Lax Security Caused LinkedIn Security Breach

LinkedIn exposed 6.5 million customers to hackers last week, prompting speculation on the lousy security system in place at the social networking site. The stock price dipped slightly (US$92) on Thursday, but bounced back on Friday ($95), surging to $97 yesterday and eventually settling down to $94.29. The Thursday slump was due to Facebook’s stock price woes, and reportedly not connected to news of the password hack.

LinkedIn hacked, 6.5 million user passwords and personal data stolen. (Image: LinkedIn, overlay by Nick)

But LinkedIn’s reputation among its 150 million users may be indelibly marred. The site gives professionals a medium to connect, interact and search for jobs or opportunities. Users like myself put in a lot of personal data in our profiles, including home addresses, work experience and job history. I immediately changed my password after learning of the breach, but LinkedIn sources say they disabled all hacked passwords and notified affected users.

Goutama Bachtiar wrote an excellent piece on connecting with people you trust on LinkedIn. The networking site might have had an inkling of a potential breach but didn’t act on it. LinkedIn did not have a chief information officer (CIO) nor a chief information security officer (CISO), so no one was responsible for IT security. The professional networking site was caught with its pants down, but then again, all big companies are ripe targets for hackers.

The company is working with the US Federal Bureau of Investigation (FBI) on tracking down the culprits. Vicente Silveira, a LinkedIn director, expressed his apologies on his blog and explained the actions his company has taken in light of the breach.

Our first priority was to lock down and protect the accounts associated with the decoded passwords that we believed were at the greatest risk. We’ve invalidated those passwords and contacted those members with a message that lets them know how to reset their passwords. Going forward, as a precautionary measure, we are disabling the passwords of any other members that we believe could potentially be affected. Those members are also being contacted by LinkedIn with instructions on how to reset their passwords.

Silveira also said they “salted” the password database, adding more layers of technical protection. Salting adds random characters, at the beginning or the end of the password, before it is scrambled (hashed), so two users with the same password no longer end up with the same scrambled value. Users who do not get the email from LinkedIn should change their passwords anyway, just in case. Here are a few things to keep in mind when changing your passwords:

  • Use a combination of capital and lowercase letters, plus numbers and symbols, but don’t use “P@ssword123”.
  • Don’t use names of your pet, child, spouse or any personally-identifiable monikers in combination with birthdays or anniversaries.
  • Don’t reuse your old passwords or just jumble the numbers around the letters (123P@ssword or P@ss123word).
  • If you know you won’t remember your password down the road, keep it in a safe place, under an unassuming file name. Don’t label it “LinkedIn PW” and save it in your Documents folder.
  • Use different passwords for every account. Setting just one password means once someone gets hold of your password, they can open your Facebook, Twitter or any other account you hold.
  • Invest in password protection software or a password generator app.
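To make the salting point above concrete, here is an added Python example (not code from the article or from LinkedIn) contrasting a single fast hash of the bare password with a random per-user salt fed into a slow key-derivation function; the user names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: two users who happen to choose the same password.
USERS = {"alice": "Summer2012!", "bob": "Summer2012!"}
ITERATIONS = 200_000  # illustrative work factor; tune for your hardware


def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast hash of the bare password.
    Equal passwords always give equal digests, so a single precomputed
    table of common passwords matches every user who picked them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Stronger scheme: a random per-user salt is combined with the password
    *before* hashing, through a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt is stored in the clear beside the hash; it does not need to be secret."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def distinct_digests(users: dict, salted: bool) -> int:
    """Count distinct stored digests for the given users.
    Unsalted: shared passwords collapse to one digest (one recovery exposes all).
    Salted: every user gets a unique digest even with an identical password."""
    if salted:
        return len({salted_record(pw)["hash"] for pw in users.values()})
    return len({unsalted_hash(pw) for pw in users.values()})


if __name__ == "__main__":
    print("unsalted distinct digests:", distinct_digests(USERS, salted=False))  # 1
    print("salted distinct digests:", distinct_digests(USERS, salted=True))     # 2
    rec = salted_record(USERS["alice"])
    print("correct password verifies:", verify_salted("Summer2012!", rec))   # True
    print("wrong password verifies:", verify_salted("Summer2012?", rec))     # False
```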