Professional networking website LinkedIn has run into a pair of thorny privacy issues, after reports emerged that millions of account credentials had been leaked, while researchers also accused its iPhone app of secretly snagging users' data.
Hackers Steal More Than 6.5 Million Passwords
Around 6.5 million encrypted LinkedIn passwords were recently posted to a Russian hacker site, according to Norwegian website Dagens. Many of those hacked passwords have now been decrypted.
After the news broke, LinkedIn posted on Twitter that it was investigating the reports of stolen passwords. Later, LinkedIn confirmed via a blog post that "some of the passwords that were compromised correspond to LinkedIn accounts."
The number of LinkedIn passwords compromised in a recent data breach could be far higher than the 6.5 million initially reported, according to Imperva. The security firm claims that even though only around 6.5 million encrypted passwords have been posted online, it's likely the unknown hacker has far more data.
"We believe the size of the breach is much bigger than the 6.5M accounts," wrote Imperva researcher Rob Rachwald in a blog post. "Most likely, the hacker has figured out the easy passwords and needs help with less common ones, so the hacker only published the more complicated ones. Most likely, many of the passwords haven't been revealed."
Imperva also pointed to how common the leaked passwords were as evidence that the damage done during the hack could be worse than first thought.
"The list doesn't reveal how many times a password was used by the consumers. This means that a single entry in this list can be used by more than one person," wrote Rachwald.
iOS App Leaks User Info
Meanwhile, a pair of researchers with Israeli firm Skycure revealed details of a data-sharing issue with LinkedIn's iOS app.
Yair Amit and his colleague Adi Sharabani found the app sent users' calendar information to the company's servers, without warning.
The problem affects users who enable the feature that allows them to view their iOS calendar within the app.
“The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes,” the researchers wrote in a blog post.
The researchers said they informed LinkedIn about the potential risk of obtaining user details without permission, but the issue had not yet been fixed.
The mobile app feature had been intended to provide a better calendar service for its users, LinkedIn's mobile product manager Joff Redfern wrote in a company blog.
“We do not store any calendar information on our servers,” he said. “We do not share or use your calendar data for purposes other than matching it with relevant LinkedIn profiles.”
LinkedIn has promised to update its app, removing the capability for calendar note information to be uploaded to its servers.