkedIn password's SHA-1 hash. Plug your password into the online SHA-1 hash generator at Copy the output and search for it in the file.

If you don't get a result right away, clip the first five digits from the hash and search again. Whoever uploaded the LinkedIn password list replaced the first five digits of every hash that's already been hacked with five zeroes.

For example, the hash for "password" is "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8." On the list, it appears as "000001e4c9b93f3f0682250b6cf8331b7ee68fd8," indicating that it's already been cracked.

If you do both and find nothing, your LinkedIn password isn't on the list. But you should change it anyway.

Article provided by SecurityNewsDaily, a sister site to