I’ve been reading the flurry of posts, blogs, tweets and offhanded comments regarding LinkedIn’s recent data breach. I’m calling it a data breach here, not a password hash breach, because at this point, I don’t think anyone knows the extent of damage, or the full breadth of what data may have been taken.
Overheard in conversations, both in person and online, are comments such as “I don’t care about LinkedIn, I don’t need to change my password” and “they’re just hashes, only a few passwords were posted.” To those of you with this attitude, I think you’re missing the bigger picture.
I’d like to clear up a few things and share three reasons I think you’ll care about this LinkedIn breach.
Before we jump in, I’ll share my opinion about this breach in general.
I think quite a bit of what LinkedIn has shared is ambiguous, at best. I’m okay with that for now, because I think their involvement with law enforcement agencies and the fact that they’re still in the discovery stage prevent them from sharing much. They don’t know everything yet, and what they may know is probably not in their best interest to share.
As security professionals, we can certainly find cause to criticize LinkedIn for how they’ve handled this, but I’ll leave that to others. I’m sure there’s a copious amount of critical articles out there. For now, I think they’re doing an acceptable (but not exceptional) job.
LinkedIn has locked the accounts and sent notifications to some of the affected users. Strangely, we can’t seem to establish any pattern in the notifications, and the verbiage LinkedIn has used in describing what it deems vulnerable is very vague.
Even if you didn’t receive the “Dear user” letter, some of your online accounts may be at risk.
Three reasons you care about the breach.
For those of you that don’t think a breach of your LinkedIn password matters, here’s why you should care.
1. Someone may have full access to your account.
We don’t know if the thieves stole additional data or not. It’s perfectly possible they have the full list of email addresses to go along with the password hashes. It’s also extremely likely they have more than the 6.5 million hashes they have released so far.
2. Even in hash form, your password is vulnerable.
Password hashes are attackable, and unsalted hashes (unsalted SHA-1, which is what leaked from LinkedIn) are extremely so: an attacker hashes a wordlist once and then looks every leaked hash up in the result, so common passwords fall in seconds, and every user who chose the same password shares the same hash, which is visible at a glance. LinkedIn has posted that its database now stores salted and hashed passwords. It appears this change was made after the breach itself but before the breach was announced. That makes passwords set since the change much harder to crack, but it does nothing for a password that was already captured in unsalted form: only a password that is new, or was never in the leak, is reasonably safe now.
A note on correcting colleagues about LinkedIn’s salting and hashing: I’d like to note that there are some articles out there with misinformation about the salting and hashing methods.
3. That password is a key to another door.
About 75% of users re-use passwords across multiple sites. Read the article here or the original findings (PDF). So if the thieves also have the email addresses, every cracked hash becomes an email-and-password pair they can try against other sites (an attack commonly called credential stuffing), and for roughly three users in four at least one of those other doors will open.
If you’re not sure what to do next, read my recommendation for dealing with the breach at LinkedIn: Don’t just change your password, do this.