LinkedIn password leak "could be" larger than first feared

News
By
published

Lack of "easy and duplicate" passwords on leaked list could mean more than 6.5 million LinkedIn users have been hit by breach, claims Imperva.

Linkedin logo

Social networking site LinkedIn has confirmed that some of its members' passwords have been leaked online, but has shed no light on how many users may have been affected.

As reported by IT Pro yesterday, it has been claimed that nearly 6.5 million passwords belonging to LinkedIn members had been posted on a Russian web forum.

To put this figure into context, as of 31 March 2012, the social networking site had 161 million users across the globe, including 9 million in the UK.

In a LinkedIn blog post, one of the site's directors, Vicente Silveria, confirmed that some of the compromised passwords belong to LinkedIn members' accounts.

However, he stopped short of saying how many matching passwords were found or where the users they belong to might be located.

He did confirm, though, that affected users should find that their LinkedIn account passwords no longer work, and said they will be emailed details about how to reset them.

"We sincerely apologise for the inconvenience this has caused our members," he wrote. "We take the security of our members very seriously."

Meanwhile, security vendor Imperva claims the LinkedIn breach could be far bigger than initially thought, as the leaked list does not feature "easy" passwords.

"The files do not contain easy to crack passwords such as 123456' that are traditionally the most common choice of passwords," said the firm in a statement.

"Most likely, the hacker has figured out the easy passwords and needs help with less common ones...[meaning] many of the passwords haven't been revealed."

The company has pointed out that each password is "typically" listed only once, which also suggests the breach might exceed initial estimates.

"In other words, the list doesn't reveal how many times a password was used by the consumers. This means that a single entry in this list can be used by more than one person," it said.

"For reference, in the RockYou hack, the 5,000 most popular passwords were used by a share of 20% of the users. We believe that to be the case here as well, another indicator that the breach size exceeds 6.5 million."

Caroline Donnelly
Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.