LinkedIn Hack Compromises 6.5 Million Passwords
Is Your LinkedIn Password Safe?
It goes without saying (or does it?) that it is very important to have secure passwords online and to not use the same password for multiple sites! Now’s your chance. Get your internet security life together before it gets the best of you. If you’ve been working hard to promote your business on social media channels, the last thing you need is to lose control of those channels and sit by helplessly watching a hacker target all your quickly-dwindling connections with spam for the latest medical treatment. Am I right or am I right? And all the more tragic if you were counting on a password like “password” or “123456″ to protect you from email to banking to social media.
So let me borrow the first line of the official release from LinkedIn corporate, quoted below. “By now, many of you have read recent headlines reporting that 6.5 million LinkedIn hashed passwords were stolen and published on an unauthorized website.” Time to update passwords, folks. one of my favorite free browser password tools is LastPass. The idea is you let it take all the stored passwords OUT of your browsers (Firefox, Chrome, Safari, etc) and store them in an encrypted system for you. It even auto-logs you in to most websites. Handy. And secure. What that means is if you get Malware on your computer, it can’t suck the stored passwords out of your computer. One more thing: bad password = bigdog or 555000. Good password = B1gDz3roG#.
So here’s the scoop from LinkedIn:
By now, many of you have read recent headlines reporting that 6.5 million LinkedIn hashed passwords were stolen and published on an unauthorized website. We take this criminal activity very seriously so we are working closely with the FBI as they aggressively pursue the perpetrators of this crime. As you may have heard, there have been reports of other websites that have suffered similar thefts. We want to be as transparent as possible while at the same time preserving the security of our members without jeopardizing the ongoing investigation. In this post, we want to address questions we’ve been receiving and share what we’ve learned so far about the incident, how we’ve responded, and what we’re doing to protect our members going forward.
First, it’s important to know that compromised passwords were not published with corresponding email logins. At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded. Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords. The only information published was the passwords themselves.
Here are the most common questions we are being asked by our members:
1. Am I at risk of having my account breached? Thus far, we have no reports of member accounts being breached as a result of the stolen passwords. Based on our investigation, all member passwords that we believe to be at risk have been disabled.
2. News of the theft broke on Wednesday. Why didn’t I immediately receive notification that my password was disabled? As soon as we learned of the theft, we launched an investigation to confirm that the passwords were LinkedIn member passwords. Once confirmed, we immediately began to address the risk to our members, prioritized as follows:
- Based on our investigation, those members whom we believed were at risk, and whose decoded passwords already had been published, had their passwords quickly disabled and were sent an email by the Customer Service team.
- By the end of Thursday, all passwords on the published list that we believed created risk for our members, based on our investigation, had been disabled. This is true, regardless of whether or not the passwords were decoded. After we disabled the passwords, we contacted members with instructions on how to reset their passwords.
3. What is LinkedIn doing to protect its members?
We have built a world-class security team here at LinkedIn including experts such as Ganesh Krishnan, formerly vice president and chief information security officer at Yahoo!, who joined us in 2010. This team reports directly to LinkedIn’s senior vice president of operations, David Henke.
Under this team’s leadership, one of our major initiatives was the transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords, i.e. provided an extra layer of protection that is a widely recognized best practice within the industry. That transition was completed prior to news of the password theft breaking on Wednesday. We continue to execute on our security roadmap, and we’ll be releasing additional enhancements to better protect our members.
4. My password has not been disabled, what should I do now? If your password has not been disabled, based on our investigation, we do not believe your account is at risk.
However, it is good practice to change your passwords on any website you log into every few months. For that reason, we have provided information to all of our members via the LinkedIn Blog, as well as a banner on our homepage instructing members on how to change their passwords.
Once again, we truly apologize for any inconvenience this has caused you, our members.
So then, get on it and get those passwords “adjusted”. You will be very glad that you did it!
To Your Success!
Eric Bryant