LinkedIn has confirmed that "some" of the stolen passwords posted online by a hacker correspond to accounts on the professional networking site.
The confirmation came after reports that 6.5 million encrypted stolen passwords had been posted on a Russian web forum, and that hackers were working on decrypting them.
LinkedIn has withdrawn all compromised passwords and undertaken to send all affected users an e-mail with instructions on how to reset their passwords.
The professional networking site said all affected members will also receive a second e-mail providing more context on the situation and advising why they have to reset passwords.
"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," said LinkedIn's Vicente Silveira in a blog post.
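The statement above draws the distinction that matters for a leak like this one: a table of unsalted, fast hashes reveals which accounts share a password and can be checked against precomputed digests, whereas a per-user random salt combined with a slow key-derivation function removes both properties. The following Python snippet, added here as an illustration and not code from LinkedIn or the article, builds both kinds of table over a constructed set of three users (two of whom chose the same password) and verifies a login against the salted form. The article does not name the hash algorithm involved; SHA-256 and PBKDF2-HMAC-SHA256 are used here as assumed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not real data). Note that alice and bob
# chose the same password, which is common in any large user base.
USERS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery staple",
}


def unsalted_hash(password: str) -> str:
    """Fast, unsalted digest: the same password yields the same hash for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).

    The iteration count is an assumed value for illustration; production
    deployments tune it to the hardware they run on.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_unsalted_table(users: dict) -> dict:
    """What a leaked 'hashed but unsalted' password database looks like."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_table(users: dict) -> dict:
    """Store (salt, digest) per user; the salt is not secret, only unique."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, salted_hash(pw, salt))
    return table


def count_shared_hashes(digests: list) -> int:
    """Number of entries whose digest also appears for at least one other entry.

    A non-zero result on a leaked table tells an attacker which accounts share
    a password and lets one guess confirm many accounts at once; salting
    drives this to zero even when the underlying passwords are identical.
    """
    seen = {}
    for d in digests:
        seen[d] = seen.get(d, 0) + 1
    return sum(n for n in seen.values() if n > 1)


def verify(stored: tuple, password: str) -> bool:
    """Constant-time check of a presented password against a (salt, digest) record."""
    salt, digest = stored
    return hmac.compare_digest(digest, salted_hash(password, salt))


if __name__ == "__main__":
    unsalted = build_unsalted_table(USERS)
    salted = build_salted_table(USERS)
    print("shared digests, unsalted:", count_shared_hashes(list(unsalted.values())))
    print("shared digests, salted:  ", count_shared_hashes([d for _, d in salted.values()]))
    print("alice login with correct password:", verify(salted["alice"], "Summer2012!"))
    print("alice login with wrong password:  ", verify(salted["alice"], "summer2012!"))
```

Running it shows two matching digests in the unsalted table and none in the salted one, which is exactly the difference between a dump that can be attacked in bulk and one where every account has to be worked on separately.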
In an earlier posting, Silveira advised LinkedIn members about updating their passwords and other security best practices.
Information security experts have advised all LinkedIn members to change their passwords as a precautionary measure and never to use the same password for multiple web services.
Anyone using the same login details for LinkedIn as they do on other sites is also advised to change their passwords on those sites.
"This is a timely reminder of the importance of good password practice. Duplication is a foolish habit," said Rob Cotton, chief executive at global information assurance firm NCC Group.
If a password is cracked through one site, he said, it can then be cross-checked against others, and those whose LinkedIn password is the same as their bank account or business login details are putting themselves, and their companies, at serious risk.
The fact that the leaked passwords are seven or eight months old, Cotton said, is a clear indication of the importance of changing a password regularly.
How to change LinkedIn passwords
- Log in to your LinkedIn account
- Hover over your name in the top right-hand corner of the screen, and select "Settings"
- You may be asked to re-enter your login details at this point
- On the next screen, click the "Account" button near the bottom of the page
- Under the "Email & Password" heading, you will find a link to change your password
"Using online password managers can offer an extra layer of security against ID fraud and remove the headache of juggling multiple passwords," said Andy Dancer, chief technology officer at security firm Trend Micro.