LinkedIn Cops to Password Breach, Downplays Disaster

Yesterday, there were rumors aplenty that around 6.5 million LinkedIn passwords were stolen and posted on a Russian hacker forum, where the poster presumably was looking for some help decrypting them. LinkedIn, by way of a blog post by CEO Vicente Silveira, has confirmed that at least some of the leaked passwords belong to LinkedIn accounts.

Here’s what LinkedIn is doing to solve the issue:

So if you find that your LinkedIn account’s password doesn’t work today, there’s a good chance your password is being handled by some Russian hackers and that you should be expecting an email from LinkedIn.

Silveira’s post is artful in its evasiveness; he says that “some of the passwords that were compromised correspond to LinkedIn accounts”, but he doesn’t say how many. Does “some” mean 6.4 million or 20,000?

Later in the post, he takes a moment to plug LinkedIn’s new security measures for passwords: “It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.”

As of this morning, LinkedIn has issued no new updates. Considering the alleged scope and seriousness of this password breach, one would think that LinkedIn would at the least reassure users that the leak isn’t as widespread as previously reported (if that’s the case), and at most, let everyone know that the LinkedIn team is at red alert and has been working through the night and won’t rest until it mitigates this disaster.

It wouldn’t be a bad idea to go ahead and change your LinkedIn password just in case. If you need a refresher on how to do so and how to craft a strong password, Silveira has a post on that, too.

Update, June 8, 1:57am: Ah, there we go, that's a little more like it. It's still quite disconcerting that the breach happened at all, but at least LinkedIn is taking this as seriously as it should.