Failing to take basic security precautions with website passwords puts your data at risk
Do you remember back in 2012 when LinkedIn was hacked? Around 6.5 million user passwords were posted on a Russian blog. There was a mandatory password reset for affected users, and LinkedIn released a statement advising people to enable two-step verification and use stronger passwords.
Four years later, and the passwords of 117 million accounts were compromised.
Worryingly, this came to light only when a hacker put them up for sale, offering data from 167 million accounts in total. If you haven’t changed your LinkedIn password since 2012, you could be at risk. Tech savvy is no protection, as evidenced by the fact that a hacker group used the LinkedIn password dump to hack Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts.
Are you at risk?
The biggest risks here are for people who didn’t change their LinkedIn password after hearing about the 2012 breach and also made the mistake of reusing the same password for another account. Hackers will reuse the same email and password credentials elsewhere as they hunt out further details about you that could be used to steal your identity and turn a profit. You can dramatically reduce the risk simply by having a different password for every account.
It’s also a good idea to change your password when you hear about a data breach somewhere that you have an account, even if you aren’t contacted directly to do so. You can check if your account was compromised at https://haveibeenpwned.com/, where you’ll find a searchable database covering breaches at various websites, including LinkedIn.
Check if your account was compromised >
Dealing with data breaches
LinkedIn also could have, and arguably should have, taken better steps to deal with the breach in 2012. Allowing customers to choose weak passwords and making two-step verification authentication optional is sacrificing security for the sake of convenience. LinkedIn is by no means the only company to make this decision, fearing a loss of customers if security is too burdensome.
Another common facet of data breaches highlighted here is the fact that the victim is often unaware of how deep the breach is.
Smart criminals won’t publicize a data breach or come clean about its depth because they want time to exploit the data. In this case, LinkedIn clearly was unable to determine which accounts had been compromised. Remember this came to light only when a hacker put the details up for sale. Perhaps LinkedIn should have instituted a mandatory sitewide password change as a precaution.
Take precautions now
Obviously, LinkedIn has to accept a lot of blame here. Passwords were stored in SHA1 with no salting, according to Leaked Source, which means they weren’t as secure as they could have been.
Regardless of blame, it’s worth revisiting your security practices if you want to stay safe online. Leaked Source also published a list of the most commonly used passwords. The top entry was “123456,” which is used by 753,305 people, followed by “linkedin,” which is used by 172,523 people. If you choose a password like those, you have to know you’re making it easy for the bad guys.
If you haven’t done so already, change your LinkedIn password now. There’s a built-in color-coding system that will show you if your password is strong or not. You should also avoid reusing the same password on any other website. If you have reused your LinkedIn password elsewhere, change the password on that account, too. Since you’ll be using different, strong passwords on every account, it’s well worth considering a good password manager to help you keep track of them.
You could also turn on two-step verification so that you can keep track of different devices logging into your account. This system sends you a numeric code by text to your phone anytime an unrecognized device tries to sign in, so a criminal would need your password and your cell phone before being able to log into your account.
It may seem like a hassle, but it’s worth jumping through a few hoops to ensure your data are safe.
This article was recently published in NetworkWorld.