LinkedIn password leak "could be" larger than first feared

News 7 Jun, 2012

Lack of "easy and duplicate" passwords on leaked list could mean more than 6.5 million LinkedIn users have been hit by breach, claims Imperva.

Social networking site LinkedIn has confirmed that some of its members’ passwords have been leaked online, but has shed no light on how many users may have been affected.

As reported by IT Pro yesterday, it has been claimed that nearly 6.5 million passwords belonging to LinkedIn members had been posted on a Russian web forum.

To put this figure into context, as of 31 March 2012, the social networking site had 161 million users across the globe, including 9 million in the UK.

In a LinkedIn blog post, one of the site’s directors, Vicente Silveira, confirmed that some of the compromised passwords belong to LinkedIn members’ accounts.

However, he stopped short of saying how many matching passwords were found or where the users they belong to might be located.

He did confirm, though, that affected users should find that their LinkedIn account passwords no longer work, and said they will be emailed details about how to reset them.

“We sincerely apologise for the inconvenience this has caused our members,” he wrote. “We take the security of our members very seriously.”

Meanwhile, security vendor Imperva claims the LinkedIn breach could be far bigger than initially thought, as the leaked list does not feature “easy” passwords.

“The files do not contain easy to crack passwords such as ‘123456’ that are traditionally the most common choice of passwords,” said the firm in a statement.

“Most likely, the hacker has figured out the easy passwords and needs help with less common ones...[meaning] many of the passwords haven’t been revealed.”

The company has pointed out that each password is “typically” listed only once, which also suggests the breach might exceed initial estimates.

“In other words, the list doesn’t reveal how many times a password was used by the consumers. This means that a single entry in this list can be used by more than one person,” it said.

“For reference, in the RockYou hack, the 5,000 most popular passwords were used by a share of 20% of the users. We believe that to be the case here as well, another indicator that the breach size exceeds 6.5 million.”
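Imperva’s two indicators (a deduplicated list hides repeat users; a few thousand popular passwords cover a large share of accounts) can be checked on constructed data. The following is an added illustration, not code from the article or from Imperva; it assumes a Zipf-like password frequency distribution and uses placeholder password strings, not any leaked values.

```python
"""Why a deduplicated leak undercounts victims (constructed data, not the real list)."""
from collections import Counter


def zipf_population(n_distinct: int, top_count: int, exponent: float = 1.0) -> Counter:
    """Constructed user base: the password at rank r is used by about
    top_count / r**exponent accounts (Zipf-like; an assumption, not a measurement).
    Password strings are placeholders pw1, pw2, ... rather than real passwords."""
    pop: Counter = Counter()
    for rank in range(1, n_distinct + 1):
        pop[f"pw{rank}"] = max(1, round(top_count / rank ** exponent))
    return pop


def dedup_leak(pop: Counter) -> list:
    """What a leaked file looks like when each password is 'listed only once':
    one entry per distinct password, with no count of how many accounts used it."""
    return sorted(pop)


def breach_stats(pop: Counter, top_k: int) -> dict:
    """Compare the visible entry count with the real number of affected accounts,
    and measure how much of the user base the top_k most common passwords cover."""
    users = sum(pop.values())
    unique = len(pop)
    top_users = sum(count for _, count in pop.most_common(top_k))
    return {
        "users": users,                      # accounts actually affected
        "unique_entries": unique,            # what the deduplicated list shows
        "hidden_by_dedup": users - unique,   # victims invisible in the file
        "top_k_share": top_users / users,    # fraction of users on popular passwords
    }


if __name__ == "__main__":
    # Constructed base: 1,000 distinct passwords, the most common used 1,000 times.
    population = zipf_population(n_distinct=1000, top_count=1000)
    leaked = dedup_leak(population)
    stats = breach_stats(population, top_k=10)
    print(f"entries in leaked list : {len(leaked)}")
    print(f"accounts really affected: {stats['users']}")
    print(f"hidden by deduplication: {stats['hidden_by_dedup']}")
    print(f"share on top-10 passwords: {stats['top_k_share']:.0%}")
```

Under this distribution the deduplicated file shows only a fraction of the affected accounts, which is the effect Imperva describes; the real multiplier depends on the true password distribution, which the list alone cannot reveal.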