It has been a tough 24 hours for LinkedIn.
First they were accused of storing users’ potentially confidential private and business information on the company servers without their knowledge, and then it has been discovered that a batch of what are allegedly the LinkedIn passwords of some 6.5 million users was published on a Russian forum.
The passwords in question are in hashed form, and the individuals who made them available for download have asked for help in cracking them.
Various security firms have jumped to the task, and all of them have confirmed that among the passwords there are many that contain the word “linkedin”, so the leak seems genuine.
Some Twitter users have searched the batch for their own hashed passwords and have found them (or those of their friends), confirming that assumption.
As pointed out by Eduard Kovacs, even though the batch contains only passwords, it is extremely likely that the individuals behind the leak have the usernames (email addresses) that go with them.
LinkedIn is still investigating and has yet to confirm the genuineness of the leak, but LinkedIn users would do well to change their passwords immediately just in case, and to do so on any other account where they might have used the same password or login credential combination.
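The two steps described above, looking yourself up in a published batch of hashes and then finding every other account that reuses the same password, can be scripted. The following is an added example and not code from the article or from any of the firms it mentions. It assumes the batch is a plain list of unsalted SHA-1 hex digests, one per line (the article does not name the hash algorithm; unsalted SHA-1 is an assumption made here for illustration), and the sample dump it parses is constructed inline, not taken from the real leak. The point it makes is the defensive one: with no per-user salt, everyone who chose the same password has the identical digest, so a simple text search finds you, and finds anyone else who reused that password elsewhere.

```python
import hashlib
import re

# A SHA-1 hex digest is exactly 40 lowercase hex characters.
HEX_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def hash_password(password: str) -> str:
    """Hash a password the way the (assumed) unsalted SHA-1 batch was built.

    With no per-user salt, identical passwords always yield identical
    digests, which is why a plain lookup in the batch works at all.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def parse_hash_batch(text: str) -> set:
    """Read one hex digest per line; normalise case, skip blanks and junk."""
    batch = set()
    for line in text.splitlines():
        candidate = line.strip().lower()
        if HEX_SHA1.match(candidate):
            batch.add(candidate)
    return batch


def password_in_batch(password: str, batch: set) -> bool:
    """True if this password's digest appears in the leaked batch."""
    return hash_password(password) in batch


def accounts_needing_reset(accounts: dict, batch: set) -> list:
    """Names of all accounts whose password appears in the batch.

    Mirrors the advice to reset not only LinkedIn but every other
    account where the same password was reused.
    """
    return [name for name, pw in accounts.items() if password_in_batch(pw, batch)]


# Constructed sample batch (not the real dump): a few digests plus the kind
# of noise a forum paste carries. Built here by hashing known strings so the
# example is self-contained.
SAMPLE_DUMP_TEXT = "\n".join([
    hash_password("linkedin"),
    hash_password("linkedin2012"),
    hash_password("ilovelinkedin").upper(),  # mixed case, still matched
    "",                                       # blank line, skipped
    "not a hash at all",                      # junk line, skipped
])
SAMPLE_BATCH = parse_hash_batch(SAMPLE_DUMP_TEXT)

if __name__ == "__main__":
    # Hypothetical account list: the same password reused on two services.
    my_accounts = {"linkedin": "linkedin", "mail": "linkedin", "bank": "Tr0ub4dor&3"}
    print("in batch:", password_in_batch("linkedin", SAMPLE_BATCH))
    print("reset these accounts:", accounts_needing_reset(my_accounts, SAMPLE_BATCH))
```

Run against a real file, `parse_hash_batch` would simply be fed the file's contents; everything else stays the same, which is the practical lesson of an unsalted dump.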
“The difference with this hack, as opposed to many others, is that people put their REAL information about themselves professionally on the site, not just what party they plan on attending, à la Facebook and others. And every time one of your LinkedIn contacts updates their profile, you get updates from LinkedIn showing what’s happening. This has the aggregate effect of garnering a form of peer review on what you post about yourself, knowing that it is exposed potentially to those business or career contacts that have a direct impact on your life. In other words, mess with somebody’s professional profile, and you’re messing with their life, and their contacts know about it.”
“The bigger question is what is the aggregate value of this level of business intelligence about an individual, let alone a whole business sector? This is the kind of information that advertisers and bad actors alike drool over. If, for example, you knew your competitors were losing staff at a rapid pace, it might affect a merger/acquisition negotiation, potentially swinging the value of the deal significantly. Also, since LinkedIn can be used as a sort of timeline of a user’s REAL history, there are deep stacks of historic business intelligence that can be garnered.”