A hacker has posted 6.5 million encrypted passwords from LinkedIn on the internet.
Sophos researchers have confirmed that the file posted on a Russian web forum contains LinkedIn passwords.
Hackers are working together to decrypt them.
Although the data released so far does not include associated e-mail addresses, it is reasonable to assume such information could be in the hands of the criminals, Sophos said.
It is believed the data is encrypted using SHA-1. In 2010 a hacker proved it was possible to crack an SHA-1 encrypted file in 45 minutes.
However, on the Naked Security blog, Sophos researcher Paul Ducklin noted that to crack a relatively small number of real-world passwords would cost nearly $2,000 of Amazon EC2 compute time.
So should LinkedIn users be worried? "It would seem sensible to suggest to all LinkedIn users that they change their passwords as soon as possible as a precautionary step," said Graham Cluley, senior technology consultant at Sophos.
"Of course, make sure the password you use is unique – in other words, not used on any other websites – and that it is hard to crack.
"If you were using the same passwords on other websites - make sure to change them too.
"And never again use the same password on multiple websites."
