LinkedIn confirms 'some' passwords leaked

06.06.2012

The breached list shows that LinkedIn did not use best practices in protecting the passwords, he said. The hashes that were used to mask the real passwords were so-called unsalted SHA-1 hashes. SHA-1 is a hashing algorithm that is used to protect passwords. Because SHA-1 isn't foolproof, security experts have for some time recommended that organizations use a technique called "salting" to make passwords harder to crack. With salting, an application applies a random string of characters to a password before it is hashed. The process ensures that even if two passwords are identical, their hashes will be unique.
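To make the difference concrete, the following is an added example (not code from the article, from LinkedIn, or from the analysts quoted). It contrasts the unsalted SHA-1 scheme described above with a per-user-salted form; the salted construction (a 16-byte random salt with PBKDF2-HMAC-SHA1) is an assumption for illustration, since the article does not say which construction LinkedIn adopted. The user records are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts: two users happen to share a password.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "correct horse"}

PBKDF2_ITERATIONS = 100_000  # assumption: a deliberately slow iteration count


def unsalted_sha1(password: str) -> str:
    """The weak scheme from the article: SHA-1 over the bare password.
    Identical passwords always produce identical hex digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: bytes = None) -> tuple:
    """Salted form (assumed construction): a fresh random salt per user is
    mixed into the hash, so equal passwords yield different stored digests."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_password_groups(stored: dict) -> list:
    """Defender-side audit: in an unsalted store, users with the same hash
    share a password, which is visible without cracking anything. A salted
    store returns no groups for this check. `stored` maps user -> hash."""
    by_hash = defaultdict(set)
    for user, h in stored.items():
        by_hash[h].add(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    print("unsalted duplicates:", shared_password_groups(unsalted))
    salted = {u: salted_record(p)[1].hex() for u, p in USERS.items()}
    print("salted duplicates:", shared_password_groups(salted))
```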

In an apparent response to the focus on the unsalted hashing issue, Silveira noted that LinkedIn recently added enhanced security measures for salting and hashing its password databases. Silveira's post does not indicate when LinkedIn began the practice.

The compromise is a big deal for LinkedIn users, said John Pescatore, an analyst with Gartner. "LinkedIn definitely had to have some kind of serious security incident for this to happen. And they probably had lax security policies or controls for a simple unsalted hash file like this to exist," he said.

One worrisome aspect of the breach is that it could enable more targeted phishing attacks, he said. "LinkedIn is a great research site for hackers creating targeted phishing attacks to go after system administrators, CFOs, etc.," he said. "If they had access to the non-public parts of people's LinkedIn profiles, we will see even better targeted phishing attacks."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.