Two hours later, the company posted a second tweet saying that it was still unable to confirm if a security breach had occurred.
While the passwords appear to be encrypted, security researcher Marcus Carey warned that users should not take solace from such security measures.
“If a website has been breached, it doesn’t matter what encryption they’re using because the attacker at that point controls a lot of the authentication,” said Carey, who works at security-risk assessment firm Rapid7. “It’s ‘game over’ once the site is compromised.”
He said that if the breach is confirmed, he expects LinkedIn to require users to change their passwords with the threat of locking them out of the site if they don’t. Full containment of a breach would only be possible if every single password is changed or users are disabled, he said.
Cluley also warned that LinkedIn users should be careful about malicious email generated around the incident. The fear is that people, after hearing about the incident, would be tricked into clicking on links in those emails. Instead of taking them to the real LinkedIn site to change a password, the link would lead to a scammer, who can then collect the information and use it for criminal activities.
Shares of LinkedIn, which is based in Mountain View, California, fell 49 cents, or 0.5 percent, to $92.51 in U.S. afternoon trading Wednesday.
Follow Cassandra Vinograd on Twitter at http://twitter.com/CassVinograd