Fake emails from LinkedIn circulate after password breach

Criminals have already started taking advantage of millions of stolen LinkedIn passwords that were uncovered today. Spoofed emails are being sent to LinkedIn users, phishing for personal information and redirecting traffic to Viagra-selling websites.

This morning, 6.5 million passwords were apparently leaked from the business social network. The passwords, which were hashed rather than stored in plain text, were uploaded to a Russian website. Researchers quickly looked into whether the passwords were legitimate, and LinkedIn later confirmed they were. The company released a blog post saying, “we can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.”

Any LinkedIn user who has not yet changed their password should do so immediately.

But be careful not to do so through an email prompt. ESET security researcher Cameron Camp explained in a blog post today that a number of LinkedIn users have been receiving emails that appear to come from the social network and ask them to confirm account information. Camp has found these to be false emails, spoofed by cyber criminals to look like legitimate notifications from LinkedIn. Indeed, the first link in one of these spoofed emails will take you to a website selling Viagra.

These types of spoofed emails are unique to today’s incident, but there’s a chance that criminals could take this opportunity to attempt to phish personal information out of unsuspecting LinkedIn users.

Hat tip: The New York Times