Social media site LinkedIn suffered a major security breach this week as over 6 million passwords were stolen. First, here’s a great quote from eWeek that explains why you need to pay attention to data breaches.
The compromise of a LinkedIn account has three important ramifications, opined Carl Leonard, senior manager of security research at Websense. “First, the key concern is the bad actors taking advantage of trust,” he said. “If you are ‘linked’ to a trusted colleague you are more likely to click on a malicious link sent from them, which may open the door to targeted attacks and confidential data theft.”
“Second, because many LinkedIn accounts are tied to other social media services, such as Facebook or Twitter, posts with malicious links can also be propagated to a larger audience,” Leonard said. “And lastly, many of us are creatures of habit and have the same password for multiple accounts. The consequences of a breached password could be extrapolated across email, social media, banking accounts, and mobile phone data.”
There are some valuable lessons to be learned from this catastrophe.
Don’t use dumb passwords.
The vast majority of the passwords revealed in the LinkedIn hack were, quite frankly, stupid. Such as:
plus all sorts of plain-text dictionary words like “administrator” and “computer”.
Do your passwords look like the ones on this list? Then change them! All of us should know better by now than to use easily cracked passwords, and this is why. Here’s my article on How To Create Secure Passwords, which may help.
Don’t share passwords across sites.
During the LinkedIn breach, investigators found that many people used passwords containing the words “harmony” or “eharmony”. So it wasn’t a surprise when, less than a day later, dating site eHarmony announced they, too, were hacked and 1.5 million passwords stolen.
There is a very easy way to avoid becoming a victim. USE DIFFERENT PASSWORDS FOR EVERY SITE. You think it’s a pain? Try identity theft.
Don’t click links in email.
One of the most braindead stupid moves LinkedIn made in this entire scenario – aside from not using proper security practices to secure our passwords – is that they’re planning to email affected users instructions on how to reset their passwords.
Except the surest way to get hacked is to click on malicious links in email. Email is easily forged and links are easy to redirect. How fast do you think fake password reset emails are going to make the rounds? Oh, wait, it’s already happening. From BBC News: LinkedIn users targeted in phishing scam after hack. Epic fail, LinkedIn. Way to teach people bad security practices and expose them to further risks.
LinkedIn users have been targeted by email scams after hackers leaked more than six million user passwords online. Emails designed to look like they were sent by the social-network website asked users to “confirm” their email address by clicking a link.
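The forged “confirm your email” mails described above can be screened mechanically before anyone clicks: pull every link out of the message and flag those whose real target is not the site the mail claims to come from. This is an added example, not code from the original post or from LinkedIn; the HTML message, the look-alike domain and the IP address in it are constructed, and linkedin.com is assumed as the only legitimate link domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a forged "password reset" mail, not a real LinkedIn message.
SAMPLE_HTML = """<p>Your LinkedIn password may be compromised.</p>
<a href="http://linkedin.com.example-login.net/reset">https://www.linkedin.com/reset</a>
<a href="https://www.linkedin.com/help">Help Center</a>
<a href="http://203.0.113.10/confirm">Confirm your email</a>"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercase hostname of a URL, or '' when it has none."""
    return (urlparse(url).hostname or "").lower()

def is_trusted(host, trusted):
    """Exact match or a real subdomain; 'linkedin.com.example-login.net' must fail."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def suspicious_links(html, trusted=("linkedin.com",)):
    """Return (href, [reasons]) for each link a user should not click."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host, reasons = host_of(href), []
        if host.replace(".", "").isdigit():
            reasons.append("target is a bare IP address")
        elif not is_trusted(host, trusted):
            reasons.append("target host %r is not under %s" % (host, ", ".join(trusted)))
        # Displayed URL that differs from the real target is the classic redirect trick.
        if text.startswith("http") and host_of(text) != host:
            reasons.append("displayed URL %r does not match real target" % text)
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `suspicious_links(SAMPLE_HTML)` flags the look-alike domain (on two counts) and the IP-address link, and passes the genuine linkedin.com help link.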
When a crisis occurs, timing is of the essence. In this case if you didn’t change your passwords immediately, it was probably too late. The hackers were rapidly cracking those passwords and trying to break into other sites like eHarmony.
The best way to stay on top of events like these is to follow IT security news. I regularly post important updates through social media sites as well as here on the Tech Tips blog.