Stolen LinkedIn passwords 'genuine' says Sophos, LinkedIn confirms data breach (NEW UPDATES)

Hacked "6.4 million" list is real. LinkedIn confirms some are for its accounts. eHarmony also hit.

Sophos has told Computing that it believes LinkedIn has suffered a major hack and data breach, involving 6.4 million or more user passwords.

The anti-virus software vendor said that a list of hashed passwords that has been published on a password-cracking forum is genuine.

Other passwords are thought to be from dating service eHarmony, according to a Reuters report.

"Hackers posted a humongous file – of many megabytes – containing six million-plus hashes, so the passwords are encrypted, but they're not salted, which means it's possible to work against them and crack them fairly easily," Sophos senior technology consultant Graham Cluley told Computing.

Using unsalted SHA-1 hashes is generally considered bad practice, and has led security firm Imperva to say that LinkedIn did not properly safeguard its users' login data.
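The following is an added example, not code from the article or from LinkedIn, showing in Python why unsalted SHA-1 storage is weak: two users with the same password get the same hash, so a leaked list reveals shared passwords and a single precomputed table of common passwords matches every account using them. The per-user random salt and PBKDF2 iteration count used for comparison are a generic assumption about what a safer store looks like, and the user records are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample records (username, password). Not real breach data.
SAMPLE_USERS = [
    ("alice", "correcthorse"),
    ("bob", "123456"),
    ("carol", "123456"),        # same password as bob
    ("dave", "correcthorse"),   # same password as alice
]

# Constructed short list of very common passwords, the kind a precomputed
# hash table would cover.
COMMON_PASSWORDS = ["123456", "password", "linkedin"]


def unsalted_sha1(password):
    """The weak scheme described in the article: one deterministic digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=100_000):
    """Assumed safer scheme: per-user salt plus a deliberately slow key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_unsalted(users):
    return {user: unsalted_sha1(pw) for user, pw in users}


def store_salted(users):
    store = {}
    for user, pw in users:
        salt = os.urandom(16)                    # fresh random salt per user
        store[user] = (salt.hex(), salted_hash(pw, salt))
    return store


def shared_password_groups(unsalted_store):
    """Group usernames whose stored hash is identical.

    With no salt, identical hash means identical password, which is why
    a leaked unsalted list says more about users than its line count.
    """
    groups = {}
    for user, digest in unsalted_store.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def accounts_matched_by_table(unsalted_store, common_passwords):
    """Users whose unsalted hash appears in a precomputed table of common passwords."""
    table = {unsalted_sha1(pw): pw for pw in common_passwords}
    return sorted(user for user, d in unsalted_store.items() if d in table)


def salted_hashes_all_distinct(salted_store):
    """With per-user salts, even identical passwords produce different digests,
    so neither grouping nor a single precomputed table works."""
    digests = [d for _, d in salted_store.values()]
    return len(set(digests)) == len(digests)


def verify_salted(salted_store, user, password):
    salt_hex, digest = salted_store[user]
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    print("shared-password groups:", shared_password_groups(weak))
    print("matched by common-password table:", accounts_matched_by_table(weak, COMMON_PASSWORDS))
    strong = store_salted(SAMPLE_USERS)
    print("salted digests all distinct:", salted_hashes_all_distinct(strong))
    print("bob login ok:", verify_salted(strong, "bob", "123456"))
```

Run as-is it prints the two groups of users sharing a password and the two accounts hit by the tiny common-password table for the unsalted store, and shows that the salted store yields four distinct digests while still verifying the correct password.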

The Imperva report also says it believes the hacked details may represent many more people than first thought, as common passwords – such as "123456" – are not included in the file.

"The data that's been released doesn't include the associated email addresses, but I think we have to assume those are in the hands of the criminals as well," said Sophos' Cluley.

There is no guarantee that stolen passwords are limited to the 6.4 million on the list, he added. Theoretically, many more users could be affected, as the same passwords are likely to be shared by a lot of people.

"There's obviously many more LinkedIn users than that, but that's the size of the data we've seen so far," said Cluley. The business network has an estimated 161 million members in total.

Sophos has recommended that users change their LinkedIn passwords immediately, as well as any duplicate passwords for other sites and services.

LinkedIn has posted a statement on its blog confirming that some of the compromised passwords do correspond to LinkedIn accounts.

LinkedIn has disabled access to those accounts and is emailing members with instructions on how to reset their passwords. "There will not be any links in this mail", it said.

The company has advised concerned users to follow the company on Twitter: @LinkedIn, @LinkedInNews and on its blog: blog.linkedin.com.

Additional reporting by Chris Middleton.