June 7, 2012
Into each life, a little hacking must fall – it’s become a universal law of the Internet as of late.
As many now know, LinkedIn seems to have allowed about 6.5 million usernames and passwords to slip, and they’re now becoming open information. That’s bad, but not the end of the world, and there are steps you can take to protect yourself.
First, here’s what appears to have happened. Somehow, a database of usernames (which for LinkedIn are email addresses) and passwords got into the wild. Whether this was an accidental breach or a direct theft, time will tell. While the passwords were obscured by a hashing technique, the technique used was notoriously easy to crack, and the bad guys have already begun doing so. Several hundred thousand have already been cracked, meaning that over time most of the rest will become public too.
It’s possible your username and password were discovered, but frankly I would advise against trying to find out or waiting to know for sure. If you have an account on LinkedIn, here is what you should do right now:
– Don’t panic. This was a great piece of advice for Arthur Dent in The Hitchhiker’s Guide to the Galaxy, and it applies just as well here. Yes, your account information may have been stolen from LinkedIn, but if you act quickly and sanely, you can ensure that the breach does not impact the rest of your online life.
– Change your LinkedIn password. Doing so is fast, easy and will fix the problem even if your password was not among those compromised. Open a web browser and go to the LinkedIn home page and log in. Then, in the upper-right corner of the page, click on your name and then on Settings from the mini-menu that drops down. Halfway down the settings page, look for “Account Settings” and click on it. Then click “Change your password,” put in your old and new passwords and you’re done.
– Change your password on any other site where you log in with that same password and email address. Since the data thieves now have that username/password combination, they’ll try it on a wealth of other sites to see if they can get into your accounts across the web. So if you used that same email/password combo elsewhere, consider every site with that combination to be compromised and change your password there as well.
Now, what to do about this for the future:
– DO NOT click on any link in any email saying that your LinkedIn account has been compromised and asking you to log in to change your password. The official emails LinkedIn will send out will *not* have links in them; instead, they will ask you to go to the LinkedIn site manually and change your password there. There are already reports of phishing emails that are trying to use the fear of this breach to get people whose accounts were not compromised to give up their login info, so be extra careful.
– Use unique passwords for sites. This gets difficult fast, so use a password manager like 1Password (or many others) that can auto-generate custom passwords and track them for you. This way, you remember the master password (which never leaves your desktop/laptop/phone) and the system handles filling in the unique passwords on the sites.
– Demand that social networks (and any other sites) use stronger security. These LinkedIn accounts were exposed because the data that was stolen was protected using a very weak form of hashing technology. LinkedIn could have used a stronger method, which wouldn’t have stopped the theft, but would have made it much more difficult for the thieves to use the data for anything.
Granted, a dedicated thief with time, equipment, and knowledge could eventually crack any set of data. However, if the thieves had had to spend months cracking the hashed passwords before they could use them, they may have decided it wasn’t worth the time and effort. It’s not a cure, but it is a preventative measure that could have, and should have, been put in place.
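To make the difference between a weak and a stronger hashing method concrete, here is an added example (my own code, not from the original post or from LinkedIn). The post does not name the algorithm LinkedIn used, so the “weak” scheme below is an assumed single, unsalted SHA-256 used purely for illustration; the stronger scheme is salted, iterated PBKDF2-HMAC-SHA256, and the small user table is constructed sample data.

```python
import hashlib
import hmac
import os

# Weak scheme (assumed for illustration): one fast hash, no salt.
# Every user with the same password gets the same stored value, so
# cracking one entry cracks all of them, and precomputed tables work.
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Stronger scheme: a random per-user salt plus many PBKDF2 iterations.
# Identical passwords now produce different stored values, and each
# guess costs the attacker ITERATIONS hash computations instead of one.
ITERATIONS = 200_000

def strong_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the parameters can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(recomputed.hex(), digest_hex)

# Constructed sample user table: two of the three users chose the same password.
SAMPLE_USERS = [
    ("alice@example.com", "linkedin2012"),
    ("bob@example.com", "linkedin2012"),
    ("carol@example.com", "correct horse battery staple"),
]

def distinct_stored_values(scheme) -> int:
    """How many different stored values a leaked table would contain."""
    return len({scheme(pw) for _, pw in SAMPLE_USERS})
```

With the weak scheme the leaked table reveals which users share a password (only two distinct values for three users); with the stronger scheme every row is distinct and each must be attacked separately.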
Once more, don’t panic. Take a minute or two today and change your passwords. Make sure you’re not using that same email/password combo elsewhere. Never click on links in email (go to the site manually via your browser instead). This advice works equally well for any website where you have an account, and can keep you from losing your mind when breaches inevitably happen across the web.