1. Approximately 6,000,000 password hashes have been released. How many users are you notifying?

2. When did you begin to use salted hashes for password storage, and how were/are users phased into the new scheme?

3. From your most recent blog post, it seems possible that not all accounts are using the newest scheme. How many password storage mechanisms are currently in use?

4. Why was unsalted SHA-1 selected for your prior scheme? Were there architectural constraints that led you to trade security off against convenience or performance?

5. What precisely is the current password storage method? Upon what basis was it selected (especially if it is not bcrypt, scrypt, or PBKDF2)?

6. What information, other than the hashes, was exposed in this incident?

7. Are you confident the extent of the breach (assuming it was from the outside) has been determined?

8. What was the root cause of the exposure (e.g., SQL injection)?

9. From various comments, it seems the hashes may be from passwords a few months old. Can you confirm this, and provide an estimated age for the exposed hashes?

10. When were the hashes obtained? Were they obtained from a live system some time in the past, or were older hashes (e.g., from a system backup) obtained recently?

11. When, and via what means, did LinkedIn become aware of this exposure?

12. What follow-up actions, beyond user account locking and notification, are being taken?
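As an added illustration of what questions 2, 4 and 5 are driving at (example code written for this post, not LinkedIn's implementation, whose actual scheme is unknown): an unsalted SHA-1 record lets anyone holding the dump see which users share a password, while a per-user salt plus a slow KDF does not, and the usual way to phase users into the new scheme is to re-hash at login, the only moment the plaintext is available. The record format `pbkdf2_sha256$iterations$salt$hash` and the choice of PBKDF2-HMAC-SHA256 (standard library; bcrypt or scrypt would serve equally) are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the example


def legacy_sha1(password: str) -> str:
    """Prior scheme discussed above: one unsalted SHA-1 hex digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened record: random 16-byte salt, slow KDF, self-describing format (assumed)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def verify_and_migrate(password: str, record: str) -> Tuple[bool, str]:
    """Accept either scheme; a legacy record that verifies is returned re-encoded
    under the new scheme so the caller can store it (migration on next login)."""
    if record.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(password, record), record
    if hmac.compare_digest(legacy_sha1(password), record):
        return True, pbkdf2_record(password)
    return False, record


def shared_password_groups(records: Dict[str, str]) -> List[List[str]]:
    """Group users whose stored records are byte-identical. With unsalted SHA-1
    this reveals shared passwords from the dump alone; salted records never group."""
    by_hash: Dict[str, List[str]] = {}
    for user, rec in records.items():
        by_hash.setdefault(rec, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    # constructed sample users, not real accounts
    legacy = {"alice": legacy_sha1("s3cret"), "bob": legacy_sha1("s3cret"), "carol": legacy_sha1("other")}
    salted = {u: pbkdf2_record(p) for u, p in [("alice", "s3cret"), ("bob", "s3cret")]}
    print("legacy groups:", shared_password_groups(legacy))  # [['alice', 'bob']]
    print("salted groups:", shared_password_groups(salted))  # []
    ok, upgraded = verify_and_migrate("s3cret", legacy["alice"])
    print("migrated:", ok, upgraded.startswith("pbkdf2_sha256$"))
```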