While Facebook’s stock languishes, shares of the world’s most popular social network for professionals, LinkedIn, have been treated far more kindly. With a forward price-to-earnings ratio of approximately 75, investors are betting that LinkedIn’s future is bright.
But the company may be in for a rough patch as word broke today that some 6.5m passwords have been stolen from the social network.
The good news: the passwords are hashed, meaning that whoever holds the file cannot simply log into the compromised accounts with it. The bad news: the passwords are unsalted, meaning those in possession of the hashed passwords will likely have a far easier time cracking them: without a salt, every account that shares a password gets the identical hash, so one precomputed lookup table serves the entire dump.
According to Graham Cluley, a senior technology consultant at security vendor Sophos, the compromised passwords are apparently hashed using the SHA-1 algorithm, which researchers have shown to be subject to attack. If hackers are able to crack the passwords and they have the associated email addresses — something that Cluley suggests is reasonable to assume — LinkedIn could have a real problem on its hands.
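The following is an added example, written for this article and not code from LinkedIn or from the researchers quoted; the accounts and the wordlist are constructed, and the PBKDF2 iteration count is an assumed default. It shows the three things the preceding paragraphs argue: an unsalted SHA-1 store collapses shared passwords to one hash value, a single precomputed table built once applies to every such dump, and a per-user salt makes the same hash function immune to that table. It also goes one step beyond the article's "salt it" advice and shows salted, deliberately slow storage with PBKDF2 from the Python standard library, which is what a practitioner would actually deploy.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; not data from the LinkedIn dump.
# Two users share a password, as routinely happens in any real user base.
ACCOUNTS = {
    "alice@example.com": "password123",
    "bob@example.com": "password123",
    "carol@example.com": "correct horse battery staple",
}

# Constructed wordlist standing in for the much larger lists used in practice.
COMMON_WORDS = ["123456", "password", "password123", "linkedin"]


def unsalted_sha1(password: str) -> str:
    """The scheme the article describes: SHA-1 over the password alone."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """The same hash function with a per-user random salt mixed in."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def unsalted_store(accounts: dict) -> dict:
    """user -> hash, as an unsalted database would hold it."""
    return {user: unsalted_sha1(pw) for user, pw in accounts.items()}


def salted_store(accounts: dict) -> dict:
    """user -> (salt, hash); the salt is stored in the clear beside the hash."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_sha1(pw, salt))
    return store


def distinct_hashes(store: dict) -> int:
    """How many different hash values a store contains. Without a salt,
    shared passwords collapse to one value, so this is below the user count."""
    values = [v[1] if isinstance(v, tuple) else v for v in store.values()]
    return len(set(values))


def precomputed_table(words) -> dict:
    """hash -> word for the unsalted scheme. Built once, it applies to every
    unsalted SHA-1 dump ever leaked; this reuse is the cost a salt removes."""
    return {unsalted_sha1(w): w for w in words}


def accounts_in_table(store: dict, table: dict) -> list:
    """Defender's check: which of our unsalted hashes already appear in a
    public table and therefore must be reset first."""
    return sorted(user for user, h in store.items() if h in table)


def make_pbkdf2_record(password: str, iterations: int = 200_000) -> dict:
    """Salted, deliberately slow storage via PBKDF2-HMAC-SHA256 from the
    standard library. The iteration count is an assumed default here."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_pbkdf2(password: str, record: dict) -> bool:
    """Recompute with the stored salt and count, then compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    plain = unsalted_store(ACCOUNTS)
    salted = salted_store(ACCOUNTS)
    table = precomputed_table(COMMON_WORDS)
    print("distinct unsalted hashes:", distinct_hashes(plain), "of", len(ACCOUNTS))
    print("distinct salted hashes:  ", distinct_hashes(salted), "of", len(ACCOUNTS))
    print("accounts hit by the table:", accounts_in_table(plain, table))
    rec = make_pbkdf2_record("correct horse battery staple")
    print("pbkdf2 verify:", verify_pbkdf2("correct horse battery staple", rec))
```

The unsalted store holds only two distinct values for three users, and the small table already covers both accounts that chose a common password. The salted store holds three distinct values and none of them is in the table, even though the hash function is unchanged; that is the whole point of the "long-established best practice" the article refers to. PBKDF2 adds the second property a modern store needs, a tunable cost per guess, so that even a per-account attack on a salted hash is slow.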
The timing couldn’t be worse for LinkedIn. Yesterday, two security researchers announced that LinkedIn’s iOS application sends its users’ calendar entries to LinkedIn’s servers in plaintext. They explained:
LinkedIn’s mobile application has an interesting feature that allows users to view their iOS calendars within the app. However, it turns out that LinkedIn have decided to send detailed calendar entries of users to their servers. The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes. If you have decided to opt-in to this calendar feature in iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every time you open your LinkedIn app.
The researchers, Adi Sharabani and Yair Amit, suggest that LinkedIn technically doesn’t need to submit all of this data to its servers to provide calendar synchronization functionality, and point out that in any case, LinkedIn’s approach may run afoul of Apple’s privacy guidelines, which forbid apps from transmitting user data without the user’s permission.
Both the app issue and the apparent password compromise highlight a disturbing fact: even the biggest and best web companies are still making huge mistakes that have significant security implications for their users. In the case of the iOS app, LinkedIn may not have been acting with poor intent (à la, perhaps, Path), but that doesn’t mean that its poor approach didn’t put users at risk. And in the case of the password breach, the fact that LinkedIn didn’t follow a long-established best practice (salting passwords) is quite surprising.
Both flaws serve as a strong reminder to users of online services: you should trust that the companies you engage with want to do the right things, but you can never assume that they’re actually doing the right things.