If you have a LinkedIn profile, go change your password right now: A reported 6.5 million hashed and otherwise encrypted LinkedIn passwords have leaked onto the Web. And yours could be one of them.
Unfortunately for the professional social network (and its users), the massive security breach isn't the only bad news. The LinkedIn iOS app has also come under fire for sending users' full meeting notes and calendar details to the company in plain text, without any encryption.
LinkedIn password leak
The massive password leak, first reported by Norwegian technology site Dagens IT and later confirmed by other cybersecurity experts, occurred two days ago, when someone posted the cache of encrypted passwords to a "Russian hacker website." The poster asked that other users help decrypt the passwords. The leak was confirmed by security expert Per Thorsheim, who spoke with Dagens IT and warned users of the breach via Twitter.
In a tweet, LinkedIn indicated that it is "currently looking into reports of stolen passwords," and will update users shortly.
At the time of this writing, some 300,000 of the 6.5 million encrypted passwords have been cracked, meaning those users are now vulnerable to a variety of attacks. But that number is sure to rise as more hackers take a stab at the list.
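Why a leaked list of hashed passwords gets cracked this quickly, and what a site can do to slow it down, as an added example that is not part of the article and not LinkedIn's code. The article does not say how LinkedIn hashed its passwords; the weak side of the example assumes a fast, unsalted SHA-1 hash, and the stronger side uses a per-user random salt with PBKDF2-HMAC-SHA256 from Python's standard library. The wordlist and the "leaked" entries are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist: a few weak passwords of the kind found in any
# common-password list. Nothing here comes from the real leaked data.
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty"]

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware gets faster


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted hash (assumed weak scheme): every user who picks the
    same password ends up with exactly the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked: set[str], wordlist) -> dict[str, str]:
    """Match a set of leaked unsalted digests against a wordlist.
    One hash computation per candidate word is compared against every
    leaked entry at once, which is why a dump like this falls so fast."""
    found = {}
    for word in wordlist:
        digest = unsalted_sha1(word)
        if digest in leaked:
            found[digest] = word
    return found


def salted_slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Per-user salt plus an iterated KDF: the same password yields a
    different stored value for every user, and each guess costs
    `iterations` HMAC evaluations instead of one SHA-1."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(password: str, salt: bytes, stored: str, iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(salted_slow_hash(password, salt, iterations), stored)


def demo_unsalted() -> list[str]:
    """Constructed 'leak': three accounts, two of which chose 'password'.
    Both fall to a single wordlist hit; the passphrase is not in the list."""
    leaked = {unsalted_sha1(p) for p in ("password", "password", "correct horse battery staple")}
    cracked = crack_unsalted(leaked, WORDLIST)
    return sorted(cracked.values())


def demo_salted() -> bool:
    """Two accounts with the same password get unrelated stored values,
    so cracking one reveals nothing about the other, and each guess is slow."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    stored_a = salted_slow_hash("password", salt_a)
    stored_b = salted_slow_hash("password", salt_b)
    return (
        stored_a != stored_b
        and verify("password", salt_a, stored_a)
        and not verify("Password", salt_a, stored_a)
    )


if __name__ == "__main__":
    print("cracked from unsalted dump:", demo_unsalted())
    print("salted scheme behaves as expected:", demo_salted())
```

The practical takeaway for a site operator is the second half: with a per-user salt, precomputed lookups and shared hits across users stop working, and the iteration count turns each guess from a nanosecond operation into a measurable cost. For users, none of this changes the advice above: once a hash list is public, the only safe assumption is that the password behind it will eventually be recovered, so it should be changed everywhere it was reused.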
LinkedIn currently has more than 150 million users, so it's not guaranteed that your account is compromised, though it would be prudent to assume as much. Furthermore, breaches like this often result in a wave of scam emails, posing as messages from LinkedIn about the breach, so be wary of any emails that appear to have come from the social network. It's best to simply log into the site directly by typing the address into your browser, and change your password from there.
iOS app privacy concerns
Before news of the password leak landed on LinkedIn's doorstep early this morning, The Next Web reported that the service's iOS app for iPhone and iPad sends a variety of information, including meeting notes and other details, to LinkedIn's servers in plain text, an insecure way to transfer data. The information is only relayed if users have the calendar viewing feature enabled.
The potentially problematic practice of sending private data in plain text to LinkedIn's servers was uncovered by Israeli security researchers Yair Amit and Adi Sharabani of Skycure Security.
LinkedIn has since responded to The Next Web report, confirming the practice, though the company says that it does not "store any calendar information on its servers," nor does it "share or use your calendar data for purposes other than matching it with relevant LinkedIn profiles." The company also said that it "will no longer send data from the meeting notes section of your calendar event," given that this part of the practice seemed the most troublesome to users. Email addresses, names, meeting subject, and location will still be sent to LinkedIn.