LinkedIn suffers security breach resulting in loss of 6.5 million encrypted passwords, firms verify

MOUNTAIN VIEW, Calif. — Social network LinkedIn has suffered a breach resulting in the loss of over 6.5 million encrypted passwords that could allow criminals to break into subscribers’ accounts, according to two security firms.

The hacked passwords were first posted to a Russian hackers forum, Norway-based tech blog Dagens IT reported earlier Wednesday.

Two security firms, Sophos and Rapid7, said they were able to confirm the breach by searching for the known passwords of colleagues within the massive file, which they say has been spreading through other hacker forums.

The hacked passwords would represent about four percent of LinkedIn’s 150 million users.

LinkedIn didn’t return repeated calls for comment. In an email, the company referred requests for information to its Twitter account, in which it said it is investigating these reports but is “unable to confirm any security breach has occurred.”

Other hackers have already managed to decrypt and post passwords online, said Graham Cluley, a security consultant at Sophos. Cluley said there is so far no evidence the passwords have been linked to user email addresses.

Marcus Carey, a researcher at security research firm Rapid7, says users should protect themselves by changing their LinkedIn and email passwords, but doing that once might not be enough.

“The vulnerability hasn’t yet been worked out, so the attackers may still be in the system and you may need to change your password again, once the flaw is worked out,” Carey said. “This may be a two time thing.”

To read more, go to The Wall Street Journal