LinkedIn has confirmed that some of its users' passwords have been compromised and said it is continuing to investigate claims that a member of a Russian online forum hacked the popular networking site and uploaded close to 6.5 million passwords to the internet.
In a blog post issued late Wednesday afternoon, LinkedIn said the passwords of users whose data had been compromised would no longer work, and they would be sent emails advising them how to change them. It would not say how many passwords had been leaked.
The passwords were allegedly uploaded encrypted and without usernames, since the hacker's aim seems to have been to demonstrate that the LinkedIn site is not secure rather than to use the personal information of its users.
But according to The Verge technology news website, which broke the news, the encryption used is not foolproof, leaving open the possibility that the passwords could be accessed by someone else.
The Verge reported that some LinkedIn users have found hashed versions of their passwords on the uploaded list and recommended that all LinkedIn users change their passwords as a precaution.
The company itself included a reminder about best practices with regard to passwords in a blog post about its investigation of the possible password leak.
"One of the best ways to protect your privacy and security online is to craft a strong password, to change it frequently (at least once a quarter or every few months) and to not use the same password on multiple sites," LinkedIn product manager Vicente Silveira wrote.
"Use this as an opportunity to review all of your account settings on LinkedIn and on other sites, too."
LinkedIn is a popular site where professionals post profiles in order to network with others in their field, look for jobs or advertise themselves to potential employers. As of November 2011, it had 131 million users and more than one million groups.
2nd security headache this week
The latest news comes just as the company is addressing security concerns about its mobile app for iPhones and Android smartphones, which syncs information in your phone calendar with LinkedIn profiles to provide details about people you are meeting at events listed in your calendar.
Earlier this week, it was reported that the app was collecting all of the details entered into the phone's calendar functions, including passcodes, emails, meeting notes or private phone numbers for teleconferences that were never intended to be shared, and transmitting the information to the company's servers. Concerns were raised that this might violate users' privacy.
The company responded by saying the calendar sync function is an opt-in feature that users have to agree to and that the information is transmitted securely and never stored or shared. Nevertheless, it did alter the app and will now no longer send data from the meeting notes section of calendar events to its servers during the syncing process.