Thursday, 7 June 2012

LinkedIn Password Breach: Change Your Password Now

Yesterday we learnt a hacker posted 6.5 Million LinkedIn passwords onto a Russian forum. These passwords were weakly encrypted (that's an unsalted SHA-1 hash for the techies), which means the actual passwords can be recovered by the bad guys with very little technical ability.
Advice to LinkedIn Members
1. Change your LinkedIn Password Right Now
6.5 Million accounts may only be a portion of the total LinkedIn membership, and you may not consider your account as being affected because you have yet to receive a warning message from LinkedIn.  However in my view it is highly likely the bad guys will have ALL the LinkedIn account details and passwords for all LinkedIn users. So assume your account login (Email) and password is known by the bad guys, given this it is essential to change your LinkedIn password as soon as possible.

2. If your LinkedIn password is the same password you use on any other websites, Change Those Passwords
Most people use the same password on different websites simply because it is difficult to remember lots of different passwords on each website. The hackers know this and so target weaker protected websites like LinkedIn to obtain your username, email address and particularly your password. Then they try the same combinations to access higher protected and more valuable websites (money making opportunities for them) such as online banking, Email, Facebook, PayPal, Ebay etc.
The Problem with Website Passwords

3. Assume all your LinkedIn Personal Details as Compromised
If the hackers can obtain the password field within the database, it is safe to assume they will have harvested all the other unprotected fields in the database as well, which unfortunately will include a full profile of your personal information. LinkedIn aren't the the first website to neglect security and lose your personal information to hackers, and they won't be the last. So always be cautious of criminals trying to use your personal information against you, typically they try to make money from it.  This can manifest as identify theft or as an elaborately personalised phishing Email, always be suspicious and be cautious of non-face-to-face (Email/Phone) communications, and check your finical transaction statements for signs of foul play on a regular basis.