If you have a LinkedIn account, you should stop reading this right now and change your password. Once you’ve secured your account, come back and read the rest of this story. I’ll wait.
Done? O.K., on with the story. TheNextWeb has just reported that 6.5 million encrypted passwords have recently been posted to a Russian hacker forum, many of which come from LinkedIn. Additionally, the social networking site for professionals is under scrutiny as it has been discovered that, until today, calendar information was being sent to the LinkedIn servers without explicit permission from users.
Norwegian IT website Dagens IT first reported the password hack, and security researcher Per Thorsheim confirmed the reports through Twitter, saying that the attackers have posted the encrypted passwords in order to get help cracking them. CERT-FI says that once the passwords are decrypted, the attackers will have access to user data as well as passwords.
TheNextWeb is reporting that more than 300,000 passwords have already been decrypted, so if you didn’t follow my advice and change your LinkedIn password already, do it now. Seriously. The company has posted an official update on this password breach to its Twitter feed, stating, “Our team is currently looking into reports of stolen passwords. Stay tuned for more.”
LinkedIn is having a bad week when it comes to security. Yesterday, The New York Times reported that the businessman’s social site had been transmitting calendar information from iOS apps to their servers without making it clear to users what data was being sent.
Mobile security researchers Yair Amit and Adi Sharabani discovered that LinkedIn’s mobile app for iOS includes an opt-in feature that allows users to view their calendar updates from within the app. This is a very handy feature, except that LinkedIn was automatically transmitting calendar entries to its servers. Every detail was sent, including personal notes, like conference call numbers or sensitive meeting notes that someone added to their event. Not only that, but the calendar sync did not distinguish between business and personal calendar information. So, if someone were to add a personal event about going to the doctor and added a note about finding out if she were pregnant, this information was no longer private.
The company claimed that the information was being sent to its servers to match LinkedIn profiles so that users would know more about the person they were meeting with. Researchers Amit and Sharabani responded by saying, “In order to implement their acclaimed feature of synchronizing between the people you meet and their LinkedIn profile, all LinkedIn needs is unique identifiers of the people you are going to meet with, not all the details of your planned meetings.”
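The data-minimization point the researchers make, as an added example (not LinkedIn's code): the event layout, field names and the choice to hash attendee addresses are assumptions for illustration.

```python
import hashlib

# Constructed sample calendar entry in the shape the article describes:
# attendees plus free-text notes that may carry call-in numbers or private details.
SAMPLE_EVENT = {
    "title": "Q3 planning call",
    "attendees": ["alice@example.com", "Bob@Example.com", "alice@example.com"],
    "notes": "Dial-in 555-0100, PIN 1234. Discuss Alice's upcoming leave.",
    "location": "Room 4B",
}

# Fields that profile matching never needs and that must not leave the device.
SENSITIVE_FIELDS = {"title", "notes", "location"}


def full_sync_payload(event: dict) -> dict:
    """The behaviour the article describes: ship the whole event, notes included."""
    return dict(event)


def attendee_id(email: str) -> str:
    """Normalize an address and hash it so the server can match against a
    pre-hashed column without seeing the raw address. Hashing is an assumed
    design choice and does not hide a guessable address on its own; the real
    fix is sending nothing but the identifier."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def minimized_payload(event: dict) -> dict:
    """Send only what matching needs: one deduplicated identifier per attendee."""
    ids = sorted({attendee_id(a) for a in event.get("attendees", [])})
    return {"attendee_ids": ids}


def leaks_sensitive(payload: dict) -> set:
    """Pre-send check: return the sensitive fields present in an outbound payload.
    An empty set means the payload is clean."""
    return SENSITIVE_FIELDS.intersection(payload)
```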
LinkedIn has since gone out of its way to rectify the issue. This morning, the company issued a statement regarding the mobile calendar feature saying it doesn’t store the information or share it for any purpose other than matching it with relevant LinkedIn profiles. It also made clear that the only time calendar data is transmitted is when users opt in to the syncing feature.
The company has gone even further to remedy the situation by updating its app and changing the way it collects data, including no longer sending data from the meeting notes section of a calendar event.