Networking site LinkedIn posted an update Saturday on the progress of the investigation into the theft of user passwords last week. In a blog post, Principal Product Manager Vicente Silveira stated that all users whose accounts were believed to be at risk have been notified.
“By the end of Thursday, all passwords on the published list that we believed created risk for our members, based on our investigation, had been disabled. … After we disabled the passwords, we contacted members with instructions on how to reset their passwords,” Silveira wrote.
He also added that there have been no reports of unlawful access to any of the affected accounts, and the company is continuing to work with the FBI in pursuit of those responsible for the breach.
Going forward, Silveira wrote that LinkedIn's password database is now both hashed and salted, providing two layers of protection, and that the security team will be “releasing additional enhancements to better protect [their] members.” He was not specific about what other security “enhancements” would be implemented.
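The following illustration is added here and is not from the article or from LinkedIn; it uses constructed member data and a constructed guess list. It shows why a per-member salt is a second layer on top of hashing: a single precomputed table matches every unsalted hash at once, but never matches salted hashes, while legitimate logins still verify.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the article): two members chose the same password.
MEMBERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "correct horse battery"}
# Constructed list of common guesses, standing in for a precomputed lookup table.
COMMON_GUESSES = ["password", "linkedin2012", "123456"]

def unsalted_hash(password: str) -> str:
    """Hash of the password alone: equal passwords always yield equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Per-member random salt mixed in through a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def build_unsalted_store(members: dict) -> dict:
    return {name: unsalted_hash(pw) for name, pw in members.items()}

def build_salted_store(members: dict) -> dict:
    store = {}
    for name, pw in members.items():
        salt = os.urandom(16)  # fresh random salt for every member
        store[name] = (salt, salted_hash(pw, salt))
    return store

def lookup_table_matches(unsalted_store: dict, guesses: list) -> dict:
    """One precomputed table of hash(guess) is compared against every member at once.
    This is the exposure a published list of unsalted hashes creates."""
    table = {unsalted_hash(g): g for g in guesses}
    return {name: table[h] for name, h in unsalted_store.items() if h in table}

def salted_table_is_useless(salted_store: dict, guesses: list) -> bool:
    """The same precomputed table never matches a salted store: each member's
    hash depends on a salt that could not be known when the table was built."""
    table = {unsalted_hash(g) for g in guesses}
    return not any(h in table for _, h in salted_store.values())

def verify(salted_store: dict, name: str, attempt: str) -> bool:
    """Legitimate login check: recompute with the stored salt and compare in constant time."""
    salt, stored = salted_store[name]
    return hmac.compare_digest(salted_hash(attempt, salt), stored)
```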
As the company addresses the breach, which included 6.5 million LinkedIn passwords, it is also trying to reestablish confidence with its users. However, according to Cameron Camp, a security researcher at antivirus vendor ESET, that effort is already being challenged by a recent email phishing scam posing as LinkedIn and asking users to confirm their passwords.
“We are investigating the exact details but in the meantime, please DO NOT CLICK on links in email to change or verify account information at LinkedIn.com or on any other membership site,” wrote Camp in a blog post on the password leak. He suggested navigating to the site by typing the address directly into the browser.
Camp added that they have not confirmed whether this is a coordinated scam designed to leverage the breach, or if the timing is just a coincidence.
“Sadly, we are likely to see more of these emails as LinkedIn tries to rebuild trust among members,” he said.
Both the LinkedIn and ESET blogs included a suggestion that users who have not been affected should also change their passwords as a best practice. According to Camp, creating a new and unique password every few months is a good idea for all the sites you access.
It is especially critical for LinkedIn, he argued, because that account probably contains more important and accurate information related to your professional life, compared to more social sites such as Facebook. As a result of the nature of the network and its notification system, he said, “mess with somebody’s professional profile on LinkedIn, and you’re messing with their life, and their contacts know about it.”