If you’re a LinkedIn user, do yourself a favor and change your password right now — according to a new report from Dagens IT, nearly 6.5 million hashed LinkedIn passwords were dumped onto a Russian hacker forum.
The news comes right on the heels of yet another user security kerfuffle, as the most recent LinkedIn for iOS update was found to transmit users’ meeting notes back to LinkedIn servers without their permission.
Of the millions of passwords dumped, Dagens IT reports that nearly 300,000 of them have been cracked so far, and that number seems sure to grow as users spread the hefty file around.
The passwords are stored as unsalted SHA-1 hashes, and multiple reports on Twitter indicate that users have found their own hashes buried in the massive text dump. Unsalted hashes are far weaker than their salted brethren, because the same password always produces the same hash, so one table of guesses can be checked against every entry in the file at once. Even so, cracking an individual hash still takes a non-trivial amount of time unless the user chose a common dictionary word as their password. It’s currently unknown whether the email addresses that correspond to those passwords have also been dumped; if someone does have them, they apparently don’t feel like sharing.
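An added illustration, not code from the original report or from LinkedIn: the unsalted SHA-1 scheme described above beside a salted, slow-KDF alternative. The leaked digests and the wordlist below are constructed for this example and are not values from the real dump.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked dump: bare SHA-1 hex digests, no salts, no usernames.
LEAKED_HASHES = {
    hashlib.sha1(b"linkedin").hexdigest(),
    hashlib.sha1(b"sunshine").hexdigest(),
    hashlib.sha1(b"Xq7!vR2#pL9z").hexdigest(),
}
# Constructed miniature wordlist standing in for a real dictionary.
WORDLIST = ["password", "123456", "linkedin", "sunshine", "welcome"]


def unsalted_sha1(password: str) -> str:
    """The scheme the article describes: SHA-1 over the bare password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_appears_in_dump(password: str, dump: set[str]) -> bool:
    """How users on Twitter found themselves in the file: hash your own password
    once and look it up. With no salt, that one-line check works for anyone."""
    return unsalted_sha1(password) in dump


def dictionary_words_in_dump(dump: set[str], wordlist) -> dict[str, str]:
    """Exposure estimate: hashing each word ONCE covers every account in the dump,
    because identical passwords yield identical unsalted hashes."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {h: table[h] for h in dump if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hardened form: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt defeats the shared lookup table above; the iteration count makes
    each guess cost ~100,000 hash operations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_user_record(password: str) -> tuple[bytes, bytes]:
    """Store (salt, digest); two users with the same password get different records."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Constant-time comparison against the stored digest."""
    salt, stored = record
    return hmac.compare_digest(salted_hash(password, salt), stored)
```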
Considering that LinkedIn reported back in February that 150 million people use the professional networking service (a number that has certainly grown since then), the breach represents a relatively small share of users. Though chances are slim that you yourself are personally affected — 6.5 million people make up less than 5% of LinkedIn’s userbase — those odds seem unlikely to assuage the concerns of people who are.