LinkedIn: No accounts hacked as result of stolen passwords

LinkedIn today updated its users on the stolen password fiasco that arose last week, in which 6.4 million passwords were illegally obtained and posted on a Russian Web site. According to a blog post from LinkedIn’s Vicente Silveira, the company has received no reports that member accounts have been breached as a result of the stolen passwords. Silveira also said that the company is working with the FBI to “aggressively pursue the perpetrators of this crime.”

“First, it’s important to know that compromised passwords were not published with corresponding email logins,” Silveira wrote. “At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves.”
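Silveira’s distinction between passwords that “remained hashed” and a “subset … decoded” turns on how the hashes were stored. The short Python example below is added here as an illustration and is not LinkedIn’s code or part of the original article; the article does not name the hashing scheme, so the unsalted SHA-1 list is a constructed assumption built from made-up passwords. It shows two things: a hash-only list with no e-mail addresses still lets anyone (a worried user, or someone holding a wordlist) test whether a given password is in it, which is exactly how a subset of such a list gets “decoded”; and a per-user salt with a slow key-derivation function removes that property, since equal passwords no longer share a digest and each test costs a full KDF run.

```python
import hashlib
import hmac
import os
from typing import Optional, Set, Tuple

# Constructed sample data (not from the actual leak): a few passwords that a
# site might have stored as unsalted SHA-1 digests. Assuming unsalted SHA-1 is
# an illustration only; the article does not say what LinkedIn used.
SAMPLE_PASSWORDS = ["password", "letmein", "Tr0ub4dor&3", "linkedin2012"]


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted digest: every user with this password gets the same hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Simulated "published list": digests only, no e-mail addresses, which matches
# what the article says was posted. A set gives O(1) membership tests.
PUBLISHED_HASHES: Set[str] = {unsalted_sha1(p) for p in SAMPLE_PASSWORDS}


def is_exposed(candidate: str, published: Set[str] = PUBLISHED_HASHES) -> bool:
    """Defender-side check: does the digest of *my* password appear in the list?

    No account or e-mail address is needed. The same membership test, fed from
    a wordlist instead of one user's password, is what turns 'hashed' entries
    into 'decoded' ones, so a hash-only leak is not a harmless leak.
    """
    return unsalted_sha1(candidate) in published


# Contrast: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here).
# With this scheme a published digest list cannot be checked the way above:
# no two users share a digest, and each guess costs `iterations` HMAC rounds.
ITERATIONS = 200_000


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_digests_collide(password: str) -> bool:
    """Two users who chose the same password: do their stored digests match?
    With random per-user salts the answer is no, so a leaked digest for one
    user says nothing about the other."""
    _, d1 = salted_hash(password)
    _, d2 = salted_hash(password)
    return d1 == d2


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: exposed in constructed list = {is_exposed(pw)}")
    salt, digest = salted_hash("password")
    print("salted verify ok:", verify_salted("password", salt, digest))
    print("salted digests collide:", salted_digests_collide("password"))
```

The practical takeaway for a user is that the published list was checkable without any e-mail address, so anyone who reused a password elsewhere should have rotated it regardless of whether their account was “hacked”; the takeaway for a site operator is that salting and a slow KDF are what keep a stolen hash list from being decoded at all.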

Interestingly, LinkedIn’s stock — a strong performer since its IPO last year — has continued to do well over the past five days despite the embarrassing breach.


  • Tswann01

    So we should feel better that only the hacker (and anyone they may have shared them with other than by posting) knows the email addresses associated with the passwords? Really?

    • http://twitter.com/locuslingua Jeremy Irish

      It says that the corresponding emails were not included with the passwords. So they have a bunch of (mostly) hashed passwords. That doesn’t forgive the lack of security but it does mean that it is a low likelihood that your account will get hacked. Unless your password is your email address ;)

      • http://threebrothers.org/brendan/ Brendan Ribera

        Of course the hackers wouldn’t publish the email addresses with the hashes — that would let anyone use the information. It’s hard to imagine a scenario in which the hackers could get the hashes but not the email addresses. The presumption *must* be that the hackers have both.

        • http://twitter.com/locuslingua Jeremy Irish

          Except that LinkedIn said the hackers didn’t have the emails. Read the blog post.

          • http://threebrothers.org/brendan/ Brendan Ribera

            No, that is not what they said. Their exact wording is that the passwords “were not published with corresponding email logins.” This is just semantic quibbling. Who did the publishing? The hackers, duh. Did the hackers publish everything? Unknown!

            LinkedIn’s release is, of course, full of spin. If they actually knew that no email addresses were stolen, they’d say so directly instead of simply referring to what has been published.