Social network LinkedIn acknowledged that it has reached out to law enforcement to investigate how approximately 6.5 million passwords were exposed and posted on a Russian hacker site.
In an update on the incident Thursday, LinkedIn said it would notify additional users. The company did not say how it suspects the passwords leaked or whether its systems were breached. In a blog post, Vicente Silveira, principal product manager at LinkedIn, apologized for the inconvenience the leaked password incident caused its members.
“We are also actively working with law enforcement, which is investigating this matter,” Silveira wrote. “To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event.”
Silveira said the company is disabling additional accounts and will reach out to the additional account holders that it determines “could potentially be affected.”
“Our first priority was to lock down and protect the accounts associated with the decoded passwords that we believed were at the greatest risk,” Silveira wrote.
The passwords were posted to the Russian site on Tuesday. They were hashed but not salted; a per-password salt is an additional safeguard that security experts say is necessary for adequate protection, because without it every user who chose the same password ends up with the same stored hash. In addition to LinkedIn, dating site eHarmony invalidated some of its member passwords, alerting those members via email to update their credentials. The company said that a small subset of the leaked passwords belonged to its users. Radio streaming service Last.fm also issued a password alert, acknowledging that some of its user account passwords were included in the dump.
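To show what "hashed but not salted" means for the accounts in a dump like this, here is an added example that is not from the article or from any of the companies it names. The account table is constructed, and SHA-1 for the unsalted case is an assumption (the article does not name the hash); the salted version uses PBKDF2 from Python's standard library.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; several share a password, which is common in practice.
ACCOUNTS = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
    "dave": "hunter2",
}


def unsalted_sha1(password: str) -> str:
    """Unsalted hash: the same password always yields the same digest.
    SHA-1 is an assumption here; the article only says the hashes were unsalted."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def group_by_digest(accounts: dict) -> dict:
    """Why unsalted storage is weak: identical digests reveal which accounts
    share a password, so recovering one digest recovers all of those accounts."""
    groups = defaultdict(list)
    for user, password in accounts.items():
        groups[unsalted_sha1(password)].append(user)
    return dict(groups)


ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def store_salted(password: str) -> dict:
    """Salted, iterated hash: a random per-user salt makes every record unique
    (no shared digests, no reusable precomputed table) and iterations slow guessing."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_salted(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])


if __name__ == "__main__":
    for digest, users in group_by_digest(ACCOUNTS).items():
        print(digest, "shared by", users)
    rec_a, rec_b = store_salted("hunter2"), store_salted("hunter2")
    print("salted records differ:", rec_a["digest"] != rec_b["digest"])
    print("verify ok:", verify_salted(rec_a, "hunter2"), "wrong:", verify_salted(rec_a, "hunter3"))
```

Run it and the unsalted table collapses to two digests, one of them shared by three accounts, while the two salted records for the same password differ and still verify.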
Facebook notifies potential password leak victims
A Facebook spokesperson said the social network is warning users who may be affected by the credential leak. The spokesperson did not say whether it had to restrict any victims from accessing their accounts.
“We have spent time investigating the information, as we do with every known credential leak, and are in the process of warning users who may be at risk as a result of sharing passwords between sites,” the spokesperson said.
Facebook validates every login to its site, whether or not the password is correct, to check for malicious activity. The company’s security team also analyzes traffic for anomalies that could signal malware or a hijacked account.
“People can protect themselves by never clicking on strange links and reporting any suspicious activity they encounter on Facebook,” the spokesperson said.
Google did not reset or invalidate any user accounts protected by passwords associated with the leak. A Google spokesperson provided a link to guidance it had posted for Google+ users, explaining common password best practices and the security features the company provides. The company urges users to employ a strong, unique password for Gmail that isn’t used on any other website. Users can also enable Google’s 2-step verification feature for extra protection.