11 Jun 2012

Most Hacked LinkedIn Passwords Were Hashed, Company Says

The business social network LinkedIn said most of the 6.5 million passwords leaked in the recent hack were not associated with their e-mail logins, meaning the hackers who stole the passwords were likely unable to use them.

“It's important to know that compromised passwords were not published with corresponding e-mail logins,” LinkedIn director Vicente Silveira said in a blog post. “At the time they were initially published, the vast majority of those passwords remained hashed, i.e., encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves.”

The company also said it has no reports of member accounts being breached as a result of the stolen passwords, and that all member passwords believed to be at risk have already been disabled.

Ironically, the company had just updated its security system, switching from a database of hashed passwords to a system that both hashes and salts the passwords, providing an extra layer of protection.

“That transition was completed prior to news of the password theft breaking on Wednesday,” LinkedIn representatives said. “We continue to execute on our security road map, and we'll be releasing additional enhancements to better protect our members.”

The company is working closely with the FBI to pursue the hackers, so it says it’s unable to give many details about the breach without jeopardizing the investigation. Internet radio site Last.fm and online dating service eHarmony were also dealing with password breaches last week.