LinkedIn Corp’s silence on the extent of a security breach that exposed millions of user passwords has damaged its reputation among some business professionals, and may slow the growing company’s rise if the breach turns out to be more serious than disclosed.
Several days after news of the theft of the passwords emerged, the site with more than 160 million members still says it has yet to determine the full extent of the breach.
Some cyber security experts say LinkedIn did not have adequate protections in place, and warn that the company could uncover further data losses over the coming days as it tries to figure out what happened.
LinkedIn has hired outside forensics experts to assist as company engineers seek to determine how more than 6 million customer passwords turned up on underground sites frequented by criminal hackers.
Company spokesman Hani Durzy told Reuters that LinkedIn has invalidated the stolen passwords, even though it does not know if any other account information was stolen besides passwords.
The dearth of information has left some security professionals and customers worried that LinkedIn’s computer systems may have suffered a more serious breach.
“There is going to be more to come,” said Jeffrey Carr, chief executive of security firm Taia Global. “As long as they don’t know what happened here, there is a good chance that it is more widespread than originally thought.”
Customers whose passwords were among those stolen were still getting notified by LinkedIn as of Friday afternoon, days after news of the breach first surfaced.
Laura DiDio, a technology analyst with a consulting firm known as ITIC, said that was not fast enough.
“I am angry,” she said. “As soon as there was an inkling that there was a breach, they should have been all over this. I want to know what they are doing to correct this situation.”
Some security experts say the company’s data security practices were not as sophisticated as one would typically expect from a major Internet company.
For example, they noted that LinkedIn does not have a chief information officer or chief information security officer.