Many sources are reporting today that LinkedIn passwords belonging to about 5% of users (6.5 million out of 150 million LinkedIn users worldwide) may have leaked online. A hacker has posted a 118 Mb file of the hashed passwords to a Russian forum, and fellow hackers have begun cracking the hashes. The forum is currently offline. It looks as though some of the weaker 300,000 passwords may have been cracked already. LinkedIn has so far found no evidence of a password leak. The passwords are hashed with the SHA-1 cryptographic hash function, which is also used in SSL and TLS. Here are LinkedIn’s responses:
To be safe, change your LinkedIn password ASAP. As always, it’s better to be safe about these things. It’s also unclear whether the hackers got hold of LinkedIn usernames.
1. To change your LinkedIn password, log in to your account.
2. Click on your name in the upper right corner and then click on the link for Settings.
3. In the Settings section, click on the Change link next to Password.
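Why a file of SHA-1 password hashes matters even without usernames, shown as an added example (not code from LinkedIn or from this post): it assumes the leaked values are bare, unsalted SHA-1 digests, which the post does not specify, and uses PBKDF2-HMAC-SHA256 from Python's standard library as one hardened alternative. The account names, passwords, wordlist and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (hypothetical); two users picked the same weak password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "T7#vq9!mLz-Rk2"}
WEAK_WORDLIST = ["password", "123456", "linkedin2012"]  # constructed
ITERATIONS = 600_000  # assumed work factor for this example

def sha1_record(password):
    """Weak form: bare SHA-1 hex digest, no salt (assumed layout of the leaked file)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def kdf_record(password, salt=None):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key

def kdf_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    return hmac.compare_digest(kdf_record(password, salt)[1], key)

def exposed_by_precomputation(sha1_table, wordlist):
    """Accounts whose unsalted digest appears in one precomputed wordlist table."""
    precomputed = {sha1_record(word) for word in wordlist}
    return sorted(user for user, digest in sha1_table.items() if digest in precomputed)

def build_tables(users):
    """Store the same passwords both ways so the two tables can be compared."""
    sha1_table = {u: sha1_record(p) for u, p in users.items()}
    kdf_table = {u: kdf_record(p) for u, p in users.items()}
    return sha1_table, kdf_table

if __name__ == "__main__":
    sha1_table, kdf_table = build_tables(USERS)
    print("alice and bob share a SHA-1 digest:", sha1_table["alice"] == sha1_table["bob"])
    print("exposed by one precomputed list:",
          exposed_by_precomputation(sha1_table, WEAK_WORDLIST))
    print("alice and bob share a salted record:", kdf_table["alice"] == kdf_table["bob"])
    print("alice still verifies:", kdf_verify("linkedin2012", kdf_table["alice"]))
```

With unsalted SHA-1, every account that chose a listed password falls to a single precomputed table; with per-user salts the same table matches nothing, and each guess has to be recomputed per account at the full iteration cost.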
In other news, LinkedIn’s iOS app potentially violates user privacy by sending detailed calendar entries to its servers. According to LinkedIn’s mobile app head Joff Redfern:
In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles. That information is sent securely over SSL and we never share or store your calendar information.
In an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes.
The company has already promised that it will no longer pick up meeting notes from your calendar and that it will add a “learn more” link to explain how your calendar data is being used.
PortalGuard is a context-based authentication platform focused on enhancing usability, while maintaining a balance between security, auditing and compliance.