LinkedIn's massive security breach: The fallout

The networking site is working overtime to contain a series of security lapses that put millions of user accounts at risk

Hackers published some 165,000 LinkedIn users' passwords online, and the company is now going through the list of people to tell them to reset their passwords.
(Image credit: CC BY: mariosundar)

LinkedIn has confirmed that more than six million users had their passwords stolen by hackers, and some 165,000 of those passwords have already been posted online. The popular networking site, which presents itself as a professional alternative to Facebook with a focus on business connections, has more than 150 million registered users worldwide. Will the site that boasts the slogan "relationships matter" be able to repair its relationship with worried users? Here's what you should know:

What exactly happened?

Early on Wednesday, reports began circulating that 6.5 million users had their account passwords stolen. Hours later, LinkedIn confirmed the security breach in a blog post. The company deactivated compromised accounts to protect users.


How did hackers steal these passwords?

It's unclear how hackers got into the system in the first place, and the company won't say who the suspected culprit is. But here's what we do know: The stolen passwords were originally published to a Russian forum, and most "were posted in a simple cryptographic code, suggesting the networking site had been using outdated security precautions," says the Moscow Times. A few of the posted passwords included phrases like "recruiter," "googlerecruiter," "toprecruiter," "human resources," "hiring," and "linkedin." It's not known if the hackers know each password's corresponding user log-in.
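The "simple cryptographic code" the Moscow Times describes is the heart of the problem: if a site stores a plain, unsalted hash of each password, every user who chose "recruiter" ends up with the identical stored value, so a leaked list reveals who shares a password and one recovered password unlocks all of them. The article does not name the scheme; the example below is an added illustration, not LinkedIn's code, and assumes the unsalted SHA-1 that was widely reported for this dump. It contrasts that with per-user salts plus a slow key-derivation function (PBKDF2 from Python's standard library), using a constructed list of accounts whose passwords echo the values quoted above.

```python
import hashlib
import secrets
from collections import Counter
from typing import Optional

# Constructed sample of (user, password) pairs. The user names are invented; the
# passwords echo the kinds of values the article says appeared in the dump.
SAMPLE_ACCOUNTS = [
    ("alice", "recruiter"),
    ("bob", "recruiter"),        # same password as alice
    ("carol", "googlerecruiter"),
    ("dave", "linkedin"),
    ("erin", "linkedin"),        # same password as dave
]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast hash over the bare password, no per-user salt.
    (Assumption for this example: unsalted SHA-1, as widely reported for the 2012 dump.)"""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Per-user random salt plus a deliberately slow derivation (PBKDF2-HMAC-SHA256).
    Stored form: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return secrets.compare_digest(recomputed.hex(), digest_hex)


def shared_hash_count(stored_values) -> int:
    """Number of entries in a dump whose stored value appears more than once.
    Under an unsalted scheme every group of users with the same password collides,
    so one recovered password covers the whole group; with per-user salts it is zero."""
    counts = Counter(stored_values)
    return sum(c for c in counts.values() if c > 1)


def compare_schemes(accounts=SAMPLE_ACCOUNTS) -> dict:
    """Hash the sample under both schemes and report how many entries collide."""
    weak = [unsalted_sha1(pw) for _, pw in accounts]
    # Fewer rounds than the production default just to keep the demo quick.
    strong = [pbkdf2_hash(pw, iterations=10_000) for _, pw in accounts]
    return {
        "unsalted_sha1_collisions": shared_hash_count(weak),
        "salted_pbkdf2_collisions": shared_hash_count(strong),
    }


if __name__ == "__main__":
    print(compare_schemes())  # {'unsalted_sha1_collisions': 4, 'salted_pbkdf2_collisions': 0}
```

The point of the comparison is the exposure a leaked table creates, not the hash function's strength in isolation: four of the five sample entries collide under the unsalted scheme, while the salted PBKDF2 values are all distinct even for users who picked the same password, and each still verifies correctly against its own stored string.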

How is LinkedIn handling this breach?

The company deactivated many accounts, and is contacting the owners of hacked accounts and urging them to reset their passwords. But in some ways, things are getting worse, as the hacks have spawned a new spam campaign targeting LinkedIn users: Emails that look like they're officially from the site's administrators are actually spambots illegally "phishing" for passwords. The company is reminding its users not to follow any embedded links (the official LinkedIn email to reset your password is link-free and requires users to copy and paste), and to check source addresses carefully.
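The two checks the company is asking users to make, that the genuine reset notice contains no links and that the sender address should be inspected, can be automated at the mail gateway or in a mailbox rule. The snippet below is an added example, not LinkedIn's guidance or code: it parses a raw single-part message with Python's standard `email` module and flags anything purporting to be a reset notice that either embeds a link or arrives from outside the one sender domain it trusts (an assumption, as are both sample messages, which are constructed and use a reserved `.example` domain for the lookalike).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: the genuine notice comes from an address under linkedin.com.
TRUSTED_SENDER_DOMAINS = {"linkedin.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(msg) -> str:
    """Domain part of the From header's address, ignoring the display name (which an
    attacker chooses freely). The From header itself can be forged, so a matching
    domain is only a weak reassurance; a mismatch is a strong warning."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def assess_reset_notice(raw_message: str) -> dict:
    """Apply the article's two checks to a plain single-part text message:
    the real reset email is link-free, and the source address must be inspected."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # single-part message -> body as str
    findings = []
    domain = sender_domain(msg)
    if domain not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender domain '{domain}' is not a trusted LinkedIn domain")
    links = URL_RE.findall(body)
    if links:
        findings.append(f"message embeds {len(links)} link(s); the official notice is link-free")
    return {
        "sender_domain": domain,
        "links": links,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: the shape of a link-free notice that tells the user to
# open the site themselves rather than click anything.
OFFICIAL_STYLE = """From: LinkedIn <security@linkedin.com>
Subject: Please reset your LinkedIn password

We have disabled your current password. To choose a new one, open linkedin.com
in your browser, sign in, and follow the password-reset prompts.
"""

# Constructed sample of the spam the article warns about: a lookalike sender
# (reserved .example domain) and an embedded link to "confirm" the password.
PHISHING_STYLE = """From: "LinkedIn Security" <alerts@linkedin-account-verify.example>
Subject: Urgent: confirm your LinkedIn password now

Your account may be affected. Click here to confirm your password:
http://linkedin-account-verify.example/reset?id=12345
"""


if __name__ == "__main__":
    for label, sample in (("official", OFFICIAL_STYLE), ("phishing", PHISHING_STYLE)):
        result = assess_reset_notice(sample)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The link check is the more reliable of the two signals, because a sender address can be spoofed while the presence of a URL in the body cannot be hidden from the parser; treating any reset notice that carries a link as suspect matches the company's own advice to copy and paste rather than click.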

How badly will this hurt LinkedIn's reputation?

It's certainly not helping. LinkedIn just became "the most annoying of all social media" sites, says Loren Steffy at the Houston Chronicle. The site already nags users to accept invitations from nepotists and strangers. If LinkedIn really wants to inspire confidence, it should "devote the same amount of attention it currently places on badgering its members on tighter security."

Sources: CNET, Gawker, The Houston Chronicle, Moscow Times, PC World, The Verge
