* Company confirms breach
* LinkedIn sent affected members emails to change passwords
By Jim Finkle and Jennifer Saba
BOSTON/NEW YORK, June 6 - LinkedIn said
on Wednesday that it had a data breach that compromised the
passwords of some of the social network's members.
LinkedIn engineer Vicente Silveira confirmed on the
website's blog that some passwords were "compromised."
"We are continuing to investigate this situation," he said.
LinkedIn said it sent emails to members whose passwords were
affected, explaining how to reset them since they were no longer
valid on the site.
LinkedIn, which made its stock debut last year, is a social
media company that caters to companies seeking employees and
people scouting for jobs.
It has more than 161 million members worldwide. One of the
Mountain View, California-based company's main initiatives is to
grow internationally - 61 percent of its membership is located
outside the United States.
Marcus Carey, security researcher at Boston-based Rapid7,
said he believed the attackers had been inside LinkedIn's
network for at least several days, based on an analysis of the
type of information stolen and quantity of data posted on
"While LinkedIn is investigating the breach, the attackers
may still have access to the system," Carey warned. "If the
attackers are still entrenched in the network, then users who
have already changed their passwords may have to do so a second
Officials with LinkedIn declined to comment on whether an
attack might still be in progress.
The breach is the latest in a string of high-profile hacks
affecting companies and governments around the world, which have
put the personal information of millions at risk.
News of the breach surfaced on Wednesday when computer
security experts said they discovered files with some 6.4
million encrypted passwords on underground websites where
criminal hackers frequently exchange stolen information.
Graham Cluley, a senior technology consultant with British
computer security software maker Sophos, said that it is not yet
clear if all of those passwords belong to LinkedIn members.
The files included only passwords and not corresponding
email addresses, which means that people who download the files
and decrypt, or unscramble, the passwords will not easily be
able to access any accounts with compromised passwords.
Yet analysts said it is likely that the hackers who stole
the passwords also have the corresponding email addresses and
would be able to access the accounts.
NEEDS MORE SALT?
At least two security experts who examined the files
containing the LinkedIn passwords said the company had failed to
use best practices for protecting the data.
The experts said that LinkedIn used a vanilla or basic
technique for encrypting, or scrambling, the passwords which
allowed hackers to quickly unscramble all passwords after they
figured out the formula by which any single password had been
The social network could have made it extremely tedious for
the passwords to be unscrambled by using a technique known as
"salting", which means adding a secret code to each password
before it is encrypted.
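As an added illustration of the salting point above (example code written for this page, not LinkedIn's code; it assumes an unsalted SHA-1 as the "vanilla" scheme, which the article does not specify, and uses constructed sample accounts and a constructed short list of common passwords):

```python
import hashlib
import os

# Constructed sample accounts for the demonstration (not real LinkedIn data).
# Two users share the same password, as happens in any large user base.
SAMPLE_USERS = {
    "alice@example.com": "sunshine",
    "bob@example.com": "sunshine",
    "carol@example.com": "corr3ct-horse-b4ttery",
}

# Constructed stand-in for the much larger lists of common passwords whose
# digests can be computed once and reused against every unsalted table.
COMMON_PASSWORDS = ["123456", "password", "sunshine", "linkedin", "qwerty"]


def hash_unsalted(password):
    # Assumption for illustration: the "vanilla" scheme is a plain SHA-1 of
    # the password with nothing added. The article does not name the algorithm.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password, salt):
    # Salting: a per-user random value is combined with the password before
    # hashing, so equal passwords under different salts give unrelated digests.
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def store_unsalted(users):
    # The password table as it looks under the vanilla scheme.
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def store_salted(users, salts=None):
    # The salt is stored next to the digest; it does not need to be secret,
    # it only needs to be random and different for every user.
    if salts is None:
        salts = {user: os.urandom(16) for user in users}
    return {user: (salts[user], hash_salted(pw, salts[user]))
            for user, pw in users.items()}


def users_sharing_a_digest(unsalted_store):
    # Audit check 1: in an unsalted table, identical digests reveal identical
    # passwords before any cracking happens. Returns the users involved.
    by_digest = {}
    for user, digest in unsalted_store.items():
        by_digest.setdefault(digest, []).append(user)
    return sorted(u for group in by_digest.values() if len(group) > 1
                  for u in group)


def precomputed_table_hits(store, common):
    # Audit check 2: how many users does ONE precomputed table of common
    # password digests expose? The table is built once, with no salt.
    table = {hash_unsalted(pw) for pw in common}
    hits = 0
    for value in store.values():
        digest = value[1] if isinstance(value, tuple) else value
        if digest in table:
            hits += 1
    return hits


def per_user_rehash_hits(salted_store, common):
    # With salts, the same list has to be re-hashed once per user with that
    # user's salt, so the work grows with the number of accounts instead of
    # being done once for the whole table.
    hits = 0
    for salt, digest in salted_store.values():
        if digest in {hash_salted(pw, salt) for pw in common}:
            hits += 1
    return hits


if __name__ == "__main__":
    plain = store_unsalted(SAMPLE_USERS)
    salted = store_salted(SAMPLE_USERS)
    print("unsalted: users sharing a digest:", users_sharing_a_digest(plain))
    print("unsalted: one table exposes",
          precomputed_table_hits(plain, COMMON_PASSWORDS), "users")
    print("salted:   one table exposes",
          precomputed_table_hits(salted, COMMON_PASSWORDS), "users")
    print("salted:   per-user rehashing exposes",
          per_user_rehash_hits(salted, COMMON_PASSWORDS), "users")
```

The first two checks are what a reviewer of a leaked hash file can run immediately: repeated digests and matches against a single precomputed table are only possible when no salt was used. The last check shows the limit of salting alone: a weak password is still guessable per user, which is why a slow, salted password-hashing function is the usual recommendation rather than a fast hash with a salt.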
"What they did is considered to be poor practice," said Mary
Landesman, security researcher with Cloudmark, a company that
helps secure messaging systems.
LinkedIn officials declined to comment on the criticism,
saying it was discussing the breach only on its official blog.
Silveira said in the blog that the company just recently put
in place new security measures to protect customer passwords,
including the use of salting techniques.
Last year, a security researcher warned that LinkedIn had
flaws in the way it managed communications with browsers to
authorize logins, making accounts more vulnerable to attack.
The company responded by tightening its procedures for logins.
LinkedIn was co-founded by former PayPal executive Reid
Hoffman in 2002 and makes money selling marketing services and
subscriptions to companies and job seekers.
LinkedIn shares closed 8 cents higher at $93.08 on