Earlier this week, LinkedIn admitted that over 6 million passwords tied to accounts from its user base had been lifted and posted on a Russian forum. While it appears that most of the posted passwords were "hashed", some of them have since been decoded. There is evidence that some LinkedIn email accounts were later used by online criminals.
In a rare Saturday blog post, LinkedIn gave an update on their investigation into this security breach. The post states, "We want to be as transparent as possible while at the same time preserving the security of our members without jeopardizing the ongoing investigation." The blog post did not offer any new information on who might have been responsible and how they might have gained access to the password list.
LinkedIn insists, "... we have no reports of member accounts being breached as a result of the stolen passwords." It also says that all passwords involved in this breach, even those that have not been decoded, have now been disabled. If a LinkedIn subscriber has not had their password disabled, LinkedIn believes it is safe, but added that it is always a good idea for anyone to change their passwords every few months.
LinkedIn also said it is working with its security team to improve how its passwords are encoded, saying:
Under this team’s leadership, one of our major initiatives was the transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords, i.e. provided an extra layer of protection that is a widely recognized best practice within the industry. That transition was completed prior to news of the password theft breaking on Wednesday. We continue to execute on our security roadmap, and we’ll be releasing additional enhancements to better protect our members.
Source: LinkedIn blog
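The difference LinkedIn describes above, between a store that only hashes passwords and one that hashes and salts them, as an added illustration that is not code from LinkedIn or from the original article. The algorithm (SHA-1), the user names and the shared password are all constructed assumptions; the article names none of them.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to choose the same password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012"}


def hash_unsalted(password):
    """The pre-transition scheme: a bare hash, i.e. one layer of encoding.
    SHA-1 is assumed here for illustration; the article names no algorithm."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """The post-transition scheme: a random per-user salt is mixed in, so
    identical passwords no longer yield identical digests. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return salt, digest


def verify_salted(password, salt, stored_digest):
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def build_store(users, salted):
    """Build a credential table {user: (salt_or_None, digest)} in either scheme."""
    store = {}
    for name, password in users.items():
        if salted:
            store[name] = hash_salted(password)
        else:
            store[name] = (None, hash_unsalted(password))
    return store


def distinct_digests(store):
    """Number of unique digests a leaked table exposes. Unsalted: one lookup
    of a common password recovers every user who chose it. Salted: every
    user's entry has to be worked on separately."""
    return len({digest for _, digest in store.values()})


if __name__ == "__main__":
    print("unsalted:", distinct_digests(build_store(USERS, salted=False)))  # 1
    print("salted:  ", distinct_digests(build_store(USERS, salted=True)))   # 2
```

A single SHA-1 pass, even salted, is still fast to evaluate; production systems use a deliberately slow password hash (bcrypt, scrypt or PBKDF2) on top of the salt.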