LinkedIn, the social network for professionals, has confirmed that over six million of its users' passwords have been compromised and posted on a Russian web forum. According to a report by the BBC, the post also invites members of the hacking community to help decrypt the encrypted passwords.
LinkedIn said that affected users will receive an email advising them that their account has been compromised, with a password reset link and instructions on how to reset it. Affected members will also notice that their current password no longer works, as it is not "valid" due to being amongst the stolen data.
"We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously. If you haven't read it already it is worth checking out my earlier blog post today about updating your password and other account security best practices," said LinkedIn's director Vicente Silveira.
The news follows the discovery of a potential privacy concern over calendar entries sent from iOS devices to LinkedIn servers. The iOS LinkedIn app sends detailed calendar data, including lists of meeting participants, subjects, locations and times of meetings, as well as conference call details and passcodes.
It's thought that this violates Apple's privacy guidelines, which state "[a]pps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used".
It seems that when the LinkedIn app is launched on an iOS device, it automatically sends all calendar entries for the next five days. The email addresses and names of people who may be attending the meeting or conference call are also included, even for those who don't have a LinkedIn account.
The researchers who uncovered the problem have informed LinkedIn, which says the issue is "being examined by their Risk and Privacy Operations team".
Skycure Security, which discovered the flaw, recommends that users take the following steps to ensure their data is secured:
1. Click on the LinkedIn icon in the upper left part of the screen
2. Click on the "You" view
3. Click on the settings icon in the upper right part of the screen
4. Click on the "Add Calendar" option in the Settings page
5. Toggle off the "Add Your Calendar" option.
In light of this iOS app flaw, alongside the stolen passwords, it would seem that the LinkedIn privacy team will have its work cut out to address these problems in the coming weeks.