Earlier this morning, The Verge reported that a user in a Russian forum had obtained nearly 6.5 million passwords from the business networking site LinkedIn. The passwords, which didn’t include attached usernames and were encrypted according to the reports, don’t seem to be in immediate danger of being used to compromise accounts. Security experts are nonetheless advising LinkedIn users to change their passwords as soon as possible.
Beyond this individual breach, LinkedIn has a bigger problem to face: how did this information get out into the open and how do they respond in order to calm possible fears of uploading any sensitive information to the company’s site?
While there are some personal details on LinkedIn, most of what users store on there is intended to be public information. Still, having access to contacts that a hacker could use for phishing attempts as well as a password that a user might frequently use is bad enough. And for customers who pay to use the site (either with a premium account or through the purchase of job posting and advertising), somebody being able to access user accounts and passwords might be able to access that information as well.
As of this writing, LinkedIn’s official PR account has yet to confirm the breach, saying:
Our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred. Stay tuned here.
— LinkedIn News (@LinkedInNews) June 6, 2012
LinkedIn is one of the top sites that recruiters use to find talent. As of March 31st of this year, the site had over 161 million accounts. Using that figure, the reported compromise of over 6 million passwords would constitute less than 5% of the LinkedIn user population.