Social networking website LinkedIn is investigating claims that over six million users’ passwords have been leaked onto the Internet. BBC News reports that hackers posted a file containing hashed (not plaintext) passwords to a Russian web forum. According to SecurityWeek, the website Dangens IT reported that the lists were uploaded in an effort to crowd-source their cracking, i.e., the hacking community was invited to help recover the original passwords from the hashes. So far some 300,000 passwords have been cracked. While it is unclear how many of those passwords belong to LinkedIn accounts, many of the publicly posted cracked passwords contain the string "linkedin" in some form, a strong hint at the source of the list. LinkedIn has confirmed on its blog that "some" of the compromised passwords correspond to LinkedIn accounts; according to the blog, those passwords have been invalidated and affected users will receive further instructions by email.
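The crowd-sourced cracking described above is cheap because, as was widely reported at the time, the leaked file held unsalted SHA-1 hashes: one candidate digest can be compared against every entry in the dump at once. The script below is an added example (not code from the article, from LinkedIn, or from the forum posters) that runs a small dictionary attack over a constructed dump, counts how many recovered passwords contain "linkedin", repeats the attack against per-user salted hashes to show the work multiplying with the dump size, and includes a local check for whether a given password's hash appears in a dump. The hash format is an assumption, and the sample passwords, wordlist and salts are all constructed here.

```python
"""Dictionary attack against a file of unsalted SHA-1 password hashes.

Added example, not code from the article or from LinkedIn. Assumptions:
the dump is one lowercase hex SHA-1 digest per line with no salt (the
format widely reported for this dump); the dump, wordlist and salts below
are constructed for illustration.
"""
import hashlib

# Constructed sample dump: SHA-1 of five weak passwords and one strong one.
SAMPLE_PASSWORDS = ["password", "linkedin", "Linkedin2012", "Hunter2",
                    "ilovelinkedin", "Xq7!vR9#mLp2"]
SAMPLE_DUMP = [hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PASSWORDS]

# Constructed wordlist: a tiny stand-in for the multi-million-entry lists crackers use.
WORDLIST = ["123456", "password", "linkedin", "hunter2", "ilovelinkedin", "qwerty"]

# Constructed salted dump: (salt, SHA-1(salt + password)) pairs with fixed salts.
SALTED_DUMP = [(salt, hashlib.sha1((salt + pw).encode()).hexdigest())
               for salt, pw in [("a1", "password"), ("b2", "hunter2"),
                                ("c3", "Xq7!vR9#mLp2")]]


def mangle(word):
    """Yield the simple mutations crackers try: case changes and common suffixes."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "2012"):
        yield word + suffix
        yield word.capitalize() + suffix


def all_candidates(wordlist):
    """Every candidate password derived from the wordlist, in a fixed order."""
    for word in wordlist:
        yield from mangle(word)


def crack(dump, wordlist):
    """Unsalted hashes: each candidate is hashed once and checked against the
    whole dump. Returns ({hash: plaintext}, number_of_hashes_computed)."""
    targets = set(dump)
    recovered, hashes_computed = {}, 0
    for candidate in all_candidates(wordlist):
        hashes_computed += 1
        h = hashlib.sha1(candidate.encode()).hexdigest()
        if h in targets and h not in recovered:
            recovered[h] = candidate
    return recovered, hashes_computed


def crack_salted(salted_dump, wordlist):
    """Same attack against per-user salted hashes: every candidate must be
    hashed once per entry, so the work grows with the size of the dump."""
    recovered, hashes_computed = {}, 0
    for salt, h in salted_dump:
        for candidate in all_candidates(wordlist):
            hashes_computed += 1
            if hashlib.sha1((salt + candidate).encode()).hexdigest() == h:
                recovered[h] = candidate
                break
    return recovered, hashes_computed


def linkedin_hits(plaintexts):
    """Cracked passwords that reference the site name (case-insensitive), the
    signal the article says tied the list to LinkedIn."""
    return [p for p in plaintexts if "linkedin" in p.lower()]


def password_in_dump(password, dump):
    """Local check: hash the password yourself and look it up. Never paste a
    live password into a third-party 'was I leaked' form."""
    return hashlib.sha1(password.encode()).hexdigest() in set(dump)


if __name__ == "__main__":
    found, work = crack(SAMPLE_DUMP, WORDLIST)
    print(f"unsalted: recovered {len(found)}/{len(SAMPLE_DUMP)} with {work} hashes")
    print("mention linkedin:", linkedin_hits(found.values()))
    found_s, work_s = crack_salted(SALTED_DUMP, WORDLIST)
    print(f"salted: recovered {len(found_s)}/{len(SALTED_DUMP)} with {work_s} hashes")
    print("'password' in dump:", password_in_dump("password", SAMPLE_DUMP))
```

With the constructed data the unsalted run recovers five of six hashes in a single pass of 54 candidate digests, while the salted run has to restart the candidate list for every entry, which is why salting (together with a deliberately slow hash such as bcrypt or PBKDF2) is the standard defence against exactly this kind of crowd-sourced cracking.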
The news comes on the heels of yesterday’s discovery by security researchers of a privacy flaw in LinkedIn’s mobile app. According to Skycure Security, the app was automatically sending unencrypted calendar entries to LinkedIn servers without users’ knowledge or consent. The information included meeting notes, which often contain sensitive details such as dial-in numbers and passcodes for conference calls. Skycure reported that the names and email addresses of the meeting organizer and attendees were being collected even for people who do not have a LinkedIn account. This practice arguably violates Apple’s privacy guidelines, which prohibit apps from transmitting personal data without users’ informed consent. In response, LinkedIn issued a statement that it would no longer send data from the meeting notes section of users’ calendars, and that it would add a "learn more" link to provide greater transparency about its data collection and use practices.
As a precautionary measure, security experts advise that all LinkedIn users change their passwords immediately, and also change that password on any other site where it was reused, since passwords recovered from a dump like this are routinely tried against other services.