LinkedIn Reinforces Encryption After Last Week's Password Leak

The professional social networking site has still not given any details as to how the hack occurred.
By John Dunn
News Jun 14th 2012

LinkedIn has brought the encryption applied to all user passwords up to a more secure standard after last week's hugely embarrassing password hack, the company has announced.

This will count as a small consolation for anyone affected by the loss of 6.5 million passwords secured in an 'unsalted' state using the less secure 160-bit SHA-1 encryption algorithm.

The company said that after discovering the hack on the morning of 6 June, it had disabled published passwords it believed were at risk of exposure by the end of play on 7 June. None of the emails involved included email logins, the company claimed.

"After we disabled the passwords, we contacted members with instructions on how to reset their passwords," LinkedIn said. "At this time, there have been no reports of compromised LinkedIn accounts as a result of this password theft."

Importantly, the company said it had now completed an upgrade of the security applied to all accounts, whether part of the hack or not, which added the use of salted hashes.

On precisely what new security was now being employed - specifically whether 256-bit SHA-2 was part of the upgrade - the company's announcement is oddly evasive.
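
The difference between the unsalted SHA-1 storage and the salted hashes described above, shown as an added example that is not LinkedIn's code and not part of the original article. The account names, passwords, the choice of PBKDF2-HMAC-SHA256 and its round count are assumptions for illustration; the article does not say which algorithm LinkedIn adopted.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample accounts (not real data): two users share a password.
ACCOUNTS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}
PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def unsalted_sha1(password: str) -> str:
    """Storage scheme the article describes: plain 160-bit SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None):
    """Per-user random salt plus a slow KDF (PBKDF2 is this example's choice)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_record(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_digests(digests) -> int:
    """Count stored values that appear for more than one account."""
    return sum(1 for n in Counter(digests).values() if n > 1)


def build_tables():
    """Store the same sample accounts under both schemes."""
    unsalted = {user: unsalted_sha1(pw) for user, pw in ACCOUNTS.items()}
    salted = {user: salted_record(pw) for user, pw in ACCOUNTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    # Unsalted: equal passwords give equal digests, so one match exposes every reuse.
    print("unsalted values shared:", shared_digests(unsalted.values()))
    # Salted: each record is unique, so a precomputed table cannot be reused.
    print("salted values shared:  ", shared_digests(d for _, d in salted.values()))
    salt, digest = salted["alice"]
    print("alice verifies:", verify("linkedin2012", salt, digest))
```

Without a salt, every account using the same password stores the same digest, which is what makes a leaked table cheap to match against precomputed lists; the per-user salt forces each record to be worked on separately.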