Lessons Learned From The LinkedIn Password Hack

Social media site LinkedIn suffered a major security breach this week as over 6 million passwords were stolen. First, here’s a great quote from eWeek that explains why you need to pay attention to data breaches.

The compromise of a LinkedIn account has three important ramifications, opined Carl Leonard, senior manager of security research at Websense. “First, the key concern is the bad actors taking advantage of trust,” he said. “If you are ‘linked’ to a trusted colleague you are more likely to click on a malicious link sent from them, which may open the door to targeted attacks and confidential data theft.”

“Second, because many LinkedIn accounts are tied to other social media services, such as Facebook or Twitter, posts with malicious links can also be propagated to a larger audience,” Leonard said. “And lastly, many of us are creatures of habit and have the same password for multiple accounts. The consequences of a breached password could be extrapolated across email, social media, banking accounts, and mobile phone data.”

There are some valuable lessons to be learned from this catastrophe.

Don’t use dumb passwords.
The vast majority of the passwords revealed in the LinkedIn hack were, quite frankly, stupid. Such as:

linkedin
linkedinpassword
password1
password123
p455w0rd
1234567

plus all sorts of plain-text dictionary words like “administrator” and “computer”.

Do your passwords look like the ones on this list? Then change them! All of us should know better by now than to use easily-cracked passwords, and this is why. Here’s my article on How To Create Secure Passwords, which may help.
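To make “easily-cracked” concrete, here is an added example (not code from the original post) of the kind of check a site could run at registration time: it collapses the leetspeak and trailing-digit variants seen in the leaked list back onto the underlying word and rejects passwords built from the site name or a dictionary word. The word list and the strong sample password are constructed for the example.

```python
"""Added example, not part of the original post: a registration-time check
that rejects passwords shaped like the ones in the leaked LinkedIn list."""
import re

# Constructed mini dictionary; a real deployment loads a large wordlist.
COMMON_WORDS = ("password", "administrator", "computer", "welcome", "qwerty")

# Undo the leetspeak substitutions that turn "password" into "p455w0rd".
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

def normalize(password: str) -> str:
    """Lower-case, drop a trailing run of digits ("password123" -> "password"),
    then undo leetspeak, so variants collapse onto the word a cracker tries."""
    base = re.sub(r"\d+$", "", password.lower())
    return base.translate(LEET_MAP)

def is_sequential_digits(password: str) -> bool:
    """True for "1234567"-style ascending digit runs of four or more."""
    if not password.isdigit() or len(password) < 4:
        return False
    return all(int(b) - int(a) == 1 for a, b in zip(password, password[1:]))

def weakness_reasons(password: str, site_name: str = "linkedin") -> list:
    """Return the reasons a password would be rejected; empty means accepted."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if is_sequential_digits(password):
        reasons.append("sequential digits")
    norm = normalize(password)
    if site_name.lower() in norm:
        reasons.append("contains the site name")
    for word in COMMON_WORDS:
        if word in norm:
            reasons.append(f"contains dictionary word '{word}'")
    return reasons

def is_weak(password: str, site_name: str = "linkedin") -> bool:
    return bool(weakness_reasons(password, site_name))

if __name__ == "__main__":
    # The examples quoted in the post, plus one constructed strong password.
    for pw in ["linkedin", "linkedinpassword", "password1", "password123",
               "p455w0rd", "1234567", "administrator", "Wz9#kLq2pT"]:
        print(f"{pw:20} {weakness_reasons(pw) or 'accepted'}")
```

Every password from the list above is rejected with at least one reason, while the constructed random one passes; the same normalization also explains why a cracker’s dictionary catches “p455w0rd” as quickly as “password”.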

Don’t share passwords across sites.
During the LinkedIn breach, investigators found that many people used passwords containing the words “harmony” or “eharmony”. So it wasn’t a surprise when, less than a day later, dating site eHarmony announced they, too, were hacked and 1.5 million passwords stolen.

There is a very easy way to avoid becoming a victim. USE DIFFERENT PASSWORDS FOR EVERY SITE. You think it’s a pain? Try identity theft.

Don’t click links in email.
One of the most braindead stupid moves LinkedIn made in this entire scenario – aside from not using proper security practices to secure our passwords – is that they’re planning to email affected users instructions on how to reset their passwords.

Except the surest way to get hacked is to click on malicious links in email. Email is easily forged and links are easy to redirect. How fast do you think fake password reset emails are going to make the rounds? Oh, wait, it’s already happening. From BBC News: LinkedIn users targeted in phishing scam after hack. Epic fail, LinkedIn. Way to teach people bad security practices and expose them to further risks.

LinkedIn users have been targeted by email scams after hackers leaked more than six million user passwords online. Emails designed to look like they were sent by the social-network website asked users to “confirm” their email address by clicking a link.

Do pay attention to security news.
When a crisis occurs, timing is of the essence. In this case if you didn’t change your passwords immediately, it was probably too late. The hackers were rapidly cracking those passwords and trying to break into other sites like eHarmony.

The best way to stay on top of events like these is to follow IT security news. I regularly post important updates through social media sites as well as here on the Tech Tips blog.

2 thoughts on “Lessons Learned From The LinkedIn Password Hack”

  1. Triona is correct that repetitive use of the same or obvious simple passwords is hazardous to your security. Practically, with the number of passwords the typical user now has, they need a password security “vault” program to hold and automatically insert their site-specific password when they visit a site to log in. I like the free program Billeo, which works with IE and Firefox, but not Chrome. I tried Robo, but in my opinion it is a resource hog and it wants to intertwine itself in more system/operations and processes than I like, although an advantage of Robo is that it could be used on my iPhone. Not being able to use it with the iPhone is another disadvantage of Billeo. Is there a good password vault security program that works with IE, Firefox, Chrome and the iPhone, so a single password vault can be used across platforms? If so, does it allow for easy import of existing password vault data?

    1. Keith, KeePass is one that is supported on a lot of platforms including Windows Phone, Blackberry, iPad/iPhone, Android as well as Windows and Mac. 1Password is another option. You’ll have to test the importing; in my experience that’s the biggest stumbling block, depending on the format of the import. Hope this helps!
