
6.5 Million Encrypted LinkedIn Passwords Leaked Online

On Tuesday Skycure Security reported that LinkedIn's iOS app quietly sends users' calendar entries to LinkedIn's servers. The collected data includes the list of meetings, each meeting's subject, location and time, and the personal notes attached to meetings. The notes are the worrying part: they often contain sensitive details such as conference-call dial-in numbers and passcodes.

"If you have decided to opt-in to this calendar feature in iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every time you open your LinkedIn app," the company said in a blog. "Every time you launch LinkedIn's app for iPhone, it automatically sends out all of your calendar entries for a five-day time frame. The meetings information is being collected from all the calendars on the iOS machine, thus possibly exposing information from both personal and corporate calendar accounts."

LinkedIn later responded to the report, listing what its iOS app does and does not do with calendar data and what it intends to change. LinkedIn stated that the app asks the user for permission before accessing the calendar and that the feature will remain opt-in. It also confirmed that calendar data is sent to LinkedIn servers over an SSL connection each time the iOS app is launched, "to be matched with relevant LinkedIn profiles of meeting attendees."

"In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles," the company said on Wednesday. "That information is sent securely over SSL and we never share or store your calendar information."

"In an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes," LinkedIn added.

Adding to LinkedIn's stressful day, separate reports claim that a user of a Russian forum has hacked LinkedIn and uploaded 6,458,020 password hashes (without usernames) as proof. The passwords are not encrypted but hashed with SHA-1, a one-way function: there is no key to recover, so an attacker instead guesses. Because SHA-1 is fast to compute, a large wordlist can be hashed and every result checked against the entire dump in one pass; unless a per-user salt was used, which nothing in the reports indicates, the weak passwords in such a file fall out almost immediately.

There's a possibility that the leak is just a hoax, but several messages spotted on Twitter indicate it's the real deal; even Mikko Hypponen, Chief Researcher at F-Secure, believes it's a "real collection." There's also speculation that the hack was accomplished using some kind of exploit in LinkedIn's web interface.

"Our team is currently looking into reports of stolen passwords. Stay tuned for more," LinkedIn said on Wednesday.

Additional details regarding the hack are expected to arrive shortly.

  • velocityg4
    Yet another reason to steer clear of cloud anything. I'm just waiting for some leak where all the personal documents, pictures, financials, &c stored on cloud servers (such as Google Docs, iCloud or Dropbox) are compromised. Perhaps by some hacker getting a back door, perusing and downloading sensitive info from millions of users for weeks on end.

    Given that they can reset the password, the info must be inherently insecure. If everything was encrypted by password then a reset would be impossible.
    Reply
  • hoof_hearted
    You can always google the SHA-1 hash of your favorite password and that will give you some indication if it has been leaked.
    Reply
  • jhansonxi
    I rarely use LinkedIn anymore. Too much spam.
    Reply
  • captaincharisma
    never heard of it
    Reply
  • punahou1
    They need to credit all users with several months of free service. This is unacceptable.
    Reply
  • curiosul
    iOS only?
    That's weird ...
    Reply
  • eddieroolz
    LinkedIn, and all other companies need to work a lot more on security.
    Reply
  • rantoc
    Yeah, the cloud idea is awesome. Collect EVERYONE'S data at ONE site so the hackers won't have to hack several systems that are only available when turned on. Rather have it collected just waiting for pickup at a data center that's available 24/7. Frankly, no system is completely secure and until that day any sane person would not store any important data in the cloud!
    Reply
  • carstorm
    I use that site. The bad part is, as the cloud becomes more insecure, we depend on it more.
    Reply
  • hoof_hearted
    You'd be surprised at how many of your passwords' SHA-1 hashes can be found on Google.

    password (5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8) 7340 results
    1234 (7110eda4d09e062aa5e4a390b0a572ac0d2c0220) 1290 results
    Hello World (0a4d55a8d778e5022fab701977c5d840bbc486d0) 226 results

    I used http://www.digitalsecurityexperts.com
    Reply
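The hash-and-compare step behind both the article's 6.4 million SHA-1 password hashes and hoof_hearted's suggestion of googling the SHA-1 of your own password, as an added example (not code from the article, from LinkedIn, or from any commenter). The leaked set, the wordlist and the PBKDF2 iteration count are constructed for illustration; the three fixed digests are the ones quoted in the comment above. It shows why a dump of plain SHA-1 hashes is cracked in a single pass over a wordlist, how to check your own password against such a dump locally, and how a per-user salt plus an iterated KDF changes the attacker's cost.

```python
from __future__ import annotations

import hashlib
import hmac
import os


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, the form the leaked file is reported in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked file: hashes only, no usernames, no salt.
# The first three digests are the ones the commenter lists for "password",
# "1234" and "Hello World"; the last belongs to a passphrase that is not in
# the wordlist below, so it should survive the attack.
LEAKED_SHA1 = {
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",  # password
    "7110eda4d09e062aa5e4a390b0a572ac0d2c0220",  # 1234
    "0a4d55a8d778e5022fab701977c5d840bbc486d0",  # Hello World
    sha1_hex("correct horse battery staple"),
}

# Constructed mini wordlist; a real attack uses tens of millions of entries.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "1234", "Hello World", "letmein"]


def crack_unsalted(leaked: set[str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed once and looked up against *all* leaked hashes at
    the same time, so the cost is len(wordlist) hash computations no matter how
    many hashes leaked. Returns (hash -> plaintext, number of hashes computed).
    """
    cracked: dict[str, str] = {}
    computed = 0
    for candidate in wordlist:
        computed += 1
        digest = sha1_hex(candidate)
        if digest in leaked:
            cracked[digest] = candidate
    return cracked, computed


def password_in_leak(password: str, leaked: set[str]) -> bool:
    """Local version of the 'google your hash' check: hash and compare here,
    without handing the hash of a live password to a search engine."""
    return sha1_hex(password) in leaked


# Defensive contrast: per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
# The iteration count is an assumed value for illustration, not any vendor's setting.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def crack_salted(records: list[tuple[bytes, bytes]], wordlist: list[str]) -> tuple[list[str], int]:
    """The same dictionary attack against salted, iterated hashes.

    The salt differs per record, so every candidate must be re-derived per
    record: up to len(wordlist) * len(records) KDF runs, each ITERATIONS times
    slower than one SHA-1. Returns (plaintexts recovered, KDF runs performed).
    """
    cracked: list[str] = []
    computed = 0
    for salt, stored in records:
        for candidate in wordlist:
            computed += 1
            if verify_password(candidate, salt, stored):
                cracked.append(candidate)
                break
    return cracked, computed


if __name__ == "__main__":
    found, runs = crack_unsalted(LEAKED_SHA1, WORDLIST)
    print(f"unsalted SHA-1: {len(found)}/{len(LEAKED_SHA1)} cracked with {runs} hash computations")
    print("'password' appears in the dump:", password_in_leak("password", LEAKED_SHA1))
    records = [hash_password(p) for p in ("password", "1234", "correct horse battery staple")]
    found_salted, runs = crack_salted(records, WORDLIST)
    print(f"salted PBKDF2: {len(found_salted)}/{len(records)} cracked with {runs} KDF runs")
```

The unsalted attack touches the whole dump with one hash per candidate, which is also why a search engine can answer the commenter's query: the digest of a common password is the same everywhere it was ever stored. With a salt, that precomputation is worthless and the attacker pays per record and per candidate; the iteration count then sets how expensive each guess is.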