LinkedIn representatives have confirmed that at least some of the 6.5 million passwords that have been leaked on a Russian forum correspond to their users’ accounts. However, the company hasn’t been able to find any signs of a breach.
LinkedIn has taken immediate steps to remove the risks caused by the incident. First of all, the passwords of affected members have been made invalid.
As a result, impacted users will receive notifications containing instructions on how to reset their passwords. One observation that must be made is that these emails will not contain any links.
Once the steps are completed, a second message will be received containing the password reset link.
It’s important that LinkedIn customers take note of this to avoid potential phishing campaigns that might leverage the incident.
Users whose passwords show up in the data dump will receive an additional email in which they’ll be informed on why they’re being asked to make the changes.
“It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases,” Vicente Silveira, a director at LinkedIn, wrote
However, that’s not the end of it. Security firm Imperva claims that the actual number of passwords obtained by the cybercriminals may be much higher than 6.5 million.
Experts believe that the individual who posted the hashes has left out the “easy” ones that he could decrypt himself and made available only the more complex ones for which he needed help to crack.
Another clue which indicates that the number of passwords might exceed the 6.5 million limit is that most of them are listed only once.
“In other words, the list doesn’t reveal how many times a password was used by the consumers. This means that a single entry in this list can be used by more than one person,” Imperva’s Rob Rachwald explains
Once again, we urge all LinkedIn customers to change the passwords that they've used to guard their social media account.