LinkedIn summarizes password theft and member security efforts
Mountain View, Calif. -- June 12, 2012 -- Since LinkedIn became aware on the morning of June 6 of the theft of approximately 6.5 million passwords, we have communicated to our members and the media regularly through various channels, including the company blog, email, social media, and the LinkedIn homepage.
To ensure a broad and accurate awareness of the company’s actions and to give the public a general update, LinkedIn is providing the following summary of information that we have made public about the password theft and our subsequent investigation and response. This alert consolidates key points made in previous communications from the company. At this time, LinkedIn cannot release any further information in order to protect our members and due to the ongoing investigation:
Member Commitment and Response
- First and foremost, LinkedIn takes all matters relating to our members’ privacy and security seriously.
- We have been working around the clock since learning last Wednesday that a possible theft of passwords had occurred.
- As soon as we learned of the theft, we launched an investigation to confirm that the stolen passwords were, in fact, LinkedIn member passwords.
- The stolen passwords were not published with corresponding email logins.
- Once we were able to make this determination, we immediately began to address the risk to our members, prioritized as follows:
  - Based on our investigation, those members who we believed were at risk, and whose decoded passwords already had been published, had their passwords quickly disabled and were sent an email by our customer service team.
  - By the end of Thursday, June 7, all passwords on the published list that we believed created risk for our members, based on our investigation, had been disabled. This is true regardless of whether or not the passwords were decoded. After we disabled the passwords, we contacted members with instructions on how to reset their passwords.
- At this time, there have been no reports of compromised LinkedIn accounts as a result of this password theft.
- We are continuing to work with law enforcement as they investigate this crime.
- The health of our network, as measured by member growth and engagement, remains as strong as it was prior to the incident.
- LinkedIn’s technology team includes world-class security experts. This team includes Ganesh Krishnan, the company’s security czar, who previously served as vice president and Chief Information Security Officer at Yahoo! Inc. He and the entire security function at LinkedIn report to Senior Vice President of Operations David Henke. Some corporate governance experts recommend that corporations officially name Chief Information Officers and Chief Information Security Officers. LinkedIn historically has limited C-level titles only to its Chief Executive Officer and Chief Financial Officer, so while Krishnan does not formally have the title of Chief Information Security Officer, that is the role he has played at the company since his hiring in 2010.
- The LinkedIn technology team has completed a long-planned transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashes and salts the passwords, i.e. provides an extra layer of protection.
- For security reasons, we cannot discuss certain details of our ongoing security upgrades.
- We can confirm that all member passwords now are not only hashed, but also salted, to provide an additional layer of security.
- We will continue to investigate this criminal activity, and as we continue to upgrade security measures, we will keep our members updated.
- We are compliant with SEC regulatory filing obligations.
- In addition, we have been providing ongoing disclosures and updates to our members and to the public through postings on our corporate blog and now through this media alert.
We are profoundly sorry for this incident. Member security is vitally important to us, and transparency is a priority as well. We will provide further updates as warranted by any new developments.
Founded in 2003, LinkedIn connects the world’s professionals to make them more productive and successful. With more than 175 million members worldwide, including executives from every Fortune 500 company, LinkedIn is the world’s largest professional network on the Internet. The company has a diversified business model with revenues coming from member subscriptions, marketing solutions and hiring solutions. Headquartered in Silicon Valley, LinkedIn has offices across the globe.