Hackers Steal 6.5 Million Passwords using LinkedIn’s iOS App

Hackers Steal 6.5 Million Passwords using LinkedIn's iOS App; Fix Submitted to the Apple Store

LinkedIn, the professional networking service, recently announced privacy policy changes that the company was putting into effect on June 7. "we're planning to update our Privacy Policy and User Agreement to provide you greater control over your data with further clarity on our terms," the company wrote in a June 1st blog post.

Shortly before that, the website ran into a privacy issue, with reports that hackers had stolen more than 6.5 million account credentials.

Around 6.5 million encrypted LinkedIn passwords were recently posted to a Russian hacker site, according to the Norwegian website Dagens. In a blog post acknowledging the breach, LinkedIn confirmed that many of those passwords have now been decrypted: "We want to provide you with an update on this morning's reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," posted Vicente Silveira.

LinkedIn 6.5 Million Passwords Hacked

Security research firm Imperva notes that the number of compromised passwords could be far higher than the 6.5 million initially reported. "We believe the size of the breach is much bigger than the 6.5M accounts," wrote Imperva researcher Rob Rachwald. "Most likely, the hacker has figured out the easy passwords and needs help with less common ones, so the hacker only published the more complicated ones. Most likely, many of the passwords haven't been revealed."

"The list doesn't reveal how many times a password was used by the consumers. This means that a single entry in this list can be used by more than one person," wrote Rachwald.

Separately, researchers from Skycure accused LinkedIn's iOS app of secretly collecting users' data. Researchers Yair Amit and his colleague Adi Sharabani found that the problem affects users who enable the feature that lets them view their iOS calendar within the app.

"The app doesn't only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes," the researchers wrote. They said they had informed LinkedIn about the risk of obtaining user details without permission, but the issue had not yet been fixed.

Responding to the report, LinkedIn's mobile product manager Joff Redfern wrote that the app feature had been intended to provide a better calendar service for its users. "We do not store any calendar information on our servers," he said. "We do not share or use your calendar data for purposes other than matching it with relevant LinkedIn profiles." And, he added, "We do not under any circumstances access your calendar data unless you have explicitly opted in to sync your calendar."

Redfern promised to update the app: "We will no longer send data from the meeting notes section of your calendar event. And, there will be a new 'learn more' link to provide more information about how your calendar data is being used," he said.

These improvements are live on Android now and have been submitted to the Apple App Store, where they will be available shortly.

Update: In a June 8 blog entry, LinkedIn said that it is working closely with the FBI as it aggressively pursues the perpetrators of this crime. "We want to be as transparent as possible while at the same time preserving the security of our members without jeopardizing the ongoing investigation," wrote Vicente Silveira.

Silveira insists, "... we have no reports of member accounts being breached as a result of the stolen passwords." He adds: "At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded."

He notes that if a user's password has not been disabled, "based on our investigation, we do not believe your account is at risk."

The entry also notes that LinkedIn has built a world-class security team that includes experts such as Ganesh Krishnan, formerly VP and CIO at Yahoo!, who reports directly to LinkedIn's SVP of operations, David Henke.

"Under this team's leadership, one of our major initiatives was the transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords, i.e. provided an extra layer of protection that is a widely recognized best practice within the industry. That transition was completed prior to news of the password theft breaking on Wednesday. We continue to execute on our security roadmap, and we'll be releasing additional enhancements to better protect our members," Silveira stated.
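An added illustration, not from the article or from LinkedIn, of the difference Silveira describes: with hash-only storage, two members who chose the same password get the same digest, so a single entry in a leaked list can cover several accounts (Rachwald's point above), whereas a per-user random salt gives every record a distinct digest while verification still works. The user names, passwords and the choice of hash functions are constructed for the example; the article does not state which algorithm LinkedIn used.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample member table; two members happen to share a password.
USERS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery staple",
}


def unsalted_hash(password: str) -> str:
    """One layer of encoding: hash only. Identical passwords -> identical digests.
    SHA-256 is used here purely for illustration."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> tuple:
    """Hash plus per-user random salt (PBKDF2-HMAC-SHA256, 200k iterations).
    Returns (salt_hex, digest_hex); both are stored with the account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt.hex(), digest.hex()


def verify(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def duplicate_digest_count(records: dict) -> int:
    """Number of accounts whose digest is shared with at least one other account.
    In an unsalted table this is how much one leaked entry can fan out."""
    counts = {}
    for digest in records.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(n for n in counts.values() if n > 1)


def build_tables() -> tuple:
    """Return (unsalted table, salted table) for the sample members."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    return unsalted, salted
```

Running `build_tables()` and `duplicate_digest_count()` on the unsalted table reports two accounts sharing a digest; the salted table reports none, and `verify()` still accepts the correct password for each member.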