* Company confirms breach
* LinkedIn sent affected members emails to change passwords
* Expert says could take days to identify source
By Jim Finkle and Jennifer Saba
BOSTON/NEW YORK, June 6 - Social networking site LinkedIn
said on Wednesday that it had suffered a data breach that
compromised the passwords of some of its members.
LinkedIn engineer Vicente Silveira confirmed on the site's
blog that some passwords were "compromised."
"We are continuing to investigate this situation," he said.
LinkedIn said it sent emails to members whose passwords were
affected explaining how to reset them, since they are no longer
valid on the site.
It could take several days, or up to a week, for LinkedIn to
identify the source, said Mary Landesman, security researcher
with Cloudmark, a company that helps secure messaging systems.
LinkedIn, which made its stock debut last year, is a social
media company that caters to companies seeking employees and
people scouting for jobs.
It has more than 161 million members worldwide. One of the
Mountain View, California-based company's main initiatives is to
grow internationally - 61 percent of its membership is located
outside the United States.
Marcus Carey, security researcher at Boston-based Rapid7,
said he believed the attackers had been inside LinkedIn's
network for at least several days, based on an analysis of the
type of information stolen and quantity of data posted on the
forums.
"While LinkedIn is investigating the breach, the attackers
may still have access to the system," Carey warned. "If the
attackers are still entrenched in the network, then users who
have already changed their passwords may have to do so a second
time."
Officials with LinkedIn declined to comment on whether an
attack might still be in progress.
The breach is the latest in a string of high-profile hacks
affecting companies and governments around the world, which have
put the personal information of millions at risk.
With LinkedIn, computer security experts discovered files
with some 6.4 million scrambled passwords on Tuesday, which they
originally suspected belonged to LinkedIn members because some of
the passwords included the phrase "LinkedIn," said Graham
Cluley, a senior technology consultant with British computer
security software maker Sophos.
When Sophos dug further, it found other passwords on the
list belonged to Sophos employees, who only used them to secure
their LinkedIn accounts, he said. But it is possible that all or
just some of those 6.4 million passwords belong to LinkedIn
members, Cluley added.
The data was found on underground websites where criminal
hackers frequently exchange stolen information, including
scrambled passwords.
The files included only passwords and not corresponding
email addresses, which means that people who download the files
and unscramble the passwords will not easily be able to access
any accounts with compromised passwords.
Yet analysts said it is likely that the hackers who stole
the passwords also have the corresponding email addresses and
would be able to access the accounts.
NEEDS MORE SALT?
At least two security experts who examined the files
believed to contain the stolen LinkedIn passwords said the
company had failed to use best practices for protecting the
data.
The experts said that LinkedIn used a vanilla, or basic,
technique for encrypting, or scrambling, the passwords, which
allows hackers to quickly unscramble all of the passwords once
they have figured out the formula by which any single password
was encrypted.
The social network could have made it extremely tedious for
the passwords to be unscrambled by using a technique known as
"salting," which means adding a secret salt to each password
before scrambling it.
"What they did is considered to be poor practice," Landesman
said.
Silveira said in the post that affected members who update
their passwords and those members whose passwords were not
compromised "benefit from the enhanced security we just recently
put in place, which includes hashing and salting of our current
password databases."
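The two paragraphs above describe, in plain language, why an unsalted password store can be unscrambled wholesale and how salting prevents that. The following Python is an added illustration written for this page; it is not LinkedIn's code, and the article does not name the hash algorithm LinkedIn used, so SHA-256 for the weak scheme and PBKDF2-HMAC-SHA256 (from Python's standard library) for the salted scheme are assumptions. The user names, passwords and wordlist are constructed sample data. One caveat on the article's wording: a salt does not need to be secret; it is stored beside the hash, and its job is to make every record unique so that one precomputed table cannot serve all users at once.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the article): three accounts, two of which
# chose the same password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "sunny-hilltop-42"}

# Constructed wordlist: the candidate passwords an attacker would hash once.
WORDLIST = ["password", "123456", "linkedin2012", "letmein"]


def unsalted_hash(password: str) -> str:
    """The vanilla scheme the article criticises: hash the bare password.
    SHA-256 is an assumption; the article does not name the algorithm."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_unsalted_store(users: dict) -> dict:
    """Unsalted store: user -> digest. Equal passwords give equal digests."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def duplicate_digests(store: dict) -> dict:
    """Defender's check: in an unsalted store, users who share a password share
    a digest, so any duplicate digest is a sign the store is not salted."""
    groups = {}
    for user, digest in store.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


def precomputed_table(wordlist) -> dict:
    """Computed once; reusable against every unsalted record in the store."""
    return {unsalted_hash(w): w for w in wordlist}


def match_unsalted(store: dict, table: dict) -> dict:
    """Every user whose password is in the table is revealed by one lookup."""
    return {user: table.get(digest) for user, digest in store.items()}


# --- the salted alternative ---------------------------------------------------

ITERATIONS = 100_000  # assumption: iteration count is tuned to a hardware budget


def salted_hash(password: str, salt: bytes) -> str:
    """Salted and iterated hashing with PBKDF2-HMAC-SHA256 (standard library).
    The salt is stored alongside the digest; it is not a secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


def new_record(password: str) -> tuple:
    """A fresh random 16-byte salt per record, stored next to the digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def build_salted_store(users: dict) -> dict:
    """Salted store: user -> (salt, digest). Equal passwords give different digests."""
    return {user: new_record(pw) for user, pw in users.items()}


def verify(password: str, record: tuple) -> bool:
    """Login check: re-hash with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(salted_hash(password, salt), stored)


def match_salted(store: dict, table: dict) -> dict:
    """The same precomputed table applied to salted records finds nothing: the
    salt changed every digest, so the work cannot be done once for all users."""
    return {user: table.get(digest) for user, (salt, digest) in store.items()}


if __name__ == "__main__":
    unsalted = build_unsalted_store(USERS)
    table = precomputed_table(WORDLIST)
    print("duplicate digests (unsalted):", duplicate_digests(unsalted))
    print("table lookups (unsalted):", match_unsalted(unsalted, table))
    salted = build_salted_store(USERS)
    print("table lookups (salted):", match_salted(salted, table))
    print("alice verifies:", verify("linkedin2012", salted["alice"]))
```

Running the script shows alice and bob sharing a digest in the unsalted store and both being exposed by a single table lookup, while in the salted store their records differ, the table finds nothing, and the legitimate login check still succeeds. The `duplicate_digests` check is also a quick audit a defender can run over any hash dump to tell whether it was salted.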
Last year, a security researcher warned that LinkedIn had
flaws that make users' accounts vulnerable to attack by hackers
because of the way it manages cookies.
Cookies are small pieces of data sent from a website and
stored in a computer user's Web browser. They are commonly used
as a way to compile long-term records of individuals' browsing
histories, and have raised concerns about privacy.
LinkedIn was co-founded by former PayPal executive Reid
Hoffman in 2002 and makes money selling marketing services and
subscriptions to companies and job seekers.
LinkedIn shares closed 8 cents higher at $93.08 on
Wednesday.