Last Updated on Thursday, 07 June 2012 19:23 Published on Thursday, 07 June 2012 19:23
LinkedIn users have been targeted by email scams after hackers leaked more than six million user passwords online. Emails designed to look like they were sent by the social-network website asked users to "confirm" their email address by clicking a link.
However, the link took unsuspecting recipients to a site selling counterfeit drugs. Dating website e-Harmony has also admitted that a "small fraction" of its users' passwords have been leaked.
Approximately 1.5 million passwords from the US-based relationship site were posted online, reported Ars Technica.
The company said on its blog that it had reset the passwords of the affected users, who would receive an email with instructions on how to set new passwords.
On Wednesday it was revealed that 6.4 million passwords from LinkedIn had been posted on a Russian web forum, along with a message encouraging other hackers to help decrypt the "hashed" data.
Affected LinkedIn users have been told they will receive instructions in an email - but not with a link - on how to change their details.
"Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," said LinkedIn director Vicente Silveira, confirming that a breach had occurred.
He added: "These members will also receive an email from LinkedIn with instructions on how to reset their passwords.
"These affected members will receive a second email from our customer support team providing a bit more context on this situation and why they are being asked to change their passwords."
However, Ant Allen, from analyst firm Gartner, said LinkedIn must do more to inform their members about the situation.
"I'd really like to see a clearer statement from them on their front page," he told the BBC.
"A statement that they were taking steps to minimise the risks of passwords being exposed in the future and the risks to users if passwords were exposed would do a lot to reassure people. Simply saying, 'we need you to reset your password as a security precaution' is not enough."
Final tally 'higher'
Security analyst Imperva said it believed the breach was larger than had been acknowledged, as the list did not duplicate individual passwords, even though many were likely to have been used by more than one user.
"The list doesn't reveal how many times a password was used by the consumers," the company said.
"This means that a single entry in this list can be used by more than one person. For reference, in the [social network] RockYou hack the 5,000 most popular passwords were used by a share of 20% of the users. We believe that to be the case here as well, another indicator that the breach size exceeds 6.5m."
The password breach came just hours after the company admitted it had updated its mobile apps due to a privacy flaw.
In a blog post, Skycure Security said the the mobile app was sending unencrypted calendar entries to LinkedIn servers without users' knowledge.
In response LinkedIn said it would "no longer send data from the meeting notes section of your calendar". [bbc]