An explanation but no apology

Better late than never, I suppose. Four years after hackers plundered millions of LinkedIn usernames and passwords, the company has decided to tell us what is going on, at last.
On Wednesday afternoon, users received an email titled “Important information about your LinkedIn account,” describing the massive 2012 hack and what the company is doing about it.
The short version of the email is something like this: “Yup, they hacked us all right. And, in case you haven’t changed your password since 2012, we’ve cancelled those older passwords. We’re working with law enforcement to protect you.”

LinkedIn also suggests users adopt some basic security hygiene:

While we do all we can, we always suggest that our members visit our Safety Center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible. We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well.

While the 2012 hack was widely publicized at the time, news of it flared up again because of reports last week revealing that the breach was much, much bigger than initially thought.
It turns out that the hack affected 117 million email and password combinations – not the 6.5 million reported in the past. Oh, and the whole batch of them are for sale on the so-called dark web.
In its email, LinkedIn claimed that it “became aware” last week that the data stolen in 2012 was being made available online. This seems a bit of a stretch – the whole point of stealing data is typically to sell it online – but we’ll take them at their word. And, unlike so many other LinkedIn emails, this one is definitely useful.
Oddly, the email did not include any acknowledgement or apology for the dreadful security practices used by LinkedIn in the first place. These included poor cryptography, such as failing to “salt” the stored password hashes, which made it easier for hackers to unscramble users’ passwords.
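To show concretely why unsalted hashing is the problem the article describes, and what the salted storage LinkedIn's email says it now uses changes, here is an added example that is not from the article or from LinkedIn. It assumes a plain SHA-1 hash for the old scheme and PBKDF2-HMAC-SHA256 with a random per-member salt for the new one; both choices, the member records, and the passwords are constructed for illustration. The unsalted store leaks which members share a password (identical passwords give identical hashes, so one recovered hash exposes every account using it), while the salted store gives every member a distinct hash and still verifies logins.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample member records (email, password). Passwords are weak and
# repeated on purpose: password reuse across members is common in real dumps.
SAMPLE_MEMBERS = [
    ("alice@example.com", "linkedin"),
    ("bob@example.com", "123456"),
    ("carol@example.com", "linkedin"),
    ("dave@example.com", "password"),
]


def unsalted_sha1(password: str) -> str:
    """Assumed 2012-style storage: one bare SHA-1 per password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def unsalted_store(members):
    """Map each email to its unsalted hash, as a legacy credential table would."""
    return {email: unsalted_sha1(pw) for email, pw in members}


def duplicate_hash_groups(store):
    """Return {hash: count} for hashes shared by more than one member.

    Without a salt, equal passwords produce equal hashes, so a defender (or an
    attacker) can see password reuse directly in the table, and a single
    precomputed hash-to-password entry applies to every member in the group.
    """
    counts = Counter(store.values())
    return {h: n for h, n in counts.items() if n > 1}


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Slow, salted hash: PBKDF2-HMAC-SHA256 (assumed modern scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def salted_store(members, salt_bytes: int = 16):
    """Map each email to (salt, hash) with a fresh random salt per member."""
    store = {}
    for email, pw in members:
        salt = os.urandom(salt_bytes)
        store[email] = (salt, salted_pbkdf2(pw, salt))
    return store


def verify(store, email: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    salt, stored = store[email]
    return hmac.compare_digest(salted_pbkdf2(candidate, salt), stored)


def salted_hashes_all_distinct(store) -> bool:
    """True when no two members share a hash, even if they share a password."""
    hashes = [h for _, h in store.values()]
    return len(set(hashes)) == len(hashes)


if __name__ == "__main__":
    legacy = unsalted_store(SAMPLE_MEMBERS)
    print("shared unsalted hashes:", duplicate_hash_groups(legacy))
    modern = salted_store(SAMPLE_MEMBERS)
    print("salted hashes all distinct:", salted_hashes_all_distinct(modern))
    print("alice login ok:", verify(modern, "alice@example.com", "linkedin"))
```

The salt is stored in the clear beside the hash; its job is not secrecy but making every member's hash unique, so a recovered hash tells you about one account only and precomputed tables have to be rebuilt per salt. The iteration count is what makes each guess expensive, which is the second half of the defence.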
On the other hand, as security expert Troy Hunt reports in a definitive account of the recent news, the 2012 breach is not the fault of the company’s current leadership team, who are simply trying to clean up the mess left by their predecessors.
In addition to this article, here is a copy of what I received from LinkedIn earlier this week:

LinkedIn

Notice of Data Breach

You may have heard reports recently about a security issue involving LinkedIn. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you.

What Happened?

On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach.

What Information Was Involved?

Member email addresses, hashed passwords, and LinkedIn member IDs (an internal identifier LinkedIn assigns to each member profile) from 2012.

What We Are Doing

We invalidated passwords of all LinkedIn accounts created prior to the 2012 breach that had not reset their passwords since that breach. In addition, we are using automated tools to attempt to identify and block any suspicious activity that might occur on LinkedIn accounts. We are also actively engaging with law enforcement authorities.

LinkedIn has taken significant steps to strengthen account security since 2012. For example, we now use salted hashes to store passwords and enable additional account security by offering our members the option to use two-step verification.

What You Can Do

We have several dedicated teams working diligently to ensure that the information members entrust to LinkedIn remains secure. While we do all we can, we always suggest that our members visit our Safety Center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible. We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well.

For More Information

If you have any questions, please feel free to contact our Trust & Safety team at tns-help@linkedin.com. To learn more visit our official blog.