MOUNTAIN VIEW (CBS/AP) – Business social network LinkedIn has confirmed that passwords have been stolen and leaked onto the Internet, but did not indicate that the number was more than 6 million, as had been reported.
Mountain View-based LinkedIn confirmed that user data had been compromised, and researchers at U.K. Web security company Sophos say they have confirmed that a file posted online does contain, in part, LinkedIn password “hashes.” That’s a way of encrypting or storing passwords in a different form.
Graham Cluley, a consultant with Sophos, recommended that LinkedIn users change their passwords immediately.
LinkedIn has a lot of information on its more than 160 million members, including potentially confidential information related to jobs being sought. Companies, recruiting services and others have accounts alongside individuals who post resumes and other professional information.
In a blog posting Wednesday afternoon, CNET Director Vicente Silveira said members with compromised passwords would find that their existing password would not work. Silveira said that affected users would be receiving email notifications with information on resetting the password. No links will be included in the email, according to the post.
There’s added concern that many people use the same password on multiple websites, so whoever stole the data could use the information to access Gmail, Amazon, PayPal and other accounts, Cluley said.
Cluley said hackers were working together to break the encryption on the passwords.
“All that’s been released so far is a list of passwords and we don’t know if the people who released that list also have the related email addresses,” he said. “But we have to assume they do. And with that combination, they can begin to commit crimes.”
It wasn’t known who was behind such an attack.
Cluley also warned that LinkedIn users should be careful about malicious email generated around the incident. The fear is that people, after hearing about the incident, would be tricked into clicking on links in those emails. Instead of reaching the real LinkedIn site to change a password, they would be sent to a scammer, who can then collect the information and use it for criminal activities.
(Copyright 2012 by CBS San Francisco. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed.)