Unsurprisingly, there are no clues about who 'stole' the password hash file or how they did it, but LinkedIn confirmed that the password hashes were theirs.
The company first disabled accounts with passwords known to have been decoded, followed by those that were on the list regardless of whether they had been decoded. This process was completed by the end of July 7, the day after the matter came to light.
LinkedIn officials say affected members were emailed instructions for resetting their passwords.
"At this time, there have been no reports of compromised LinkedIn accounts as a result of this password theft," the officials stated, adding "We are continuing to work with law enforcement as they investigate this crime."
Page 2: Apology
Hashing (in this context) converts a password into a fixed length string. The idea is that it avoids the need to store the password itself on the system. If the process is not easily reversible, the assumption is that if someone does gain access to the hash, a lot of work must be done to find a password that corresponds to the hash.
However, the widely-used SHA-1 hash function is more easily overcome than originally thought, and large amounts of processing power are becoming more widely available. Thus the party that gained access to the LinkedIn hash file was able to compute passwords that correspond to the hash values.
Salting feeds random data as well as the password into the hashing process, making it impractical to generate tables of passwords that correspond to given hash values.
"We can confirm that all member passwords now are not only hashed, but also salted, to provide an additional layer of security," LinkedIn officials said.
"We are profoundly sorry for this incident. Member security is vitally important to us, and transparency is a priority as well. We will provide further updates as warranted by any new developments."