Questions for LinkedIn
- Approximately 6,000,000 password hashes have been released. How many users are you notifying?
- When did you begin to use salted hashes for password storage, and how were/are users phased into the new scheme?
- From your most recent blog post, it seems possible that not all accounts are using the newest scheme. How many password storage mechanisms are currently in use?
- Why was unsalted SHA-1 selected for your prior scheme? Were there architectural constraints that led you to trade security off against convenience or performance?
- What precisely is the current password storage method? Upon what basis was it selected (especially if it is not bcrypt, scrypt, or PBKDF2)?
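The three questions above (the move from unsalted SHA-1 to a salted scheme, how users get phased into it, and why a slow KDF such as PBKDF2 matters) are easier to reason about with a concrete storage layer in front of you. The following is an added example, not LinkedIn's code and not based on anything LinkedIn has published: it models a legacy unsalted SHA-1 record, a salted PBKDF2-HMAC-SHA256 record, and an "upgrade on successful login" path that is the usual way to phase users into a new scheme without knowing their plaintext passwords. The user table, record formats (`sha1$…`, `pbkdf2_sha256$…`) and iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample user table (not real data): three users, two of whom reuse a password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "password",
    "carol": "password",
}

LEGACY_PREFIX = "sha1$"            # hypothetical record tag for the old scheme
MODERN_PREFIX = "pbkdf2_sha256$"   # hypothetical record tag for the new scheme
PBKDF2_ITERATIONS = 600_000        # illustrative work factor; tune to your hardware budget


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1, stored as 'sha1$<hex>'.

    Because there is no salt, every user with the same password gets the
    same record, and one digest computation can be compared against the
    whole table at once. That is the weakness the salted scheme removes.
    """
    return LEGACY_PREFIX + hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'.

    A fresh 16-byte random salt per user makes equal passwords produce
    different records, and the iteration count makes each guess expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{MODERN_PREFIX}{iterations}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a record of either scheme.

    Returns (ok, upgraded_record). When a legacy SHA-1 record verifies, the
    caller receives a new PBKDF2 record to persist, which is how accounts are
    migrated one login at a time; otherwise upgraded_record is None.
    """
    if stored.startswith(LEGACY_PREFIX):
        ok = hmac.compare_digest(legacy_sha1(password), stored)
        return ok, (make_pbkdf2(password) if ok else None)
    if stored.startswith(MODERN_PREFIX):
        _, iters, salt_hex, hash_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), hash_hex), None
    raise ValueError("unknown password record format")


def distinct_records(records: Dict[str, str]) -> int:
    """How many distinct stored records a table holds; reused passwords collapse under SHA-1."""
    return len(set(records.values()))


if __name__ == "__main__":
    legacy = {u: legacy_sha1(p) for u, p in SAMPLE_USERS.items()}
    modern = {u: make_pbkdf2(p) for u, p in SAMPLE_USERS.items()}
    print("distinct legacy records:", distinct_records(legacy))   # 2: bob and carol collide
    print("distinct salted records:", distinct_records(modern))   # 3: salts separate them

    # Simulated login by bob while his record is still in the legacy format.
    ok, upgraded = verify_and_upgrade(legacy["bob"], "password")
    print("bob login ok:", ok, "| record upgraded:", upgraded is not None)
    # After persisting the upgraded record, later logins verify against PBKDF2 only.
    print("bob re-login:", verify_and_upgrade(upgraded, "password"))
```

Two design points worth noting. The scheme tag at the front of each record is what lets the question "how many password storage mechanisms are currently in use?" be answered with a single query over the table. And the upgrade-on-login path is inherently gradual: accounts whose owners never log in again keep their legacy record indefinitely, which is why a migration usually ends with forcing a reset on whatever remains rather than waiting forever.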
- What information, other than the hashes, was exposed in this incident?
- Are you confident the extent of the breach (assuming it was from the outside) has been determined?
- What was the root cause of the exposure (e.g., SQL injection)?
- From various comments, it seems the hashes may be from passwords a few months old. Can you confirm this, and provide an estimated age for the exposed hashes?
- When were the hashes obtained? Were they obtained from a live system some time in the past, or were older hashes (e.g., from a system backup) obtained recently?
- When, and via what means, did LinkedIn become aware of this exposure?
- What follow-up actions, beyond user account locking and notification, are being taken?