Many of the hashes in the dump have five zeros as the first five characters of the hash. Graham wrote that some people "think that this means that the hacker has already cracked any passwords that have been zeroed out this way."
LinkedIn did not "salt" its hashes. Salting mixes random characters into each password before it is hashed, so that identical passwords produce different hashes and a brute-force attack has to be repeated for every entry. The company said it is now salting hashes.
Security vendor Sophos said it determined there were 5.8 million unique hashes out of the 6.5 million released after duplicates were eliminated. Of those 5.8 million, some 3.5 million hashes, or about 60 percent, had been successfully brute-forced, wrote Chester Wisniewski, senior security advisor.
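The two points above, the zeroed-out prefixes in the dump and the cost of leaving hashes unsalted, are easier to see in code. The following is an added example, not code from the article or from LinkedIn or Sophos; the password list and the "dump" are constructed sample values, and the 16-byte per-user salt is an assumed design choice. It shows why unsalted hashes collapse when duplicates are removed (many users, one hash), why per-user salts stop that, and how a defender would count entries carrying the five-zero prefix Graham described.

```python
import hashlib
import os
from collections import Counter

# Constructed sample data standing in for the leaked list; not real LinkedIn
# values. Repeated entries model different users who chose the same password.
SAMPLE_PASSWORDS = [
    "linkedin", "password", "123456", "linkedin", "qwerty", "password", "Tr0ub4dor&3",
]


def unsalted_sha1(password: str) -> str:
    """Hash the password on its own: the unsalted scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Mix a per-user random salt into the password before hashing it."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def new_salt(length: int = 16) -> bytes:
    """Per-user salt from the OS random source (assumed length); it is stored
    beside the hash so the same salt can be applied at login."""
    return os.urandom(length)


def hash_counts(passwords):
    """Unsalted: every user with the same password gets the same hash, so one
    successful guess exposes all of them. Returns hash -> number of users."""
    return Counter(unsalted_sha1(p) for p in passwords)


def unique_hash_count(passwords) -> int:
    """The deduplication step Sophos applied before counting cracked hashes."""
    return len(hash_counts(passwords))


def salted_hash_counts(passwords):
    """Salted: identical passwords yield different hashes, so the list cannot be
    collapsed by removing duplicate hashes and each entry must be attacked on its own."""
    return Counter(salted_sha1(p, new_salt()) for p in passwords)


def zeroed_prefix_entries(dump, prefix: str = "00000"):
    """Entries whose first five hex digits are zero, the pattern Graham noted."""
    return [h for h in dump if h.startswith(prefix)]


# Constructed dump: two ordinary hashes and one whose leading digits have been
# zeroed out in the way the article describes.
CONSTRUCTED_DUMP = [
    unsalted_sha1("password"),
    unsalted_sha1("qwerty"),
    "00000" + unsalted_sha1("123456")[5:],
]


if __name__ == "__main__":
    print("unique unsalted hashes:", unique_hash_count(SAMPLE_PASSWORDS),
          "of", len(SAMPLE_PASSWORDS))
    print("users behind the most shared unsalted hash:",
          hash_counts(SAMPLE_PASSWORDS).most_common(1)[0][1])
    print("salted hashes all distinct:",
          len(salted_hash_counts(SAMPLE_PASSWORDS)) == len(SAMPLE_PASSWORDS))
    print("zeroed-prefix entries in dump:", len(zeroed_prefix_entries(CONSTRUCTED_DUMP)))
```

Run it directly to see that seven constructed passwords produce only five unsalted hashes, that salting gives seven distinct hashes for the same input, and that one entry of the constructed dump carries the five-zero prefix. SHA-1 is used here only because that is the scheme in the dump; salting fixes the duplicate-collapse problem but not SHA-1's speed, so a slow, salted password hash is what a service should actually deploy.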
Sophos compared the passwords used for LinkedIn with those used by the Conficker worm to spread through network drives. All but two of the simple passwords used by Conficker were also used by LinkedIn users, Wisniewski wrote.
LinkedIn uses a person's email address as part of its sign-in process, and it's not known if the hackers also have those addresses, which would make the breach even more severe since it would allow them to directly access a person's account. LinkedIn will have to release more information in order to restore the confidence of its users, said Cameron Camp, a security researcher with the security company ESET in San Diego.
"It will be very interesting to see in the next two to three days to see what LinkedIn says," Camp said.