Original URL: http://www.theregister.co.uk/2012/06/06/linkedin_password_leak/

Hackers expose 6.5 MILLION 'LinkedIn passwords'

LinkedOut: Hashed details posted on Russian Dropbox-alike site

By Brid-Aine Parnell

Posted in Security, 6th June 2012 16:26 GMT

LinkedIn has said it is looking into a file that reportedly contains the mildly obscured passwords of around 6.5 million of its users.

A list containing the SHA1 hashed but unsalted passwords, purportedly of users of the business social network, has been posted on a Russian Dropbox-alike website. Some LinkedIn users have confirmed on Twitter that their password was in the list, with many saying it was an old password:

LinkedIn has no information on its website, but it has tweeted that it's assessing the situation:

The network hadn't returned a request for comment at the time of publication.

There aren't any email addresses or names on the leaked list, but security experts have been at pains to stress that doesn't mean the hackers don't have them.

SHA-1 hashing is not the securest form of encryption; sensitive information should really be salted, a much stronger form of security.

The leak is coming at a bad time for LinkedIn, as it's already had to defend itself against privacy concerns over its new mobile calendar feature.

The feature is supposed to sync users' mobile calendars with LinkedIn to provide details on the people they are meeting. However, in order to make this "smarter", LinkedIn had been pulling in email addresses for the people, the subject of the meeting, the location and the meeting's notes – a lot of information.

Syncing with LinkedIn is an opt-in feature, so users don't have to do it and the network has said it doesn't store any calendar information on its servers. ®