It’s been a tough morning for the professional network LinkedIn when it comes to security. A hacker has stolen and published around 6.5 million hashed passwords from the company, following security revelations regarding the way LinkedIn’s mobile app handles your calendar data.
A Russian hacker uploaded the hashed passwords (meaning they’re protected and not just plain text) to a forum this morning, requesting help to get them deciphered. Several security researchers say the leak is likely legitimate, including researcher Per Thorsheim.
Update: LinkedIn has confirmed that some passwords were compromised.
The big takeaway for now: change your LinkedIn password ASAP. If your password is decently sophisticated, the hackers likely won’t be able to recover it from the hash, but as always it’s better to be safe about these things. It’s also unclear if the hackers got hold of LinkedIn usernames, which would make it easier for them to get into accounts.
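To make the “hashed, not plain text” point concrete, here is an added illustration (example code written for this article, not anything from LinkedIn, whose actual hashing scheme the article does not describe). It shows why a hash is not encryption that can be “undone”, why an unsalted fast hash of a guessable password is exposed the moment the dump is public (it is a simple lookup against a list of common passwords), and how a site should store passwords instead: a per-user random salt plus a deliberately slow, iterated hash (PBKDF2 here), so that the same password never produces the same stored value and every guess costs real work. The wordlist and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Work factor for the stretched hash. Constructed value for the example; a
# production site tunes this to its hardware and raises it over time.
PBKDF2_ITERATIONS = 100_000

# Constructed list of commonly chosen passwords (stand-in for a real list).
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein"]


def fast_unsalted_hash(password: str) -> str:
    """A bare SHA-1 digest: deterministic, no salt, microseconds to compute.

    Nothing here can be 'decrypted'; the only way back to the password is to
    guess candidates and compare digests, which is cheap for this scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def common_password_exposure(digest: str, wordlist=COMMON_PASSWORDS):
    """Defender's check: does this unsalted digest match any common password?

    Returns the matching password, or None. A hit means the account was never
    really protected by hashing, since this lookup is all the dump needs."""
    for candidate in wordlist:
        if hmac.compare_digest(fast_unsalted_hash(candidate), digest):
            return candidate
    return None


def stretched_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): slow by design, and the salt
    makes every user's stored value unique even for identical passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> dict:
    """What a site should keep for a user: salt, work factor, and the hash."""
    salt = os.urandom(16)
    return {
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": stretched_hash(password, salt, PBKDF2_ITERATIONS).hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = stretched_hash(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def salts_defeat_shared_lookup(password: str) -> bool:
    """Two users with the same password get different stored hashes, so one
    precomputed table cannot be reused across the whole dump."""
    a = store_password(password)
    b = store_password(password)
    return a["hash"] != b["hash"] and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    weak = fast_unsalted_hash("password")
    print("unsalted SHA-1 of a common password:", weak)
    print("found in common-password list:", common_password_exposure(weak))
    strong = fast_unsalted_hash("correct-horse-battery-staple-2012")
    print("strong password found in list:", common_password_exposure(strong))
    print("salted storage gives unique hashes:", salts_defeat_shared_lookup("password"))
```

The lesson for a user is the one the article gives: a password that is not on anyone’s guess list survives a hash leak. The lesson for a site is that hashing alone is not the protection; salting and stretching are what make the leaked values expensive to turn back into passwords.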
Earlier this morning, The Next Web reported that LinkedIn’s calendar feature in its mobile apps transmits data back to the company. LinkedIn responded quickly, saying that the feature is completely opt-in (though it’s a bit unclear what gets transmitted when you agree to it) and that the data is sent over a secure SSL connection (TNW claimed the information was sent as unsecured plain text).
According to LinkedIn’s mobile app head Joff Redfern:
In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles. That information is sent securely over SSL and we never share or store your calendar information.
In an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes.
To make amends, Redfern says that LinkedIn will no longer collect information stored in the “Meeting Notes” portion of your calendar entries. The company has already updated its Android app, and Redfern says that it has submitted a change to Apple for its iOS app.
We’ve covered extensively how many mobile apps used to take advantage of your address book data, including Path and Instagram (most of which have been updated by now). Considering that the LinkedIn calendar feature was initially opt-in and gathered data that wasn’t very sensitive, I don’t think it was as big of a security risk as other apps that have made headlines.