Well, first of all, there is no connection to LinkedIn other than the suspected 'hacker' saying the file is from LinkedIn.
There are 6.5 million unique passwords in the file. LinkedIn has approximately 160 million registered members, so on average about 25 members would share each password. That could indeed be true.
But that would mean the 'hacker' has posted the password list of -all- LinkedIn members. And still many people confirm their password is -not- on the list.
For a list of 6.5 million unique LinkedIn passwords, far too many people are reporting that theirs is absent.
What people are doing at this stage is identifying themselves against a file of SHA-1 password hashes. But identifying yourself with a password is by no means reliable. Verifying yourself with a password is. Verification means you first state your name, and only then is the password compared against the record stored for that name.
So whenever a match with your password is found on the list, this doesn't mean it's YOUR password. It just means that someone, or some bot, once used that same password. Maybe you should try googling your password. Chances are pretty good it will bring you at least one hit.
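The distinction above, identifying with a bare password hash versus verifying a named account against its own salted record, as an added example that is not part of the original post. The leaked hash list, the usernames and the account store are constructed for illustration; the salted PBKDF2 storage is an assumption for the example, not a claim about how LinkedIn stored passwords.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example, not the real leaked file:
# a dump of unsalted SHA-1 hashes, like the file being discussed.
LEAKED_PLAINTEXTS = ["password", "linkedin", "123456", "Summer2012!", "letmein"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, the form the leaked file uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


LEAKED_HASHES = {sha1_hex(p) for p in LEAKED_PLAINTEXTS}


def password_in_leak(password: str, leaked_hashes: set) -> bool:
    """'Identifying' with a password: is the hash of this password in the dump?
    A hit only proves that someone, somewhere, once used this password."""
    return sha1_hex(password) in leaked_hashes


# Hypothetical account store: a per-user random salt and a slow salted hash
# (PBKDF2-HMAC-SHA256). This is an assumption made for the example.
ITERATIONS = 50_000


def make_record(password: str) -> dict:
    """Create a stored credential: random salt plus salted, iterated hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(username: str, password: str, records: dict) -> bool:
    """'Verifying' with a password: name first, then compare against that
    user's own salted record. This binds the password to one identity."""
    rec = records.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), rec["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, rec["hash"])


def users_sharing_password(password: str, records: dict) -> list:
    """Which accounts a single leaked password actually belongs to."""
    return sorted(u for u in records if verify(u, password, records))


# Constructed accounts: two users happen to share a password that is in the dump.
USERS = {
    "alice": make_record("Summer2012!"),
    "bob": make_record("correct horse battery staple"),
    "carol": make_record("Summer2012!"),
}

if __name__ == "__main__":
    print(password_in_leak("Summer2012!", LEAKED_HASHES))  # True: the hash is in the dump...
    print(users_sharing_password("Summer2012!", USERS))    # ['alice', 'carol']: ...and maps to two accounts
    print(verify("bob", "Summer2012!", USERS))             # False: a hit in the dump says nothing about bob
```

The hit in `LEAKED_HASHES` tells you a password was leaked, not whose; only `verify` ties a password to a name, and because each record carries its own salt, alice and carol get different stored hashes even though they chose the same password.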
At this stage I don't know how the file was compiled. The only thing we can confirm at this point is that the file contains words that match a 'strong' password policy.
And let's not forget, the chances that your 'strong' password is in a file of 6.5 million unique passwords are pretty good. And yet so many people confirm they are -not- on the list...
Please remember, you are NOT your password.
Do we really think LinkedIn uses SHA-1? Haven't their security specialists heard of the HBGary and Rootkit.com hack? Even salted SHA-1 is considered weak.
The passwords "WelcomeToLinkedIn" and "LeakedIn" are not on the list. Was there really nobody who came up with one of those?
OK, it seems I'm wrong. LinkedIn has just confirmed that at least part of the hashes correspond. It isn't a full confirmation, but it suggests one will come soon.
Those tweets convinced me: