Blog

Back in 2012, Linked-in acknowledged a breach of hashed passwords and email addresses.  At the time they claimed only a small portion of their 100+ Million accounts were compromised and suggested that Linked In users change their password to protect their account.  They did not force a password change across all Linked-In user accounts… a decision they now undoubtedly regret.

In fact, all of their user accounts (117 Million+) were compromised.  Shamefully, they did not SALT their passwords, leaving identical passwords with identical hashes making password cracking trivially easy.

Implications:

Many users reused passwords across email accounts, various websites, and even VPN accounts; this is a very bad practice.  As such, you should consider these other accounts may have been compromised.  Many of you (myself included) have received strange emails from friends and family trying to sell me Viagra or containing random strange website links. These are indications of a compromised email account.  Now we know one potential source of those compromised email accounts:  Linked-In.

What should I do?

Step #1:  Change your Linked-In Password! Anyone still using their 2012 Linked in password needs to immediately login and change their password.  Linked-In has finally done what they should have done in the beginning – notified ALL account holders, expired their passwords so users have to change their password upon next login, and informed users of the compromise and to consider where else users had used the same username/password combination so as to update and change those locations too.

Step #2: Invest in a Password Manager. The time to invest in a password manager is more important than ever before.  Password Managers are free for personal use.  They enable you to use long and complex passwords (I recommend 16 to 20 character passwords) for every online web property you log into.  This is a critical step that limits your exposure when one company is breached… all the other web properties are still intact because you haven’t reused the same password at those sites!

Step #3: Start changing your Shared Passwords! Now that you have as password manager, don’t stop there.  Most Password managers have a feature that lists accounts sharing the same password.  It’s time to start changing your bad habits and update those accounts to unique passwords.  Over time you will fix your password hygiene with fresh and complex unique passwords on all of your online accounts!

Step #4: Register your Public Email address for notifications.  If you register your public email address at the site https://haveibeenpwned.com/ they will notify you if your email is included in any of the large-scale publicly disclosed breaches such as the Linked In breach or the Adobe, Ashley Madison, and Mate1.com  breaches.  This is a convenient feature to alert you when the vendor themselves fail to do so.

Sophos video on Picking Proper Passwords:  https://youtu.be/pMPhBEoVulQ

Highly Recommended Password Managers: 

LastPass: http://www.lastpass.com

Advantages: enterprise support and the separation of work from personal passwords.

Disadvantages: user interface is slightly less intuitive than DashLane.

DashLane: http://www.dashlane.com

Advantages: Most intuitive inferface with excellent import and security audit features to inform you of your bad password practices with some automation built in to correct those accounts.

Disadvantage: no ability to separate work from personal passwords making it unsuitable for work or enterprise environments.

Source: Craig Taylor, Chief Security Officer; Neoscope, Portsmouth, NH