By the time it became news that 6.5 million passwords from LinkedIn had been posted on a hacker Web site last week, the Internet company had “salted” all its passwords, making them significantly more difficult to crack, according to LinkedIn.
In a blog post, the company also described how it was not aware of any improper access to accounts resulting from the breach. It also described some of the steps it took to quickly protect users’ privacy.
Compromised passwords were not published with corresponding e-mail log-ins, according to the post, written by director Vicente Silveira. When published, the “vast majority” of passwords were hashed, or encoded, but a subset of the passwords was not.
The company said that it had disabled “all member passwords that we believe to be at risk.” Such members were sent e-mails, asking them to reset their passwords. The company added that for members who had not had their passwords disabled, “we do not believe your account is at risk.”
The company also said that by the time news broke about the breach, all member passwords had been “salted,” a technique that increases the computer time needed to crack an encrypted password. An initiative had already been underway to transition from just hashing passwords, to hashing and salting them, the post said.
LinkedIn didn’t say how the passwords were hacked. But it said it was working with investigators. “We take this criminal activity very seriously so we are working closely with the FBI as they aggressively pursue the perpetrators of this crime.”
Additional security enhancements to the site are planned, the post said, though it didn’t describe what those enhancements might be.
photo by smi23le/flickr