LinkedIn hacked: over six million passwords compromised and published

Last year's LinkedIn password hack shook the business-oriented social network to its core. Millions of usernames and passwords were published online in one of the largest security breaches ever. But where LinkedIn saw a PR nightmare and users saw a security concern, conceptual artist Aram Bartholl saw art.

Forgot Your Password is a set of eight books containing some 4.7 million passwords that were leaked in June 2012. Visitors to the exhibit, which has toured Europe and is currently residing in Bartholl's native Germany, are invited to look through the volumes to see if their password is inside. Each password is arranged alphabetically and presented without its linked username(s). In addition to the books, Bartholl has also exhibited a pair of prints called Private Password, which contain 10,000 passwords each.

Last week's breach at LinkedIn resulted in the leak of 6.46 million user passwords, but with some basic security measures in place it could have been avoided. The New York Times reports that "on a grading scale of A through F, experts say, LinkedIn, eHarmony and Lastfm.com would get, at best, a 'D' for password security" because the three sites — all of which were hacked last week — only took one step to secure user passwords. The article explains that an inexpensive way to securely store user data is to first hash the passwords, then to salt them, then to hash them again and store them on secure servers, but the three sites that were hacked last week only took the first step in this process. LinkedIn says that "prior to news" of the breach, the site began hashing and salting user passwords, but hopefully companies will take this step much sooner in the future.

LinkedIn has yet to receive any reports of unauthorized account access after 6.5 million user passwords were posted online by hackers, the company said in a blog post today. Although the perpetrators managed to crack and reveal a "small set" of hashed passwords, LinkedIn hasn't seen any evidence indicating that the email addresses tied to those credentials have also been shared.

"To the best of our knowledge, no email logins associated with the passwords have been published" says Director Vicente Silveira. He adds that the professional networking site is now working with law enforcement to investigate the breach, a process we imagine has only intensified thanks to similar attacks carried out on other popular web destinations in the days since.

Reports started swirling this morning that more than six million users had their account passwords stolen, and now the company has confirmed the security breach with a post on its blog — though the company hasn't yet confirmed how many accounts were compromised.

Affected users will receive an email from LinkedIn with instructions on how to reset their password. This doesn't appear to be the standard password reset procedure, either — any affected user will automatically be locked out of their account, and the password reset email being sent by LinkedIn won't contain any links to the site. LinkedIn will also be sending affected members a second email from their customer service department detailing the circumstances behind the breach. We can't help but feel that all of the service's members deserve to know exactly what happened — they've entrusted their personal data to LinkedIn, regardless of whether their passwords were stolen or not.