LinkedIn could be in some serious hot water if word is true that millions of encrypted passwords were leaked on a hacker site. According to a Dagens IT article published this morning, nearly 6.5 million encrypted LinkedIn passwords were dumped onto a Russian hacker forum.
The news comes just as LinkedIn has been getting some heated responses when the iOS update was found to transmit users’ meeting notes back to LinkedIn servers without their permission.
Dagens IT reports that nearly 300,000 of the 6.5 million passwords have been decrypted over the last two days, a number which will grow the longer the information is out there. So if you have a LinkedIn account, better be safe than sorry and change that password. (Reporter's note: I just did.)
The passwords were stored as unsalted SHA-1 hashes, and multiple reports on Twitter indicate that users have found their own hashes buried in the text dump online.
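Why the lack of a salt matters, as an added example that is not part of the original article: with unsalted SHA-1, every account that shares a password shares a digest, and anyone can check a dump for their own hash, as the Twitter users did. The account names, passwords and dump lines are constructed, and the salted PBKDF2 scheme is one assumed alternative, not something the article attributes to LinkedIn.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; none of these values come from a real dump.
ACCOUNTS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "S3parate!"}

def unsalted_sha1(password: str) -> str:
    """Storage scheme described in the article: bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def in_dump(password: str, dump_lines) -> bool:
    """Self-check: does the digest of my own password appear in a dump?"""
    return unsalted_sha1(password) in {ln.strip().lower() for ln in dump_lines}

def salted_record(password: str, iterations: int = 200_000):
    """Assumed alternative: per-user random salt plus a slow KDF (PBKDF2)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest

def verify(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def demo():
    unsalted = {user: unsalted_sha1(pw) for user, pw in ACCOUNTS.items()}
    salted = {user: salted_record(pw) for user, pw in ACCOUNTS.items()}
    dump = [h.upper() + "\n" for h in unsalted.values()]  # constructed "dump" lines
    return {
        # alice and bob collapse to one digest: one recovered hash exposes both
        "unsalted_distinct": len(set(unsalted.values())),
        # with salts, identical passwords yield unrelated stored values
        "salted_distinct": len({rec[2] for rec in salted.values()}),
        "alice_found_in_dump": in_dump("linkedin2012", dump),
        "unused_password_found": in_dump("never-used-here", dump),
        "salted_verify_ok": verify("linkedin2012", salted["bob"]),
        "salted_verify_bad": verify("wrong", salted["bob"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```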
LinkedIn tweeted that they have heard similar rumors but have not publicly confirmed that this information is accurate.
As for the iOS update where calendar information is possibly insecure, LinkedIn has responded on its own blog. LinkedIn clarifies that the data it sends to its servers from your calendar is sent over SSL, which means it uses a secure connection that third parties can’t peek at while your data is in transit between your phone and LinkedIn’s servers. The company also says that it doesn’t store your calendar information or share it with others, and stresses that it only accesses your calendar data at all if you explicitly ask it to do so.
LinkedIn also added that the next version of its iOS app “will no longer send data from the meeting notes section of your calendar event,” and it will add a link in order to “provide more information about how your calendar data is being used.”
This tough day for LinkedIn is a good reminder to people out there: use more caution online with passwords and with which services you allow to access your data. Nothing is unbreachable.