LinkedIn said today that it has contacted police about the compromise of its users' passwords that hackers were actively cracking earlier this week.
"Yesterday we learned that approximately 6.5 million hashed LinkedIn passwords were posted on a hacker site. Most of the passwords on the list appear to remain hashed and hard to decode, but unfortunately a small subset of the hashed passwords was decoded and published," Vicente Silveira, a director at the professional social-networking site, wrote in a blog post. "We are also actively working with law enforcement, which is investigating this matter."
The damage appears to be limited in the kind of data exposed, the post says, but it is still unclear how many of the site's more than 160 million users may have been affected. "To the best of our knowledge, no email log-ins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member's account as a result of this event." When members log into LinkedIn they do so with an e-mail address and password, LinkedIn spokeswoman Erin O'Harra said when asked to confirm that no user names were exposed.
After realizing the problem, LinkedIn disabled the passwords that it believed were "at greatest risk" and sent those users e-mails informing them that they need to change their passwords, the post says. "Going forward, as a precautionary measure, we are disabling the passwords of any other members that we believe could potentially be affected. Those members are also being contacted by LinkedIn with instructions on how to reset their passwords," Silveira writes.
In addition, the company has beefed up the protection for the passwords in its current product database by applying a technique called "salting" to the hashed, or obscured, passwords. Salting means more work for password crackers, because each stored hash then has to be attacked on its own rather than all of them at once.
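The following is an added example, not code from LinkedIn or from this article, showing why salting raises a cracker's workload. The article does not name LinkedIn's hash function; plain SHA-1 is used here only as a stand-in for an unsalted scheme, and PBKDF2-HMAC-SHA256 with a random 16-byte salt per user as the salted one. The three user accounts and the four-word guess list are constructed sample data. With unsalted hashes, two users who chose the same password get the same stored hash, and one table of hashed guesses is enough to check every account; with per-user salts the guesses must be re-hashed for every account, and the iteration count makes each of those hashes expensive.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts; alice and bob happen to share a password.
USERS: Dict[str, str] = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",
    "carol": "correct horse",
}

# Constructed guess list standing in for a cracker's wordlist.
WORDLIST: List[str] = ["password", "123456", "linkedin2012", "letmein"]


def unsalted_hash(password: str) -> str:
    """Illustrative weak scheme: bare SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(
    password: str, salt: Optional[bytes] = None, iterations: int = 100_000
) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256. Returns (salt, digest).

    The salt is stored beside the digest; it is not secret, it only has to be
    unique per account so that no hash table can be shared across accounts.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Unsalted: hash every guess once, then look up every account in that table."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(
    stored: Dict[str, Tuple[bytes, bytes]], wordlist: List[str], iterations: int = 100_000
) -> Tuple[Dict[str, str], int]:
    """Salted: the guesses must be re-hashed under each account's own salt.

    Returns (cracked accounts, number of hash computations needed).
    """
    cracked: Dict[str, str] = {}
    hash_ops = 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            hash_ops += 1
            if verify_salted(word, salt, digest, iterations):
                cracked[user] = word
                break
    return cracked, hash_ops


def demo(iterations: int = 10_000) -> dict:
    """Store the sample accounts both ways and compare what a wordlist attack costs."""
    unsalted_store = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted_store = {u: salted_hash(p, iterations=iterations) for u, p in USERS.items()}
    salted_cracked, salted_ops = crack_salted(salted_store, WORDLIST, iterations)
    return {
        # Same password, same unsalted hash: the leak itself reveals shared passwords.
        "same_password_same_unsalted_hash": unsalted_store["alice"] == unsalted_store["bob"],
        # Different salts make the same password hash differently per account.
        "same_password_same_salted_hash": salted_store["alice"][1] == salted_store["bob"][1],
        "unsalted_cracked": crack_unsalted(unsalted_store, WORDLIST),
        "unsalted_hash_ops": len(WORDLIST),  # one table serves all accounts
        "salted_cracked": salted_cracked,
        "salted_hash_ops": salted_ops,  # grows with accounts x guesses
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak guesses are recovered under both schemes, which is the point of the advice to change a reused password; what the salt changes is the cost per account (four hash computations in total for the unsalted table versus ten here, and the gap scales with the number of leaked accounts) and the fact that identical passwords no longer stand out in the dump.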
LinkedIn is one of the companies scrambling to warn people about the security problem after user passwords were found on a list posted to a hacker forum. Yesterday, LinkedIn and eHarmony confirmed password compromises, and today Last.fm did. Although approximately 8 million passwords were on the leaked lists, it's unclear how many users are affected and whether other Web sites will be issuing warnings too. Users who might be affected should immediately change their passwords on those sites and any others they might have used those passwords on.
Updated 3:30 p.m. PT with background on password leaks.