Helen A.S. Popkin
While LinkedIn confirmed Wednesday afternoon via its blog that user passwords had been compromised, it did not address whether the number of passwords stolen equaled the more than 6.5 million reported earlier in the day. Regardless, both LinkedIn and security experts advise that LinkedIn users change their passwords as soon as possible.
LinkedIn director Vicente Silveira wrote:
We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.
These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
Earlier in the day, security firm Sophos reported that the files posted on a Russian hacker site do contain LinkedIn passwords. "A file containing 6,458,020 SHA-1 unsalted password hashes has been posted on the internet, and hackers are working together to crack them," wrote Graham Cluley, Sophos senior technology consultant. "Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals."
All LinkedIn members should take precautionary measures and change their passwords immediately, Cluley advised, and provided the following instructions:

  1. Log into LinkedIn.
  2. You should see your name in the top right hand corner of the webpage. Click on it, and you will open a drop-down menu. Choose "Settings".
  3. Choose the option to change your password.
  4. After entering your old password, you will have to enter your new (hopefully unique and hard-to-crack) password twice.
If you access LinkedIn via your Facebook account, take the extra precaution of changing your Facebook password as well. Further, if your LinkedIn password is the same one you use for any other accounts, change those as well -- hackers will often try out a password on several accounts, since so many people are in the (bad) habit of using just one.
News of the possible LinkedIn password leak comes less than 24 hours after mobile security researchers revealed that the LinkedIn mobile app is able to access subscriber meeting notes.

"The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes," writes Skycure Security researcher Adi Sharabani on the company's blog. "If you have decided to opt-in to this calendar feature in iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every time you open your LinkedIn app."
In a blog post responding to the mobile app flap, LinkedIn mobile product head Joff Redfern emphasizes that user information used to sync the calendar app "is sent securely over SSL and we never share or store your calendar information" and that LinkedIn does not "under any circumstances access your calendar data unless you have explicitly opted in to sync your calendar."
In response to the Skycure Security findings, Redfern added that LinkedIn "will improve" the following:

  • These improvements are live on Android now and have been submitted to the Apple store and will be available shortly.
  • There will be a new “learn more” link to provide more information about how your calendar data is being used.
  • We will no longer send data from the meeting notes section of your calendar event.