User passwords were stolen in the attack, but as the corresponding email addresses are required to log in, users’ accounts could be safe.
LinkedIn is working with law enforcement to investigate the leak, according to LinkedIn director Vicente Silveira on the company’s blog today.
“Going forward, as a precautionary measure, we are disabling the passwords of any other members that we believe could potentially be affected. Those members are also being contacted by LinkedIn with instructions on how to reset their passwords,” Silveira said.
“We are also actively working with law enforcement, which is investigating this matter.”
On Wednesday, reports surfaced that approximately 6.5 million LinkedIn passwords had been compromised and posted online. After initially not admitting to any security breach, the company announced later in the day that some of the passwords are indeed linked to user accounts. “We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts,” LinkedIn Director Dave Silveira wrote in a blog post earlier this week. “We are continuing to investigate this situation.”
LinkedIn has automatically invalidated the passwords of impacted users, and the company says emails will be sent to users whose passwords are compromised, notifying them of the situation. The company warns users not to update passwords via links sent in any emails.
In addition, LinkedIn said on Wednesday it had “just recently” put into place additional security features for its passwords, including hashing and salting all of the company’s password databases. Salting is a process that adds user-specific data to each password before it is hashed, making the stored hashes more difficult to crack.
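The effect of salting described above, as an added example (not code from LinkedIn or from the original article): without a salt, identical passwords share one digest and a single precomputed table exposes all of them, while per-user salts make every stored record unique. The algorithms (plain SHA-256 for the unsalted case, PBKDF2 for the salted case), the user names and the passwords are assumptions constructed for illustration; the article does not say which algorithm LinkedIn used.

```python
import hashlib
import hmac
import os

def unsalted_hash(password: str) -> str:
    # Weak storage scheme: the same password always yields the same digest.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password: str, iterations: int = 100_000) -> dict:
    # Per-user random salt fed into a deliberately slow KDF (PBKDF2).
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(password: str, record: dict) -> bool:
    # Recompute with the stored salt and compare in constant time.
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def exposed_by_table(stored: dict, table: dict) -> dict:
    # Users whose stored digest appears in a precomputed digest->password table.
    return {user: table[d] for user, d in stored.items() if d in table}

# Constructed sample data (not taken from the leak).
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "T7#qv9!mZp"}
COMMON_PASSWORDS = ["123456", "password", "linkedin2012"]

def demo() -> dict:
    # One table, built once without any salt, reused against every stored digest.
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    unsalted_db = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted_db = {u: salted_record(p) for u, p in USERS.items()}
    salted_hex = {u: r["digest"].hex() for u, r in salted_db.items()}
    return {
        "unsalted_exposed": exposed_by_table(unsalted_db, table),
        "salted_exposed": exposed_by_table(salted_hex, table),
        "same_unsalted_digest": unsalted_db["alice"] == unsalted_db["bob"],
        "same_salted_digest": salted_hex["alice"] == salted_hex["bob"],
        "good_login": verify("linkedin2012", salted_db["alice"]),
        "bad_login": verify("wrong-guess", salted_db["alice"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A salt does not make a weak password strong: it forces each record to be guessed separately, which is why it is paired here with a slow key-derivation function.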
“We sincerely apologise for the inconvenience this has caused our members,” Silveira wrote in Wednesday’s blog post and added that the company is continuing to investigate the situation. The company has posted detailed instructions on how to change your LinkedIn password and some suggested best practices for password management.
Even with user email addresses unpublished, users should change their password as soon as possible.