A feared hack of the social networking site LinkedIn may be worse than previously feared, a security firm has said.
On Wednesday it was revealed up to 6.5m passwords had been leaked after a breach by hackers.
A user on a Russian forum claimed to have downloaded 6.46m encrypted passwords for the business-focused website.
LinkedIn confirmed that at least some of the leaks corresponded to LinkedIn accounts, and recommended its users changed their passwords.
But on Thursday Imperva Application Defence Centre said that many more than 6.5m passwords may have been leaked.
Imperva said the password list being passed around hacking forums was missing "easy" passwords which most people continue to use, such as "12345" and other sequential lists or common words.
It added that since passwords are only listed once on the file, it is likely many were used by multiple users and that the true number of compromised accounts is higher.
The security firm said LinkedIn's passwords weren't "properly protected", but admitted the main evidence that the hack targeting the social network specifically was just the prevalence of the word 'linkedin' in many passwords.
"LinkedIn was probably breached but the password database doesn't indicate this specifically," Imperva said. "Many of the passwords contained a high volume of the word, or a variation of the word, "linkedin".
"This indicates that the pool of passwords comes from LinkedIn, though the hacker hasn't specifically made such a connection.
LinkedIn has apologised but said it is continuing to investigate the hack.
"We sincerely apologise for the inconvenience this has caused our members. We take the security of our members very seriously." said Vincente Silveira on the company's blog.
Claus Villumsen, CTO of internet security company BullGuard told Huff Post UK on Wednesday hackers could use the passwords from LinkedIn to potentially log into email accounts which use the same password.
"Your password should always be treated like a toothbrush, never share it with anyone else and change it frequently. That's a good rule of thumb.
"The details at risk here in this case are emails, phone numbers and passwords. I'm pretty sure LinkedIn wouldn't store credit card information. What's worrying if using the same password you could potentially log in to anything else."