LinkedIn clams up, on the back foot over security breach

Following the password breach announced earlier today, LinkedIn seems to have pulled the shutters down, refusing to elaborate on what went wrong.

Announced overnight, LinkedIn's small hacking problem has escalated wildly. Latest reports suggest that at least 60% of the breached accounts' passwords have already been cracked.

iTWire strongly recommends everyone log into LinkedIn and change their password. And those readers silly enough to reuse the password at sites which know the same email address should also change the password there (to something different!).

Sophos agrees with this sentiment.

With this breach clearly in mind, this afternoon iTWire approached LinkedIn for their thoughts on the breach. In response, we were told:

"We aren't participating in interviews at this time. However, we will continue to keep you in the loop regarding updates via the LinkedIn blog."

Goodness, all we wanted to know was what this meant for LinkedIn's subscribers.

For want of an answer, these are the questions we'd hoped to have answered (please excuse the 'chatty' language).

1. What led LinkedIn to detect the breach? Did you find out yourselves? Were you told? Did someone find the password dump and report to you guys?

2. Who has received the notification email? How confident are you that it has gone to all affected members? (I don't seem to be affected, I didn't receive any email and earlier today was able to log in and changed my password)

Note - at least 2 iTWire staffers found their LinkedIn account had been disabled and did NOT receive an email.

3. According to Vincente's blog (linked above) he refers to "enhanced security we just recently put in place." Does "recently" refer to before or after the breach was detected, as I would have expected the kinds of things he outlined would have been regarded as Security 101 topics... not an upgrade of existing security.

4. What is the background to confirming that "some of the passwords that were compromised correspond to LinkedIn accounts?" Is Vincente suggesting there is garbage in the list, that there is no matching LinkedIn account for a good number of the passwords? Also, if, as you say, only passwords were leaked, how are you linking them back to accounts? Is it a simple match-up of password hashes?


5. Has anyone analysed the login activity of those accounts that appear to have been breached for login attempts (whether successful or not) from IP addresses not previously used? Presumably there will be account access attempts for multiple accounts from a very small number of IP addresses. In addition, I would have thought that those members affected would like to know what data was read by any potential intruders.

6. How was the data obtained? It would seem that 6 million out of 140 million is a strange amount. Neither all of the database nor an amount that could be manually harvested. Was this an insider job? A genuine across-the-web hack? Something else?
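The check question 5 asks for, written out as an added example (not code from iTWire or LinkedIn): it scans a constructed auth log for attempts against breached accounts from source IPs those accounts have never used, and surfaces IPs that touch several breached accounts. The log format, the breached-account list and the per-account IP history are all assumed for the example.

```python
# Added example: flag logins to breached accounts from IPs those accounts never used,
# and surface source IPs that touch several breached accounts (the check in question 5).
from collections import defaultdict

# Constructed auth log: timestamp, account, source IP, outcome.
AUTH_LOG = """\
2012-06-05T01:02:03Z alice@example.com 203.0.113.10 success
2012-06-05T01:05:44Z bob@example.com 203.0.113.10 failure
2012-06-05T01:06:01Z bob@example.com 203.0.113.10 success
2012-06-05T01:07:15Z carol@example.com 203.0.113.10 failure
2012-06-05T02:00:00Z dave@example.com 198.51.100.7 success
2012-06-05T02:30:00Z alice@example.com 192.0.2.55 success
"""

# Constructed: accounts whose password hashes appeared in the dump.
BREACHED = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed: each account's historical (pre-breach) source IPs.
KNOWN_IPS = {
    "alice@example.com": {"192.0.2.55"},
    "bob@example.com": {"192.0.2.80"},
    "carol@example.com": {"192.0.2.91"},
    "dave@example.com": {"198.51.100.7"},
}

def parse_log(text):
    """Yield (timestamp, account, ip, outcome) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)

def find_suspect_logins(log_text, breached, known_ips, min_accounts=2):
    """Return (events, shared): events are attempts (successful or not) against
    breached accounts from an IP absent from that account's history; shared maps
    each such IP hitting >= min_accounts distinct breached accounts to those accounts."""
    events = []
    accounts_by_ip = defaultdict(set)
    for ts, account, ip, outcome in parse_log(log_text):
        if account in breached and ip not in known_ips.get(account, set()):
            events.append((ts, account, ip, outcome))
            accounts_by_ip[ip].add(account)
    shared = {ip: sorted(a) for ip, a in accounts_by_ip.items() if len(a) >= min_accounts}
    return events, shared

if __name__ == "__main__":
    events, shared = find_suspect_logins(AUTH_LOG, BREACHED, KNOWN_IPS)
    for ip, accounts in shared.items():
        print(f"{ip} probed {len(accounts)} breached accounts: {', '.join(accounts)}")
```

Failed attempts count as well as successes, since a credential-stuffing source shows up in the failures long before it lands a success.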

All important to those affected and to most Internet users.

To this, we repeat the response (mentioned earlier) from LinkedIn's Australian representative, "We aren't participating in interviews at this time. However, we will continue to keep you in the loop regarding updates via the LinkedIn blog."

This is simply not good enough. Not remotely good enough, especially for a publicly listed company.

Allow us to observe that organisations that are open about such problems tend to engender public support. Those that duck the issue seem to be taking the first step on a downward spiral to destruction.

And in the highly volatile social networking world (and the publicly-listed company world), confidence is everything.

BTW... for those intrepid souls who seek the stolen passwords; they're not on PasteBin (this time!). Also, if you trust it enough, there's a site (http://leakedin.org/) that will compare your password against the stolen list (of course, readers are welcome to try random passwords and hope for a jackpot!).

Oh, and one other thing... will actively-trading LinkedIn shareholders treat this as a good thing, or a bad thing?


David Heath


David Heath has over 25 years experience in the IT industry, specializing particularly in customer support, security and computer networking. Heath has worked previously as head of IT for The Television Shopping Network, as the network and desktop manager for Armstrong Jones (a major funds management organization) and has consulted into various Australian federal government agencies (including the Department of Immigration and the Australian Bureau of Criminal Intelligence). He has also served on various state, national and international committees for Novell Users International; he was also the organising chairman for the 1994 Novell Users' Conference in Brisbane. Heath is currently employed as an Instructional Designer, building technical training courses for industrial process control systems.