(MSNBC) -- While LinkedIn stated Wednesday morning via its Twitter account that it's been unable to confirm reports that 6.5 million user passwords have been exposed, Sophos security firm reports that the files posted on a Russian hacker site do contain LinkedIn passwords.
"Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals," writes Graham Cluley. "Investigations by Sophos researchers have confirmed that the file does contain, at least in part, LinkedIn passwords."
All LinkedIn members should take precautionary measures and change their passwords immediately, the Sophos senior technology consultant advises. He provided the following instructions:
- Log into LinkedIn.
- You should see your name in the top right hand corner of the webpage. Click on it, and you will open a drop-down menu. Choose "Settings".
- Choose the option to change your password.
- After entering your old password, you will have to enter your new (hopefully unique and hard-to-crack) password twice.
Take the extra precaution of changing your Facebook password as well, especially if your LinkedIn and Facebook accounts are connected. Further, if your LinkedIn password is the same one you use for any other accounts, change those as well -- hackers will often try out a password on several accounts, since so many people are in the (bad) habit of using just one.
News of the possible LinkedIn password leak comes less than 24 hours after mobile security researchers revealed that the LinkedIn mobile app is able to access subscriber
"The app doesn't only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes," writes Skycure Security researcher Adi Sharabani on the company's blog. "If you have decided to opt-in to this calendar feature in iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every time you open your LinkedIn app."
In a blog post responding to the mobile app flap, LinkedIn mobile product head Joff Redfern emphasizes that user information used to sync the calendar app "is sent securely over SSL and we never share or store your calendar information" and that LinkedIn does not "under any circumstances access your calendar data unless you have explicitly opted in to sync your calendar."
In response to the Skycure Security findings, Redfern added that LinkedIn "will improve" the following: