LinkedIn did not "salt" its hashes, which involves inserting random characters into the hash that make it more difficult for people trying a brute-force attack. The company said it is now .

Security vendor Sophos said it determined there were 5.8 million unique hashes out of the 6.5 million released after duplicates were eliminated. Of those 5.8 million, some 3.5 million hashes or about 60 percent had been successfully brute forced, Chester Wisniewski, senior security advisor.

Sophos compared the passwords used for LinkedIn with those used by the Conficker worm to spread through network drives. All but two of the simple passwords used by Conficker were also used by LinkedIn users, Wisniewski wrote.

LinkedIn uses a person's email address as part of its sign-in process, and it's not known if the hackers also have those addresses, which would make the breach even more severe since it would allow them to directly access a person's account. LinkedIn will have to release more information in order to restore the confidence of its users, said Cameron Camp, a security researcher with the security company ESET in San Diego.

"It will be very interesting to see in the next two to three days to see what LinkedIn says," Camp said.