LinkedIn confirms that user passwords were compromised
LinkedIn has confirmed that some of the more than six million password hashes which were stolen and published online correspond to accounts belonging to its members. The professional social networking web site has now disabled the passwords for affected accounts.
Affected users should receive an email from LinkedIn with instructions explaining how to reset their passwords. LinkedIn Director Vicente Silveira says that these initial password reset emails will not contain any links. This is most likely being done to protect users against possible phishing attacks in which attackers could, for example, send emails with instructions to reset passwords and links to web sites constructed to impersonate LinkedIn, in order to trick people into providing private information.
Once users follow the instructions in the LinkedIn email to request a password reset, they should then receive an email from the company containing a password reset link. Anyone who uses the same password for other services should ensure that they change those passwords as well.
Silveira goes on to note that the newly reset passwords will be stored more securely using a salted hashed format; the company's password databases have "recently" switched to using this more secure format. The company has yet to confirm exactly how many accounts were compromised or how the databases were accessed, but says that it is continuing to investigate the situation.
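The following sketch is an added example, not LinkedIn's code, showing what a per-user salt changes in a stored password table: without a salt, accounts that share a password share a digest, while salted records differ for every account. The article does not name the algorithms involved, so SHA-256, PBKDF2-HMAC-SHA256, the iteration count and the sample accounts are all assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional, Tuple

ITERATIONS = 600_000  # assumed work factor, not a value from the article

def unsalted_record(password: str) -> str:
    # Plain digest: the same password always yields the same stored value.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # A fresh random salt per account, stored next to the derived key.
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify(password: str, salt: bytes, expected: bytes) -> bool:
    # Re-derive with the stored salt and compare in constant time.
    _, key = salted_record(password, salt)
    return hmac.compare_digest(key, expected)

def accounts_sharing_a_digest(stored: dict) -> int:
    # Count accounts whose stored digest is identical to another account's.
    counts = Counter(stored.values())
    return sum(n for n in counts.values() if n > 1)

# Constructed sample accounts; two users picked the same password.
ACCOUNTS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "t7#Lq9vX"}

def demo() -> Tuple[int, int]:
    unsalted = {user: unsalted_record(pw) for user, pw in ACCOUNTS.items()}
    salted = {user: salted_record(pw)[1] for user, pw in ACCOUNTS.items()}
    return accounts_sharing_a_digest(unsalted), accounts_sharing_a_digest(salted)

if __name__ == "__main__":
    plain, with_salt = demo()
    print("accounts sharing a digest, unsalted:", plain)
    print("accounts sharing a digest, salted:  ", with_salt)
```

In a leaked unsalted table, one recovered password exposes every account with the same digest; with per-user salts each record has to be attacked separately.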