Hackers have managed to access more than 6 million LinkedIn passwords, according to data posted online.
As reported by The Verge, a user in a Russian forum uploaded 6,458,020 hashed passwords. It's unclear if usernames were involved.
"Our team is currently looking into reports of stolen passwords. Stay tuned for more," LinkedIn tweeted earlier today. Later, it said that its team "continues to investigate, but at this time, we're still unable to confirm that any security breach has occurred."
As of March 2012, LinkedIn had about 161 million members, so the hack affects about 4 percent of the enterprise social network's users.
As The Verge pointed out, meanwhile, the passwords were stored as unsalted SHA-1 hashes, which means hackers will still have to do a little work to get at the actual passwords.
In a blog post, Sophos analyst Graham Cluley speculated that "hackers are [already] working together to crack them," and urged LinkedIn users to change their passwords immediately.
"Although the data which has been released so far does not include associated email addresses, it is reasonable to assume that such information may be in the hands of the criminals," Cluley continued.
Reports of the password hack came the same day that LinkedIn pledged to better secure its mobile calendar function. LinkedIn's calendar offering syncs with your device's calendar to serve up the LinkedIn profile of people you are about to meet.
To do that, certain information about your calendar events are sent to LinkedIn's servers. The company insisted that the data is "sent securely over SSL and we never share or store your calendar information," but recent reports about the process suggested that some users might not be comfortable with giving LinkedIn access to this data.
As a result, LinkedIn pledged to no longer collect information in the notes section of your calendar. The company will also place a "learn more" link with its calendar service with more information about how your data is used.
The updates are currently live on Android and should be rolled out to iOS "shortly," LinkedIn said.
A similar issue affected San Francisco-based startup Path earlier this year after a blogger discovered that the Path iPhone app was uploading users' entire address books, including full names, emails and phone numbers, without permission. Path later anonymized that data.
The problem was not limited just to Path, however, prompting companies like Instagram and Twitter to update or clarify their policies. Two members of Congress penned a letter to Apple asking the company for more information about iOS apps that access users' contact lists.
Update: In an afternoon blog post, LinkedIn said it was "still unable to confirm that any security breach has occurred." Out of caution, however, the company also urged users to change their passwords, and keep tabs on the situation on Twitter via @LinkedIn and @LinkedInNews.
Ars Technica, meanwhile, reported that a list of about 1.5 million passwords appears to include users of dating website eHarmony. "A statistically significant percentage of users regularly pick passcodes that identify the site hosting their account. At least 420 of the passwords in the smaller list contain the strings 'eharmony' or 'harmony,'" Ars said. EHarmony did not respond to a PCMag request for comment.
Update 2: LinkedIn this afternoon confirmed the hack.