LinkedIn Password Breach Affects Millions
By Samuel Greengard
The security hits just keep on coming. On Wednesday, social media service LinkedIn confirmed reports that the service had been hacked and approximately 6.5 million user passwords had been stolen. "We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts," wrote LinkedIn director Vicente Silveira in a blog post.
Yet, remarkably, LinkedIn did not post a banner or alert on the site to warn its users. Presumably, they had to find out about the breach via the news media, colleagues or other sources.
Members with accounts affected by the breach will find that their passwords no longer work. LinkedIn has invalidated these passwords, and the company will send out instructions--without a link--on how to reset the passwords, Silveira noted. Those affected will also receive a second e-mail from the company's customer service department providing more information about the event—as well as about security best practices.
Aaron Higbee, CTO and co-founder of PhishMe, stated in a blog post on Wednesday that forcing those with compromised accounts to reset their passwords is the right approach. On the other hand, if LinkedIn had followed in the footsteps of Internet retailer Zappos and allowed users to log into accounts and reset passwords on their own, a full-fledged disaster could have ensued, he said.
Security firm ESET reports that the hack appears to have originated in Russia, and the passwords, posted on the Internet by the hacker as proof of the breach, appeared in the encrypted (secure hashed algorithm) SHA1 format that LinkedIn used for its database.
Particularly disturbing, notes Cameron Camp, security researcher at ESET, is the fact that "people put real professional information on the site. It's not just what party they plan on attending." Moreover, LinkedIn "has the aggregate effect of garnering a form of peer review on what you post about yourself … mess with somebody's professional profile and you're messing with their life," he adds.
The security breakdown is also troubling on another level. "This breach is significant because it shows that having a strong password, though important, is irrelevant if enterprises don't protect them properly," states Rob Rachwald, director of security strategy for Imperva. "Enterprises must be much more diligent about implementing a strong password architecture."
Rachwald recommends that LinkedIn users change their passwords immediately--particularly if the same password is used for other sites. He says it's also critical to be on the lookout for spam and phishing attempts involving LinkedIn. In fact, ESET discovered that one such scam was already in circulation by Wednesday afternoon. The email, claiming to be from LinkedIn, asks recipients to click on a link to confirm their email address.
More importantly, enterprises must use better security methods to protect passwords. LinkedIn claims that it has "just recently" adopted more stringent security procedures, including hashing and salting its user database.
Rachwald says that salting—which "randomly adds characters to a password so that even if a password database is breached, the correct password can't be accessed"—is an IT best practice that cannot be overlooked. "Salting, on top of encryption, makes it very hard for a hacker to deduce your password," he says.
Concludes ESET’s Camp: "Users have entrusted LinkedIn with keeping droves of sensitive data and presumed that it was taking commensurate steps to protect it. This worries some who feel that if LinkedIn can get hacked, who can be safe?