LinkedIn confirmed on Wednesday that passwords were indeed stolen by a hacker. The confirmation came after a Russian forum user reportedly hacked into LinkedIn and uploaded 6,458,020 passwords (without usernames) as proof. The passwords were not encrypted but hashed with SHA-1, a cryptographic hash function that is also used in SSL and TLS.
"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," the company said Wednesday night. "We are continuing to investigate this situation."
LinkedIn users will know that they were on the hacker's list when trying to log in, as their password will no longer be valid. These members will also receive an email from LinkedIn with instructions on how to reset their passwords -- there will not be any links in this email. Affected users will also receive an email from the Customer Support team providing "more context on this situation and why they are being asked to change their passwords."
"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," the company said.
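As an added illustration, not code from the article or from LinkedIn, the following contrasts the bare SHA-1 storage described above with the hashing-and-salting the company says it has since put in place. The account names and passwords are constructed, and PBKDF2-HMAC-SHA256 is an assumed choice of slow, salted hash; the article does not say which scheme LinkedIn adopted.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data: three accounts, two of which chose the same password.
# Illustrative values only, not entries from the leaked lists.
SAMPLE_USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3"}


def sha1_unsalted(password: str) -> str:
    """The storage scheme the article describes: a bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_hash_groups(users: dict) -> list:
    """Digests that more than one account shares under unsalted SHA-1.
    With no salt, equal passwords give equal hashes, so a single match against
    a common password (or a precomputed table) covers every account that chose it."""
    counts = Counter(sha1_unsalted(pw) for pw in users.values())
    return [digest for digest, n in counts.items() if n > 1]


def make_salted_record(password: str, salt: bytes = None, iterations: int = 600_000) -> dict:
    """Salted, iterated storage: a fresh random salt per account plus a slow
    key-derivation function (PBKDF2-HMAC-SHA256, an assumed choice), so every
    guess must be recomputed per account and costs far more than one SHA-1."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit per-user salt, stored next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    print("unsalted SHA-1 digests shared by several accounts:", shared_hash_groups(SAMPLE_USERS))
    records = {name: make_salted_record(pw) for name, pw in SAMPLE_USERS.items()}
    # alice and bob share a password, yet their stored records differ.
    print("salted hashes identical for alice/bob:", records["alice"]["hash"] == records["bob"]["hash"])
    print("alice verifies with correct password:", verify_salted("linkedin", records["alice"]))
```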
BusinessWeek reports that the Irish Data Protection Commissioner’s Office may start an investigation into LinkedIn's data breach. Gary Davis, Ireland’s deputy data-protection commissioner, said that the incident falls within the area that can be investigated under the agency’s code of practice on data breaches. Irish privacy regulators could even stick LinkedIn with a hefty fine over the password fiasco.
"We are in ongoing contact with LinkedIn in relation to the matter," Davis said in an e-mail. "I am not in a position to indicate how we will be progressing."
Meanwhile, the same hacker that stole the LinkedIn passwords -- aka "dwdm" -- also hacked into online dating site eHarmony, running off with 1.5 million passwords and posting them online at insidepro.com in a second list. As with the LinkedIn leak, usernames were not attached to the passwords, but it's assumed that the information is available to the hackers who obtained the list, and possibly available to others on underground forums.
As with LinkedIn, eHarmony wouldn't verify the actual number of passwords stolen or how the hacker gained access to the information. "After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected. We are continuing to investigate," the company said in a blog post.
eHarmony has followed LinkedIn's lead and reset the passwords of affected accounts. It also provided a list of steps users should take to secure their accounts, such as creating a stronger password that mixes letters, numbers and symbols; changing the password every few months; and not using the same password for every website.
On Thursday, security researcher Adi Sharabani said that LinkedIn's security breach should be a wake-up call for a social website that has quietly grown popular over the last few years. The company should look carefully at how its data is protected, what data it collects and how that all matches up with its terms of service.
"Sometimes a security issue is what’s needed for a company to take extremely seriously safety, security and privacy," Nigam told the Washington Post.