UPDATE: LinkedIn confirms hacking. Read more here.
A user in a Russian forum is claiming to have hacked LinkedIn to the tune of almost 6.5 million account details. The user uploaded 6,458,020 hashed passwords, but no usernames. It's not clear if they managed to download the usernames, but it's likely that both have been downloaded. There is a possibility that this could be a hoax, but several people have said on Twitter that they found their real LinkedIn passwords as hashes on the list. Many of the hashes include "linkedin," which seems to add credence to the claims.
We spoke with Mikko Hypponen, Chief Research Officer at F-Secure, who thinks this is "a real collection." He told us he is "guessing it's some sort of exploit on their web interface, but there's no way to know. I am sure LinkedIn will fill us in sooner or later."
It's worth noting that the passwords are stored as unsalted SHA-1 hashes. SHA-1 is a secure algorithm, but it is not foolproof. LinkedIn could have made the passwords more secure by 'salting' the hashes, which involves combining each password with a random, per-account value (the salt) before hashing it, so that two users with the same password end up with different hashes and a single precomputed table cannot be checked against every account at once. Even so, unless your password is a dictionary word, or very simple, it will take some time to crack. We've reached out to LinkedIn to determine the accuracy of the claims, but in the meantime, we recommend changing your password just in case.
Update: LinkedIn has just tweeted that it is looking into the matter.
Our team is currently looking into reports of stolen passwords. Stay tuned for more. — LinkedIn News (@LinkedInNews) June 6, 2012
Update 2: LinkedIn has tweeted again, and has been unable to confirm any security breach yet. Given the growing number of users that have found their password in the hashes, that's worrying news.
Our team continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred. Stay tuned here. — LinkedIn News (@LinkedInNews) June 6, 2012
Update 3: Security researcher Steve Gibson has highlighted a website which will check whether your password can be found on the list of stolen hashes. Bear in mind that if you have a common password, a positive result may not mean that your account has been compromised: anyone else using the same password produces the same unsalted hash.
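To make the unsalted-versus-salted point concrete, and to show how a leak checker like the one Steve Gibson highlighted can work, here is an added Python example (not code from this article, LinkedIn, or the checker site). The "leaked" hash set below is constructed from made-up passwords, not values from the real dump.

```python
from __future__ import annotations

import hashlib
import os


def sha1_hex(data: bytes) -> str:
    """Plain SHA-1 of the given bytes, as lowercase hex."""
    return hashlib.sha1(data).hexdigest()


# Constructed stand-in for the leaked list: unsalted SHA-1 hashes of a few
# invented passwords. These are NOT hashes from the real LinkedIn dump.
LEAKED_UNSALTED = {
    sha1_hex(b"linkedin123"),
    sha1_hex(b"Password1"),
    sha1_hex(b"correcthorsebatterystaple"),
}


def password_in_leak(password: str, leaked: set[str]) -> bool:
    """How a leak checker works against unsalted hashes: one SHA-1
    computation and a set lookup tells you whether your password's hash is
    in the dump. No per-user secret is needed, which is exactly the weakness."""
    return sha1_hex(password.encode()) in leaked


def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, str]:
    """Salted storage: a random per-account salt is hashed together with the
    password. The salt is stored alongside the hash (it is not secret); its
    job is to make identical passwords produce different hashes. A slow KDF
    (bcrypt, PBKDF2) is the better choice today, but the salting idea is the same."""
    if salt is None:
        salt = os.urandom(16)
    return salt, sha1_hex(salt + password.encode())


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Recompute the salted hash for a login attempt and compare."""
    return salted_hash(password, salt)[1] == stored


def same_password_shares_hash(password: str) -> dict[str, bool]:
    """Two accounts with the same password: do they share a stored hash?"""
    unsalted_equal = sha1_hex(password.encode()) == sha1_hex(password.encode())
    _, h1 = salted_hash(password)
    _, h2 = salted_hash(password)
    return {"unsalted": unsalted_equal, "salted": h1 == h2}
```

The `unsalted` result is always `True`, which is why a single list of hashes can be matched against every account in a dump at once; the `salted` result is `False`, so each account would have to be attacked separately.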