Maybe LinkedIn (NYSE: LNKD) should change its name to LeakedIn. On Wednesday, the business networking site said it is investigating a post on a Russian forum whose author claims he hacked LinkedIn, uploading 6,458,020 hashed passwords to the site as proof.
"Our team is currently looking into reports of stolen passwords," the company tweeted on Wednesday morning. "Stay tuned for more."
This hacking claim comes just hours after the company officially responded to alleged privacy issues in its iOS app, after Skycure Security discovered that LinkedIn automatically sends user calendar entries to its servers, including the subject, location, and time of the meeting, as well as the meeting notes.
"You may have seen a few press stories highlighting concerns about how your data is used in the opt-in calendar feature of our mobile phone apps," said Joff Redfern, LinkedIn's mobile product head. "For those not familiar with our calendar feature, with your permission, we sync with your mobile device's calendar to provide information about the people you are about to meet by showing you their LinkedIn profile. ... That information is sent securely over SSL and we never share or store your calendar information."
LinkedIn has been swift to respond to these issues -- at least on its company blog and on its Twitter account -- but the company needs to post these notes on its homepage. As it stands, LinkedIn is being extremely irresponsible in not telling people that they need to change their passwords.
That reminds me: If you have a LinkedIn account, you need to change your password now. This claim, if it turns out to be legitimate -- which it appears to be -- would be a serious breach of security. The Russian forum user did not post any email addresses, as they appeared encrypted and unreadable, but Finnish security firm CERT-FI warns that hackers may still have access. If you use this password with any other account, it's best to change it there now, too.
LinkedIn hashes its passwords using an algorithm called SHA-1, which tech experts consider to be highly secure. Even though some complex passwords could take longer to crack, many of the 300,000 weaker passwords on LinkedIn -- those that use less variety, such as mixing in numbers, symbols, and uppercase and lowercase letters -- have likely been cracked already.
One reader from ZDNet said they searched and discovered their own password in the Russian forum user's uploaded cache. Other reports are still coming in.
LinkedIn, which went public on May 19, 2011, began its first day of trading at $93 a share. The shares hit an intraday low of $91.60 on Wednesday. Assuming LinkedIn makes an official announcement about the leaks this afternoon, the shares could tumble. Nobody's fond of a leaky ship, and two leaks in one day might be too big a pill to swallow for investors.
LinkedIn has more than 150 million users worldwide, many of whom are not too pleased right now.
Our team is currently looking into reports of stolen passwords. Stay tuned for more.
— LinkedIn (@LinkedIn) June 6, 2012