Yesterday, LinkedIn clarified its efforts to contain the 6 million password breach that occurred last week. In an e-mail to the media, the company summarized its work to secure the site.
While there didn’t seem to be any immediate danger to member accounts (and LinkedIn confirmed this), there was concern about how the breach occurred and how the company would respond to prevent future breaches.
According to the e-mail, by June 7th (a day after the breach) LinkedIn had disabled the impacted users' passwords. Customer service teams reached out to those users explaining how to reset them. As of yesterday, there had been no compromised accounts. LinkedIn also made a point of saying there has been no impact on sign-up numbers and no increase in members leaving the network.
LinkedIn also clarified that passwords are now both hashed and salted (previously, they had only been hashed). In case you think this turned into a conversation about breakfast food, Joe Basirico, director of security services for Security Innovation, explained the difference in a post last week:
What could LinkedIn have done to protect you from your own poor password choice? Well, they could have required a Password Policy, but everybody seems to hate those. They could have also added Salt. No, not that salt, this Salt.
In software we call a chunk of random data that we add to passwords “salt.” Since your password is so easily guessable, it’s likely it already exists in somebody’s Rainbow table, so the lookup would be really quick and easy. We want to make them work for it. So for each user I generate, say, 10 extra random characters to add to each password. This means I generate some random characters “7%bKeVm!fN” and add that to your password, turning it into LvBieber7%bKeVm!fN. If I do this for every user, the hacker has to generate a rainbow table for each user independently.
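To make the quoted explanation concrete, here is an added Python example (not code from the original post, from Security Innovation, or from LinkedIn) that contrasts the two schemes the article describes: hash-only storage versus a per-user random salt appended to the password before hashing. It assumes SHA-256 as the hash function (the article does not say which hash LinkedIn used), uses a tiny constructed list of common passwords as a stand-in for a precomputed lookup table, and stores the salt alongside the hash the way a real server would.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a handful of very common passwords standing in for the
# much larger precomputed table the quoted post calls a rainbow table.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "LvBieber"]


def unsalted_hash(password: str) -> str:
    """The pre-breach scheme the article describes: hash only, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once; reusable against every unsalted hash."""
    return {unsalted_hash(p): p for p in candidates}


def crack_with_table(table: dict, digest: str):
    """A single dictionary lookup: instant against an unsalted hash, and the
    same table works for every user in the dump."""
    return table.get(digest)


def generate_salt(nbytes: int = 16) -> str:
    """Per-user random salt (the post's '7%bKeVm!fN'), from a CSPRNG."""
    return secrets.token_hex(nbytes)


def salted_hash(password: str, salt: str) -> str:
    """Salt appended to the password, as in the quoted post, then hashed."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """What the server keeps: 'salt$hash'. The salt is not secret; its job is
    to be different for every user so precomputation cannot be shared."""
    salt = generate_salt()
    return f"{salt}${salted_hash(password, salt)}"


def verify_password(stored: str, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored.split("$", 1)
    return hmac.compare_digest(salted_hash(attempt, salt), digest)


def guesses_needed_per_user(stored: str, candidates) -> int:
    """Salting does not hide a weak password; it forces the guessing work to
    be redone for each user. Returns the number of hash computations spent
    before a match (0 = no match among the candidates)."""
    salt, digest = stored.split("$", 1)
    for n, candidate in enumerate(candidates, start=1):
        if salted_hash(candidate, salt) == digest:
            return n
    return 0


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted hit:", crack_with_table(table, unsalted_hash("LvBieber")))
    stored = store_password("LvBieber")
    print("salted hit:  ", crack_with_table(table, stored.split("$", 1)[1]))
    print("verify:      ", verify_password(stored, "LvBieber"))
    print("per-user work:", guesses_needed_per_user(stored, COMMON_PASSWORDS))
```

Two things the example makes visible that the quote only states: two users with the same password end up with different stored hashes, so one precomputed table no longer answers for the whole dump, and a weak password is still guessable once the work is redone per user. In practice a fast hash such as SHA-256 would be replaced by a deliberately slow, salted construction (PBKDF2, bcrypt, scrypt or Argon2) so that each of those per-user guesses costs far more than one hash call.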
If you want to get into the specifics of the security measures, that post (and the thread on Reddit) is a great start.
LinkedIn didn’t reveal how the breach occurred or what measures are being taken to prevent a future one. The company did say it is working with law enforcement and taking additional, unspecified security measures.