LinkedIn: We see no security breach... so far

The company's initial investigation hasn't yet turned up any breach of security in its systems related to the reported hacking of millions of user passwords. Which could be worrying in itself.

Lance Whitney
Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
2 min read
The reported list of leaked hashed LinkedIn passwords.
A snippet of the file containing reportedly leaked (and encrypted) LinkedIn passwords, obscured for security Screenshot by Lance Whitney/CNET

Update 1:11 p.m. PT: LinkedIn confirms that passwords were "compromised."

So far, LinkedIn has come up empty on the password leak reported earlier today.

The company's latest tweet simply states that "our team continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred. Stay tuned here."

Assuming the initial report was authentic, LinkedIn's failure to find any sign of compromise in its system doesn't jibe with the number of people on Twitter who say they've found their own hashed LinkedIn passwords on the list. The security firms Sophos and Rapid7 told the Wall Street Journal that they have also identified the known LinkedIn passwords of colleagues in the file.

Wall Street is also concerned. Shares of LinkedIn are off more than 1 percent on a day when tech stocks overall are rallying.

A link to the reported list led to a text file called combo_not.text, hosted on a Russian server. That file contains 6,458,021 40-character hexadecimal strings, which is consistent with the report of almost 6.5 million hashed passwords allegedly leaked.

The initial story was triggered after a user in a Russian forum claimed that he hacked and uploaded almost 6.5 million LinkedIn passwords onto the Web.

Many of the hashed passwords reportedly include the word "linkedin," which The Verge and other sources believe lends credibility to the claim.

LinkedIn passwords are encrypted using the SHA-1 algorithm, which is considered highly secure. But some reports say that groups of hackers are working on decrypting the passwords. Complex passwords won't be easy to crack, but simple ones are vulnerable.

Whether or not the report turns out to be accurate, LinkedIn users should take the precaution of changing their passwords, a process detailed in a blog by Sophos security expert Graham Cluley and in CNET's initial story on the password hack.

LinkedIn, meanwhile, offered users a statement explaining how to change passwords and take other security best practices today. The statement said LinkedIn continues to investigate the report of stolen passwords.

Updated 11:18 a.m. PT: Added LinkedIn statement on security best practices and the ongoing investigation.