The Fordyce Letter

Straight Talk for the Recruiting Profession


LinkedIn Describes Security Steps After Huge Password Breach

Yesterday, LinkedIn clarified its efforts to contain the 6 million password breach that occurred last week. In an e-mail to the media, the company summarized its work to secure the site.

While there didn’t seem to be any immediate danger to member accounts (and LinkedIn confirmed this), there was concern about how the breach occurred and how the company would respond to prevent future breaches.

According to the e-mail, by June 7th (a day after the breach) LinkedIn had disabled the affected users' passwords. Customer service teams reached out to those users to explain how to reset their passwords. As of yesterday, no accounts had been compromised. LinkedIn also made a point of saying there has been no impact on sign-up numbers or on people leaving the network.

LinkedIn also clarified that passwords are now both hashed and salted (previously, they had only been hashed). In case you think this turned into a conversation about breakfast food, Joe Basirico, director of security services for Security Innovation, explained the difference in a post last week:

What could LinkedIn have done to protect you from your own poor password choice? Well, they could have required a Password Policy, but everybody seems to hate those. They could have also added Salt. No, not that salt, this Salt.

In software we call a chunk of random data that we add to passwords “salt.” Since your password is so easily guessable it’s likely it already exists in somebody’s Rainbow table so the lookup would be really quick and easy. We want to make them work for it. So for each user I generate, say, 10 extra random characters to add to each password. This means I generate some random characters “7%bKeVm!fN” and add that to your password turning it into LvBieber7%bKeVm!fN. If I do this for every user the hacker has to generate a rainbow table for each user independently.

If you want to get into the specifics of the security measures, that post (and the thread on Reddit) is a great start.
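To make the difference concrete, here is an added example in Python (not code from the article, from Basirico's post, or from LinkedIn). It assumes SHA-1 as the underlying hash and uses constructed user records and a constructed lookup table; it shows that two users who share a password get identical unsalted hashes, which a precomputed table resolves instantly, while per-user salts make their stored hashes differ and miss the table entirely.

```python
import hashlib
import hmac
import os
from typing import Optional

def unsalted_hash(password: str) -> str:
    """Hash the bare password: the weak scheme, no per-user random data."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def make_salt(nbytes: int = 16) -> str:
    """Per-user random salt from the OS CSPRNG, never a hand-picked string."""
    return os.urandom(nbytes).hex()

def salted_hash(password: str, salt: str) -> str:
    """Hash salt + password together; the salt is stored beside the hash, not kept secret."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()

def verify(password: str, salt: str, stored_hash: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored_hash)

# Constructed stand-in for a precomputed (rainbow/lookup) table of common passwords.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "LvBieber"]
LOOKUP_TABLE = {unsalted_hash(p): p for p in COMMON_PASSWORDS}

def crack_with_table(stored_hash: str) -> Optional[str]:
    """Look a stored hash up in the precomputed table; None means no hit."""
    return LOOKUP_TABLE.get(stored_hash)

def demo() -> dict:
    # Constructed users: two people who chose the same weak password.
    users = {"alice": "LvBieber", "bob": "LvBieber"}
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salts = {u: make_salt() for u in users}
    salted = {u: salted_hash(p, salts[u]) for u, p in users.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],  # True: same hash leaks shared passwords
        "salted_identical": salted["alice"] == salted["bob"],        # False: salts differ per user
        "unsalted_cracked": crack_with_table(unsalted["alice"]),     # "LvBieber": instant table hit
        "salted_cracked": crack_with_table(salted["alice"]),         # None: table is useless against salted hash
        "verify_ok": verify("LvBieber", salts["alice"], salted["alice"]),
        "verify_wrong": verify("wrong", salts["alice"], salted["alice"]),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Salting defeats shared precomputed tables but does nothing to slow a per-user brute-force attempt, so in practice a deliberately slow password hash such as bcrypt, scrypt or PBKDF2 is used in place of plain SHA-1.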

LinkedIn didn’t reveal how the breach occurred or what measures are being taken to prevent a future breach. However, the company said it’s working with law enforcement and taking unspecified security measures.

Lance Haun is an editor at The Starr Conspiracy, a marketing agency focused on the enterprise HCM market. He spent three years as an editor at ERE Media and seven years in the recruiting and HR trenches before joining the agency. You can follow him on Twitter, circle him on Google+, check out his blog or contact him directly at lance@coug.rs.