Internet forums are currently circulating a list containing over six million password hashes which allegedly originate from LinkedIn. The passwords are being cracked collaboratively with about 300,000 passwords already published as plaintext.

The list contains bare SHA-1 hashes with no names or email addresses. Even once cracked, the passwords therefore do not directly give access to the corresponding accounts. However, it is probable that the person who captured the hashes also has the matching email addresses. In an initial sampling, The H's associates at heise Security didn't find any known LinkedIn passwords in the list, but with over 160 million members that doesn't mean a lot. Many of the already cracked passwords contain "linked" or even "linkedin", for example "lawrencelinkedin". This suggests that the passwords actually come from the LinkedIn social network, although this has not yet been confirmed.

The shocking reality is that even passwords such as "parikh093760239", "a06v1203n08" and "376417miata?" have already been cracked. This is because the hashes were evidently generated without a salt. Unsalted hashes are easy targets for precomputed rainbow tables, and every candidate guess can be tested against all six million hashes at once, so even passwords believed to be strong can fall within a few hours. For what a server administrator needs to do to prevent this, read the article Storing passwords in uncrackable form at The H Security.

Whatever the case, you cannot rely on your own password remaining uncracked, so if you have a LinkedIn account, you should change the password as soon as possible. Do the same for every other service where you used the same password, or a minor variation of it, as on LinkedIn.

Update (6/6/2012 17:46) - LinkedIn has confirmed that it is investigating the incident. In the meantime, several reputable sources have said that they have found their LinkedIn passwords in that list; it can therefore be assumed that the social network's operator actually does have a problem.

Pages are already appearing on the internet that prompt you to enter your password to verify whether you are affected; these are phishing sites. Waves of spam email are also to be expected that call on you to change your password via a link to a LinkedIn-impersonating phishing site. Instead of following such links, type the LinkedIn URL yourself (linkedin.com) or use a stored bookmark to visit the site and change your password.
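As an added illustration of the two points above (example code written for this revision, not code from The H or from LinkedIn), the script below builds a constructed, unsalted SHA-1 "leak" of three made-up passwords, cracks it with a small wordlist plus the kind of mangling rules ("linkedin", "123", a year and a trailing symbol) that recovered entries like "lawrencelinkedin", and then repeats the attack against a store with a random salt per account and an iterated hash (PBKDF2-HMAC-SHA1, an assumed hardened scheme, run with one round here purely so the demo finishes in seconds). It also shows how to test whether one of your own passwords appears in a hash list locally, without typing it into one of the "checker" pages described above. All passwords and hashes are constructed here; none come from the real list.

```python
"""Unsalted vs. salted cracking cost, plus a local leak check.
Example code added to this article; the 'leak' is constructed below."""
import hashlib
import itertools
import os
import string

# Constructed sample passwords, shaped like those the article describes.
SAMPLE_PASSWORDS = ["lawrencelinkedin", "miata2012?", "linkedin123"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme the circulating list appears to use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# The constructed "leaked list": hashes only, no usernames, no salts.
LEAKED_HASHES = frozenset(sha1_hex(p) for p in SAMPLE_PASSWORDS)


def candidate_passwords(base_words):
    """Wordlist plus a few mangling rules an attacker would apply:
    the site name, '123', and a four-digit year with an optional symbol."""
    for word in base_words:
        yield word
        yield word + "linkedin"
        yield word + "123"
        for digits in itertools.product(string.digits, repeat=4):
            for sym in ("", "!", "?"):
                yield word + "".join(digits) + sym


def crack_unsalted(leaked, candidates):
    """Unsalted: one SHA-1 per candidate is looked up against every hash in
    the list at once, so cost does not grow with the number of accounts.
    Returns (hash -> recovered password, number of hashes computed)."""
    found, computed = {}, 0
    for cand in candidates:
        computed += 1
        h = sha1_hex(cand)
        if h in leaked:
            found[h] = cand
    return found, computed


def hash_salted(password: str, salt: bytes, rounds: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA1); assumed hardened scheme.
    Real deployments use tens of thousands of rounds, not one."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, rounds)


def make_salted_store(passwords, rounds):
    """Per-account random 16-byte salt stored beside the digest."""
    store = []
    for p in passwords:
        salt = os.urandom(16)
        store.append((salt, hash_salted(p, salt, rounds)))
    return store


def crack_salted(store, candidates, rounds):
    """Salted: every candidate must be rehashed under each account's salt,
    so the work is candidates x accounts x rounds. Precomputed tables do
    not apply because the salt is unknown in advance."""
    found, computed = {}, 0
    cands = list(candidates)
    for idx, (salt, digest) in enumerate(store):
        for cand in cands:
            computed += 1
            if hash_salted(cand, salt, rounds) == digest:
                found[idx] = cand
    return found, computed


def password_in_leak(password: str, leaked=LEAKED_HASHES) -> bool:
    """Check a password against a hash list locally: hash it yourself and
    look the hash up. Never submit the password to a third-party page."""
    return sha1_hex(password) in leaked


if __name__ == "__main__":
    words = ["lawrence", "miata", "linkedin"]
    found, n = crack_unsalted(LEAKED_HASHES, candidate_passwords(words))
    print(f"unsalted: recovered {len(found)}/{len(LEAKED_HASHES)} "
          f"with {n} hash computations")
    store = make_salted_store(SAMPLE_PASSWORDS, rounds=1)
    found_s, n_s = crack_salted(store, candidate_passwords(words), rounds=1)
    print(f"salted:   recovered {len(found_s)}/{len(store)} "
          f"with {n_s} hash computations")
    print("is 'miata2012?' in the list?", password_in_leak("miata2012?"))
```

With three accounts the salted run costs three times as many hash computations as the unsalted one, and with six million accounts it would cost six million times as many; raising the round count multiplies that again, which is the point of the "uncrackable form" article referenced above. The local check only works against a list you already hold and, as the text notes, the hashes alone do not tell you which account a match belongs to.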

Update (7/6/2012) - LinkedIn has now confirmed that some of the compromised passwords correspond to accounts belonging to its members.

(djwm)