A Russian forum user is taking responsibility for the leak, claiming that he hacked LinkedIn and uploaded the encrypted passwords without usernames.
The passwords are hashed with SHA-1, a cryptographic hash function that is used in SSL and TLS and is generally thought to be secure. However, the passwords are stored as unsalted hashes, which makes them easier to decipher.
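Why the missing salt matters, shown as an added example that is not from the original article: with bare SHA-1, every account using the same password stores the same digest, so one guess or one precomputed table applies to the whole dump, while a per-user salt with a slow key-derivation function removes that shortcut. The account names, passwords, the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (assumed values, not data from the leak).
ACCOUNTS = {"user_a": "Summer2012!", "user_b": "Summer2012!", "user_c": "tr0ub4dor&3"}

def unsalted_sha1(password):
    """Storage scheme described in the article: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_pbkdf2(password, salt=None, iterations=200_000):
    """Hardened form (assumed parameters): random per-user salt plus a slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest

def verify(password, salt, iterations, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, _, digest = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(digest, expected)

def shared_digests(stored):
    """Return groups of users whose stored digest is identical."""
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    return sorted(users for users in groups.values() if len(users) > 1)

def demo():
    """Hash the sample accounts both ways and report users sharing a digest."""
    weak = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    strong = {u: salted_pbkdf2(p)[2] for u, p in ACCOUNTS.items()}
    return shared_digests(weak), shared_digests(strong)

if __name__ == "__main__":
    weak_groups, strong_groups = demo()
    print("unsalted SHA-1, users sharing a digest:", weak_groups)
    print("salted PBKDF2, users sharing a digest:", strong_groups)
```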
After tweeting this morning that the LinkedIn team was investigating reports of stolen passwords, LinkedIn later confirmed the security breach. The company hasn’t released many details, but did give users a helpful heads-up. If you try to log into LinkedIn and your password doesn’t work, then it was likely hacked and you should change your password immediately. Those users will also be receiving an email from LinkedIn with instructions to change their passwords.
An additional note? If you use the same password for other sites and services, you may want to take extra precautions and change those passwords, too.
The news of the hacking comes on the heels of accusations that LinkedIn’s mobile apps are collecting user data from the opt-in calendar feature, which may include potentially sensitive information like meeting notes, attendee names and meeting times.
LinkedIn responded to the accusations on its company blog, including a list of what the company does and does not do with the information collected via the calendar function. LinkedIn opted to make two changes to the feature, including no longer sending data from the meeting notes section of an event and the addition of a “learn more” link that will provide information about how your calendar data is used.
If you haven’t already stopped reading in order to change your LinkedIn password, do it now!