LinkedIn provided a status update on its massive security breach of 6.5 million passwords, noting in a blog post over the weekend that none of its users' accounts have been breached with the stolen passwords. At least, to the best of its knowledge.
Last week, the social networking giant learned that hackers had stolen millions of its users' hashed passwords, posted them to a website frequented by hackers and asked others to try to break the hashes. LinkedIn noted that some of its passwords were decoded.
In a blog post over the weekend, LinkedIn director Vicente Silveira provided an update, noting no accounts were breached with the stolen passwords:
First, it’s important to know that compromised passwords were not published with corresponding email logins. At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves.
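The distinction Silveira draws above, passwords that were "hashed, i.e. encoded" yet partly "decoded", is easier to see in code. The block below is an added example, not LinkedIn's code and not part of the blog post. The usernames, passwords and wordlist are constructed; the choice of unsalted SHA-1 as the weak scheme and salted PBKDF2 as the stronger one is an assumption made for illustration, not a description of how LinkedIn stored passwords.

```python
import hashlib
import hmac

# Constructed wordlist of common passwords (illustrative, not a real leak).
WORDLIST = ["password", "linkedin", "123456", "letmein", "qwerty"]

# Constructed user records; none of these are real LinkedIn members.
USER_PASSWORDS = {
    "alice": "password",       # in the wordlist
    "bob": "x9!Qv#2mLp^r",     # not in the wordlist
    "carol": "letmein",        # in the wordlist
}

# Constructed per-user salt; a real system would draw one at random per user.
SALT = b"constructed-salt-value"


def fast_unsalted_hash(password: str) -> str:
    """Assumed weak scheme: one fast, unsalted SHA-1 over the password.

    Every user with the same password gets the same digest, so one
    precomputed table answers the question for all of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Assumed stronger scheme: salted, iterated PBKDF2-HMAC-SHA256.

    The salt makes a shared lookup table useless, and the iteration count
    makes each individual guess expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_lookup_table(wordlist) -> dict:
    """Precompute digest -> plaintext for every wordlist entry (done once)."""
    return {fast_unsalted_hash(word): word for word in wordlist}


def decode_from_list(leaked_hashes, table: dict) -> dict:
    """Return {digest: plaintext} for every leaked digest present in the table.

    This is the 'subset of the passwords was decoded' outcome: only entries
    whose plaintext happens to be in the wordlist are recovered.
    """
    return {h: table[h] for h in leaked_hashes if h in table}


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time check of a candidate password against a salted digest."""
    return hmac.compare_digest(salted_slow_hash(password, salt), stored)


def simulate_leak() -> dict:
    """Compare how the two storage schemes fare against the same wordlist."""
    table = build_lookup_table(WORDLIST)

    # Scheme 1: unsalted digests leak; the table recovers a subset directly.
    unsalted = [fast_unsalted_hash(p) for p in USER_PASSWORDS.values()]
    decoded = decode_from_list(unsalted, table)

    # Scheme 2: salted digests leak; the same table matches nothing, and the
    # legitimate verification path still works for the real password.
    salted = [salted_slow_hash(p, SALT) for p in USER_PASSWORDS.values()]
    table_hits_on_salted = decode_from_list(salted, table)
    alice_verifies = verify_salted("password", SALT, salted_slow_hash("password", SALT))

    return {
        "users": len(USER_PASSWORDS),
        "decoded_unsalted": sorted(decoded.values()),
        "decoded_salted_via_table": len(table_hits_on_salted),
        "salted_verify_ok": alice_verifies,
    }


if __name__ == "__main__":
    print(simulate_leak())
```

The salted scheme does not make a weak password safe; an attacker can still run the wordlist against each record individually. What it removes is the shortcut the unsalted list offers, where one precomputed table decodes every matching entry in bulk, and the iteration count turns each remaining guess into real work.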
He also goes on to explain why members weren’t immediately notified that their LinkedIn passwords had been disabled, following the breach:
As soon as we learned of the theft, we launched an investigation to confirm that the passwords were LinkedIn member passwords. Once confirmed, we immediately began to address the risk to our members, prioritized as follows:
Based on our investigation, those members whom we believed were at risk, and whose decoded passwords already had been published, had their passwords quickly disabled and were sent an email by the Customer Service team.
By the end of Thursday, all passwords on the published list that we believed created risk for our members, based on our investigation, had been disabled. This is true, regardless of whether or not the passwords were decoded. After we disabled the passwords, we contacted members with instructions on how to reset their passwords.
One question the blog post leaves open is why LinkedIn did not send an immediate email to all 6.5 million users whose passwords were published, telling them to change their passwords ASAP, rather than relying on users to read about the security breach and take such action themselves.