Over Six Million LinkedIn Passwords Stolen, Now What?
by Jean Westcott on June 8th, 2012
News was swirling around the Internet this morning about postings in a Russian forum indicating that over six million passwords had been obtained by an unauthorized user. After investigating, LinkedIn has confirmed in a blog post that it does believe that the passwords were compromised and that it was going to contact affected users with steps to protect their accounts.
LinkedIn Director Vicente Silveira wrote:
“We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.”
The blog post goes on to explain that the stolen password data was partially encrypted via “hashing.” Hashing is the practice of using an algorithm to alter values in a database by some known function. A programmer takes the plain text of your password, the readable form you type, and applies a “hash” to it before it is stored.
If the database is compromised, someone would need the key (the algorithm) to be able to translate the password back into plain text. LinkedIn said that this was the case with their database. Most security experts recommend applying a second algorithm to further encode the data stored in the password database; this is called “rehashing” or “salting.”
LinkedIn said passwords that were not compromised were being both hashed and salted and that new passwords would also be hashed and salted.
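To make the difference between a plain hash and a salted hash concrete, here is an added Python example; it is not LinkedIn's code and is not from the original post. The post names neither algorithm, so the example assumes SHA-256 for the plain hash and PBKDF2-HMAC-SHA256 for the salted form, and the three sample accounts are constructed. With a plain hash, two users who chose the same password end up with identical stored values, so one leaked table can be matched against every account at once; a random per-user salt plus a deliberately slow, iterated hash gives every account a distinct value that has to be checked one at a time.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample accounts (not real data): alice and bob share a password.
USERS: Dict[str, str] = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery",
}

ITERATIONS = 100_000  # work factor for the salted form; raise in production


def plain_hash(password: str) -> str:
    """Unsalted hash (SHA-256 assumed): the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 assumed).

    A fresh 16-byte random salt is drawn per account when none is supplied.
    Returns (salt, digest); both must be stored to verify later.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, stored_digest: bytes,
           iterations: int = ITERATIONS) -> bool:
    """Recompute the salted hash and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


def unsalted_collisions(users: Dict[str, str]) -> int:
    """Number of accounts whose stored plain hash duplicates another account's."""
    digests = [plain_hash(pw) for pw in users.values()]
    return len(digests) - len(set(digests))


def build_salted_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """What a properly salted password table looks like: one (salt, digest) per user."""
    return {name: salted_hash(pw) for name, pw in users.items()}


def salted_collisions(users: Dict[str, str]) -> int:
    """Duplicate stored digests in the salted table; expected to be zero."""
    digests = [digest for _, digest in build_salted_table(users).values()]
    return len(digests) - len(set(digests))


if __name__ == "__main__":
    print("duplicate plain hashes :", unsalted_collisions(USERS))   # 1 (alice == bob)
    print("duplicate salted hashes:", salted_collisions(USERS))     # 0
    table = build_salted_table(USERS)
    salt, digest = table["alice"]
    print("alice login ok         :", verify("Summer2012!", salt, digest))
    print("alice wrong password   :", verify("Winter2012!", salt, digest))
```

Storing the salt next to the digest is fine: its job is to make each stored value unique, not to stay secret. The iteration count is what makes each guess expensive for whoever holds a stolen copy of the table, which is the property the post's "more aggressive" protection refers to.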
So what should you do?
Don’t wait to be notified
Change your LinkedIn password
Choose a secure password that you don’t use elsewhere
Never follow links in an email to change your password or to alter personal information such as Social Security number, email addresses, home addresses, phone numbers or bank/credit card account numbers
Watch your LinkedIn account for any strange activity
If you notice strange messages from LinkedIn connections, things that are out of character, treat those messages with a good dose of skepticism and alert your connections to the strange activity via a method OTHER than LinkedIn
The companies you entrust with your data have a role as well. Organizations need to be trustworthy, proactive, honest and responsive. A determined hacker will always be able to break in, just as a determined thief in the real world will always be able to break into a building or car. Companies need to avoid making it easy to get in, make the information difficult to reuse, respond to any signs of a break-in, and then work hard not only to protect your accounts from damage but also to assure you that they will take even greater care of your accounts in the future.
LinkedIn messed up here by not using more aggressive encryption, but if they can act swiftly and resolutely, and earn back our trust by being open and honest, we can go on using their service to further our careers.