LinkedIn and eHarmony confirm password data breach

Out-Law News | 07 Jun 2012 | 12:38 pm | 2 min. read

Business networking website LinkedIn and online dating site eHarmony have confirmed that some of their users' password details have been stolen and posted on the internet.

Nearly 6.5 million passwords associated with LinkedIn and approximately 1.5 million associated with eHarmony were posted on an online forum by hackers, according to media reports. Both companies have confirmed that they have been victims of a data security breach.

"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," LinkedIn director Vicente Silveira said in a company blog. "We are continuing to investigate this situation."

"The security of our customers’ information is extremely important to us, and we do not take this situation lightly," Becky Teraoka, who works in corporate communications at eHarmony, said in a company blog. "After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected."

Both Silveira and Teraoka said that the two organisations had invalidated the passwords of members whose data had been breached and that the companies would send out emails to those affected with instructions on how to reset the password.

Silveira added that LinkedIn has installed "enhanced security" features around its "current password databases", whilst Teraoka said similar "robust" measures, such as data encryption, were also in operation at eHarmony.

Security consultant Graham Cluley of IT security firm Sophos said that the hackers probably hold other details about LinkedIn users.

"Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals," he said in a blog. "If you were using the same passwords on other websites - make sure to change them too. And never again use the same password on multiple websites."

LinkedIn, which has more than 150 million users, has also made changes to its mobile app after researchers claimed that LinkedIn was transmitting information users had entered on their mobile calendars without those users' consent.

Researchers Adi Sharabani and Yair Amit said that LinkedIn was "possibly" in breach of Apple's privacy terms, which require app providers to obtain users' prior permission in order to transmit data about them.

LinkedIn's app takes details from users' mobile calendars about meetings they are due to attend and synchronises them with details contained in LinkedIn about the people whom users are due to meet. Amit said that users may not wish sensitive material, such as meeting notes, to be synced in this way.

"We are concerned by the fact [LinkedIn's app] collects and sends-out sensitive information about its users, without a clear indication and consent," Amit said.

LinkedIn said its calendar feature is available on an 'opt in' basis but has made changes so that its app "will no longer send data from the meeting notes section of your calendar event," according to the company's mobile product head Joff Redburn.