First, it’s important to know that compromised passwords were not published with corresponding email logins. At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves. Here are the most common questions we are being asked by our members: 1. Am I at risk of having my account breached? Thus far, we have no reports of member accounts being breached as a result of the stolen passwords. Based on our investigation, all member passwords that we believe to be at risk have been disabled. 2. News of the theft broke on Wednesday. Why didn’t I immediately receive notification that my password was disabled?As soon as we learned of the theft, we launched an investigation to confirm that the passwords were LinkedIn member passwords. Once confirmed, we immediately began to address the risk to our members, prioritized as follows:
By the end of Thursday, all passwords on the published list that we believed created risk for our members, based on our investigation, had been disabled. This is true, regardless of whether or not the passwords were decoded. After we disabled the passwords, we contacted members with instructions on how to reset their passwords. 3. What is LinkedIn doing to protect its members? We have built a world-class security team here at LinkedIn including experts such asGanesh Krishnan, formerly vice president and chief information security officer at Yahoo!, who joined us in 2010. This team reports directly to LinkedIn’s senior vice president of operations, David Henke. Under this team’s leadership, one of our major initiatives was the transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords, i.e. provided an extra layer of protection that is a widely recognized best practice within the industry. That transition was completed prior to news of the password theft breaking on Wednesday. We continue to execute on our security roadmap, and we’ll be releasing additional enhancements to better protect our members. 4. My password has not been disabled, what should I do now? If your password has not been disabled, based on our investigation, we do not believe your account is at risk. However, it is good practice to change your passwords on any website you log into every few months. For that reason, we have provided information to all of our members via theLinkedIn Blog, as well as a banner on our homepage instructing members on how to change their passwords.