LinkedIn defends reaction in wake of password theft

Service says it doesn't think any accounts were hacked after password theft.

LinkedIn Corp. moved to reassure customers about the security of their data, following a password theft that caused a black eye for the social-networking service.

LinkedIn said in a blog post over the weekend that it had received no reports that member accounts were breached as a result of the stolen passwords. The Mountain View, Calif., company has come under fire since 6.5 million user passwords were stolen and published on an unauthorized website Wednesday.

Some security experts questioned the adequacy of LinkedIn's procedures for protecting passwords, and some users complained about delays in receiving information about the incident.

Vincente Silveira, a LinkedIn director, defended the company. He said in a blog post that the company is working closely with the Federal Bureau of Investigation as it "aggressively" pursues the perpetrators of this crime.

How the passwords were stolen remained unclear. The company declined to comment beyond the blog post, citing the investigation.

"As soon as we learned of the theft, we launched an investigation to confirm that the passwords were LinkedIn member passwords," Mr. Silveira wrote.

"Once confirmed, we immediately began to address the risk to our members." He said the company disabled passwords that were published and alerted their users to reset the passwords.

The majority of passwords that were published weren't decoded or published with corresponding log-in information, he said, so the company didn't believe that any accounts were hacked. The company says it has 160 million members.

The social-networking service for professionals has been criticized for not including an extra layer of password security known as salting, and for not having a chief security officer.

Mr. Silveira said Ganesh Krishnan, the head of LinkedIn's India technology center and the man considered the company's security czar, led an initiative to update passwords with the salting procedure.

Mr. Krishnan is a former chief information-security officer for Yahoo Inc.

The company didn't indicate whether the salting initiative was completed before the theft.

LinkedIn's password security was considered state-of-the-art three or four years ago, but it since has become easier for a criminal to crack, said Alex Stamos, chief technology officer at Artemis Internet Inc., an Internet-security company.

He said the biggest risk for users is if they use the stolen LinkedIn passwords for other sites. "If people have bad passwords, there's nothing you can do," he said.

Mr. Stamos said there is little reason to doubt a company's statement during a breach but that such incidents sometimes end up being worse than originally believed.

(Published by WSJ - June 10, 2012)