LinkedIn has said it is looking into a file that reportedly contains the mildly obscured passwords of around 6.5 million of its users.
A list containing the SHA1 hashed but unsalted passwords, purportedly of users of the business social network, has been posted on a Russian Dropbox-alike website. Some LinkedIn users have confirmed on Twitter that their password was in the list, with many saying it was an old password:
LinkedIn passwords leak is real. My hashed password is there (good luck getting a reverse hash ;) )— Ivan Zlatev (@ivanzlatev) June 6, 2012
RT@nunoloureiro: My passwd hash is not there but my friend's old password is. He changed it 27th May, so LinkedIn leak is prior to that date— RandomStorm (@RandomStorm) June 6, 2012
LinkedIn has no information on its website, but it has tweeted that it's assessing the situation:
Our team is currently looking into reports of stolen passwords. Stay tuned for more.— LinkedIn (@LinkedIn) June 6, 2012
The network hadn't returned a request for comment at the time of publication.
There aren't any email addresses or names on the leaked list, but security experts have been at pains to stress that doesn't mean the hackers don't have them.
SHA-1 hashing is not the securest form of encryption; sensitive information should really be salted, a much stronger form of security.
The leak is coming at a bad time for LinkedIn, as it's already had to defend itself against privacy concerns over its new mobile calendar feature.
The feature is supposed to sync users' mobile calendars with LinkedIn to provide details on the people they are meeting. However, in order to make this "smarter", LinkedIn had been pulling in email addresses for the people, the subject of the meeting, the location and the meeting's notes – a lot of information.
Syncing with LinkedIn is an opt-in feature, so users don't have to do it and the network has said it doesn't store any calendar information on its servers. ®