In this May 9, 2011 file photo, LinkedIn Corp., the professional networking Web site, displays its logo outside of headquarters in Mountain View, Calif. LinkedIn said Wednesday, June 6, 2012, it is investigating reports that more than six million passwords have been stolen and leaked onto the Internet. (Paul Sakuma/The Associated Press)

Social networking website LinkedIn Corp said it will provide an additional layer of online security to its members following last week's data breach, while adding that stolen passwords were not published with corresponding email logins.

Some cyber security experts had earlier said LinkedIn did not have adequate protections in place, and warned that the company could uncover further data losses over the coming days as it tries to find out what happened.

Late on Tuesday, the company said all member passwords were now "salted" -- a technique that greatly increases the time and computer power needed to crack an encrypted password.

The company, which has more than 160 million members on its site, said there had been no reports of accounts compromised by password theft.

Some security experts say the company's data security practices were not as sophisticated as one would typically expect from a major Internet company.

For example, they noted that LinkedIn does not have a chief information officer or chief information security officer.

Those are positions that typically supervise technology operations and computer security at large corporations.

Company spokeswoman Erin O'Hara said the company did not have managers with those titles, but that its senior vice president for operations, David Henke, oversees LinkedIn's security team.

LinkedIn has hired outside forensics experts to assist as company engineers and the FBI seek to determine how more than 6 million customer passwords turned up on underground sites frequented by criminal hackers.

Several experts said the company fell down in the way it encrypted, or scrambled, the passwords that were stored in the database.

Jeffrey Carr, chief executive of security firm Taia Global, said LinkedIn did not follow an industry standard for encryption.

There could be legal repercussions for that failure to comply with industry standards, said Gerald Ferguson, an attorney at Baker Hostetler who is an expert on privacy and intellectual property law.

He said that LinkedIn could face lawsuits if accounts had been breached since its terms of use say it employs the industry standard for security.

"If they can demonstrate that information hadn't been compromised, that would certainly give them a defense," Mr. Ferguson said.
