[BreachExchange] Finally! LinkedIn Comes Clean About Mass Data Breach
Audrey McNeil
audrey at riskbasedsecurity.com
Fri May 27 14:29:47 EDT 2016
http://fortune.com/2016/05/26/linkedin-security-email/
Better late than never, I suppose. Four years after hackers plundered
millions of LinkedIn LNKD -0.83% usernames and passwords, the company has
decided to tell us what is going on, at last.
On Wednesday afternoon, users received an email titled “Important
information about your LinkedIn account,” describing the massive 2012 hack
and what the company is doing about it.
The short version of the email is something like this: “Yup, they hacked us
all right. And, in case you haven’t changed your password since 2012, we’ve
cancelled those older passwords. We’re working with law enforcement to
protect you.”
LinkedIn also suggests users adopt some basic security hygiene:
"While we do all we can, we always suggest that our members visit our
Safety Center to learn about enabling two-step verification, and
implementing strong passwords in order to keep their accounts as safe as
possible. We recommend that you regularly change your LinkedIn password and
if you use the same or similar passwords on other online services, we
recommend you set new passwords on those accounts as well."
While the 2012 hack was widely publicized at the time, the reason news of
it flared up again is because of reports last week that revealed the breach
was much, much bigger than initially thought.
It turns out that the hack affected 117 million email and password
combinations—not the 6.5 million reported in the past. Oh, and the whole
batch of them are for sale on the so-called dark web.
In its email, LinkedIn claimed that it “became aware” last week that the
data stolen in 2012 was being made available online. This seems a bit of
stretch—the whole point of stealing data is typically to sell it online—but
we’ll take them at their word. And, unlike so many other LinkedIn emails,
this one is definitely useful.
Oddly, the email did not include any acknowledgement or apology for the
dreadful security practices used by LinkedIn in the first place. These
included poor cryptography, such as failing to “salt” the data, which made
it easier for hackers to unscramble users’ passwords.
On the other hand, as security expert Troy Hunt reports in a definitive
account of the recent news, the 2012 breach is not the fault of the
company’s current leadership team, who are simply trying to clean up the
mess left by their predecessors.
You can check this site to see if your email is one of those that got
stolen in the LinkedIn hack here (mine was). And, for goodness sake, stop
using silly passwords like 12345, LinkedIn, or password.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160527/14ced1f0/attachment.html>
More information about the BreachExchange
mailing list