
LinkedIn clams up, on the back foot over security breach

Following the password breach announced earlier today, LinkedIn seems to have pulled the shutters down, refusing to elaborate on what went wrong.

Announced overnight, LinkedIn's small hacking problem has escalated wildly. Latest reports suggest that at least 60% of the breached accounts' passwords have already been cracked.

iTWire strongly recommends everyone log into LinkedIn and change their password. And those readers silly enough to reuse the password at sites which know the same email address should also change the password there (to something different!).

Sophos agrees with this sentiment.

With this breach clearly in mind, this afternoon iTWire approached LinkedIn for their thoughts on the breach. In response, we were told:

"We aren't participating in interviews at this time. However, we will continue to keep you in the loop regarding updates via the LinkedIn blog."

Goodness, all we wanted to know was what this meant for LinkedIn's subscribers.

For want of an answer, these are the questions we'd hoped to have answered (please excuse the 'chatty' language).

1. What led LinkedIn to detect the breach? Did you find out yourselves? Were you told? Did someone find the password dump and report to you guys?

2. Who has received the notification email? How confident are you that it has gone to all affected members? (I don't seem to be affected: I didn't receive any email, and earlier today I was able to log in and change my password.)

Note - at least 2 iTWire staffers found their LinkedIn account had been disabled and did NOT receive an email.

3. According to Vincente's blog (linked above) he refers to "enhanced security we just recently put in place." Does "recently" refer to before or after the breach was detected, as I would have expected the kinds of things he outlined would have been regarded as Security 101 topics... not an upgrade of existing security.

4. What is the background to confirming that "some of the passwords that were compromised correspond to LinkedIn accounts?" Is Vincente suggesting there is garbage in the list, that there is no matching LinkedIn account for a good number of the passwords? Also, if, as you are saying that only passwords are leaked, how are you linking them back to accounts? Is it a simple match-up of password hashes?


5. Has anyone analysed the login activity of those accounts that appear to have been breached for login attempts (whether successful or not) from IP addresses not previously used? Presumably there will be account access attempts for multiple accounts from a very small number of IP addresses. In addition, I would have thought that those members affected would like to know what data was read by any potential intruders.

6. How was the data obtained? It would seem that 6 million out of 140 million is a strange amount. Neither all of the database nor an amount that could be manually harvested. Was this an insider job? A genuine across-the-web hack? Something else?

All important to those affected and to most Internet users.
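As an added illustration of the login-activity review that question 5 asks for (this is example code written for this page, not anything from iTWire or LinkedIn), the script below runs two checks over a constructed login log: attempts from a source IP the account had not used during an assumed baseline window, and a single IP touching many distinct accounts. The log format, field names and the baseline cut-off are assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real data): timestamp, account, source IP, outcome.
# Everything before BASELINE_END is treated as the account's "known good" history.
SAMPLE_LOG = """\
2012-06-06T01:00:00 alice 203.0.113.5 success
2012-06-06T01:05:00 bob 198.51.100.7 success
2012-06-06T09:00:00 alice 203.0.113.5 success
2012-06-06T09:01:00 alice 192.0.2.44 failure
2012-06-06T09:01:30 bob 192.0.2.44 success
2012-06-06T09:02:00 carol 192.0.2.44 failure
2012-06-06T09:02:30 dave 192.0.2.44 success
2012-06-06T10:00:00 bob 198.51.100.7 success
"""

BASELINE_END = "2012-06-06T08:00:00"  # assumed cut-off; ISO timestamps sort as strings


def parse_log(text):
    """Split the constructed log into event dicts."""
    events = []
    for line in text.splitlines():
        ts, account, ip, outcome = line.split()
        events.append({"ts": ts, "account": account, "ip": ip, "outcome": outcome})
    return events


def new_ip_attempts(events, baseline_end=BASELINE_END):
    """Attempts after the cut-off from an IP the account never used before it."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_end:
            known[e["account"]].add(e["ip"])
    return [e for e in events
            if e["ts"] >= baseline_end and e["ip"] not in known[e["account"]]]


def ips_touching_many_accounts(events, min_accounts=3):
    """IPs that attempted at least min_accounts distinct accounts (any outcome)."""
    seen = defaultdict(set)
    for e in events:
        seen[e["ip"]].add(e["account"])
    return {ip: sorted(a) for ip, a in seen.items() if len(a) >= min_accounts}


def accounts_to_notify(events):
    """Accounts with a *successful* login from a never-before-seen IP: these are
    the members who would want to know what data an intruder may have read."""
    return sorted({e["account"] for e in new_ip_attempts(events)
                   if e["outcome"] == "success"})
```

With the sample log, the shared IP 192.0.2.44 is flagged for touching four accounts, and bob and dave are the accounts where such an attempt actually succeeded.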

To this, we repeat the response (mentioned earlier) from LinkedIn's Australian representative, "We aren't participating in interviews at this time. However, we will continue to keep you in the loop regarding updates via the LinkedIn blog."

This is simply not good enough. Not remotely good enough, especially for a publicly listed company.

Allow us to observe that organisations that are open about such problems tend to engender public support. Those that duck the issue seem to be taking the first step on a downward spiral to destruction.

And in the highly volatile social networking world (and the publicly-listed company world), confidence is everything.

BTW... for those intrepid souls who seek the stolen passwords; they're not on PasteBin (this time!). Also, if you trust it enough, there's a site (http://leakedin.org/) that will compare your password against the stolen list (of course, readers are welcome to randomly try password jackpot!).

Oh, and one other thing... will actively-trading LinkedIn shareholders treat this as a good thing, or a bad thing?
