SAN JOSE, Calif. — A hacker claimed that he obtained more than 6 million LinkedIn passwords, leading the Mountain View, Calif., professional-networking service to investigate Wednesday whether its users’ information has been stolen.
A user uploaded almost 6.5 million password hashes to a Russian Web forum, claiming that they were from LinkedIn; according to media reports, many of the passwords that had already been cracked contained the word "linkedin". The list uploaded to the forum did not include user names, but that does not mean whoever extracted the hashes did not also obtain the email addresses that match those accounts.
A tweet from an official LinkedIn account at about 9 a.m. EDT stated, "Our team is currently looking into reports of stolen passwords. Stay tuned for more." Nearly two hours later, another tweet said that LinkedIn had not been able to confirm a security breach, though the investigation was continuing.
The uploaded passwords are hashed rather than stored in the clear, and the hacker who uploaded them was reportedly seeking assistance in cracking them. But the British Web security consultant who originally detailed the posted passwords said an investigation showed the hashes to be legitimate, and suggested that LinkedIn customers change their passwords immediately.
The consultant, Graham Cluley of web security company Sophos, wrote in his original blog post that "although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals."
Some users also reported on Twitter that they had found the hashes of their own passwords on the list.
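How a user could find their own password in such a list, and why a poster would ask strangers for help "unlocking" it, both come down to the same property: an unsalted hash of a password is the same for everyone, so anyone holding the list can hash a candidate and look it up. The script below is an added example, not code from the article or from LinkedIn; it assumes unsalted SHA-1 (the article does not name the hash function), and the "leaked" hashes are constructed inline from a few sample passwords rather than taken from any real dump. The salted variant at the end shows what the same check looks like when each hash carries its own salt.

```python
import hashlib
import os

# Constructed sample: hashes of a few weak passwords, standing in for a
# leaked hash list. These are NOT from the LinkedIn dump.
SAMPLE_PASSWORDS = ["linkedin1", "password", "letmein", "Tr0ub4dor&3"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, hex-encoded (assumed hash scheme for this example)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# The "leak": hashes only, no user names, as the article describes.
LEAKED_HASHES = frozenset(sha1_hex(p) for p in SAMPLE_PASSWORDS)


def password_in_dump(password: str, hashes=LEAKED_HASHES) -> bool:
    """Self-check: hash your own password and see whether it is on the list.

    Because the hashes are unsalted, this is one hash and one set lookup,
    which is exactly what users on Twitter were doing by hand.
    """
    return sha1_hex(password) in hashes


def mangle(word: str) -> set:
    """A few common password mutations; real crackers use far larger rule sets."""
    return {word, word.capitalize(), word + "1", word + "123", "linkedin" + word}


def crack(hashes, wordlist) -> dict:
    """Offline dictionary attack against an unsalted hash list.

    Each candidate is hashed once and tested against every leaked hash at
    the same time, so cost scales with the wordlist, not with the number of
    victims. Returns {hash: recovered_password}.
    """
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            h = sha1_hex(candidate)
            if h in hashes and h not in found:
                found[h] = candidate
    return found


def salted_sha1_hex(salt: bytes, password: str) -> str:
    """Per-user salt prepended to the password (assumed scheme, for contrast)."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def salted_dump(passwords):
    """Build a salted list: (salt, hash) pairs with a fresh random salt each."""
    records = []
    for p in passwords:
        salt = os.urandom(16)
        records.append((salt, salted_sha1_hex(salt, p)))
    return records


def crack_salted(records, wordlist) -> dict:
    """Same dictionary attack against salted hashes: every candidate must be
    re-hashed once per record, so the work multiplies by the victim count and
    a shared lookup table is useless."""
    found = {}
    for salt, h in records:
        for word in wordlist:
            for candidate in mangle(word):
                if salted_sha1_hex(salt, candidate) == h:
                    found[h] = candidate
    return found


if __name__ == "__main__":
    print("linkedin1 on list:", password_in_dump("linkedin1"))
    hits = crack(LEAKED_HASHES, ["linkedin", "password", "letmein"])
    print("cracked", len(hits), "of", len(LEAKED_HASHES), "unsalted hashes")
    salted = salted_dump(SAMPLE_PASSWORDS)
    print("cracked", len(crack_salted(salted, ["linkedin", "password", "letmein"])),
          "of", len(salted), "salted hashes, at", len(salted), "x the hashing work")
```

The point the self-check and the attack share is the absence of a salt: the same precomputed hash serves both the victim looking for their own entry and the attacker looking for everyone's. That is also why changing the password is the right response even before the breach is confirmed; once the hash is public, the only question is how long the dictionary attack takes.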
Marcus Carey, a security researcher at Boston-based Rapid7, told Reuters he was "highly confident" that hackers had wormed their way inside LinkedIn’s network for several days, based on his analysis of the data posted on the forums.
"While LinkedIn is investigating the breach, the attackers may still have access to the system," Carey warned. "If the attackers are still entrenched in the network, then users who have already changed their passwords may have to do so a second time."
LinkedIn claimed more than 161 million users at the end of its most recent quarter, on March 31, and said at the time that two new members were signing up every second.