Earlier today it emerged that a large database of 6.5 million passwords belonging to users of the popular professional network, LinkedIn, was leaked onto the Internet.  I was first made aware of the issue early this morning by Per Thorsheim (@thorsheim), a Norwegian security professional who specialises in password security. Once the news broke on Twitter a number of people I know checked the database and confirmed that their passwords were in the file indicating that this indeed was a genuine leak.

For most of the day there was little or no communication from LinkedIn regarding the suspected breach. Many people were left to speculate whether the database was real or simply a hoax. Another question being asked was how old the database was: was it leaked recently or a few months ago?

Late this evening LinkedIn issued a statement confirming the breach and stating that they are still investigating the issue. They also outlined the following steps for those users with compromised accounts:

  1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
  2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email.
  3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

For those of you responsible for the security of your organisation’s systems, I would encourage you to communicate the above messages to your users, but also to reinforce them with:

  • Alert all your users to the breach and tell them that, if they use LinkedIn, they should change their passwords. As we have not yet been informed by LinkedIn of the root cause of the breach, it is possible that any new passwords could be compromised again; however, it is a good proactive step for users to take. Instructions on how to change your LinkedIn password are available here: http://help.linkedin.com/app/answers/detail/a_id/2873
  • If they use the same password for LinkedIn on other websites, networks or indeed your own corporate systems, tell them to change the password on those systems too.
  • Some websites will promise tools to allow people to check if their password is in the compromised database. Tell users not to use these services, as they have no way of validating whether the authors of such tools are legitimate or are simply using the tools to gather passwords.
  • Remind them that if they receive emails that look like they come from LinkedIn they should not click on any links within those emails. LinkedIn have stated “There will not be any links” in any of their official emails. It is good security practice anyway to remind users not to blindly click on links. Below is an example of such an email sent to me earlier today; note the fake sender email address and also how a lower case “L” is used in the URL to replace the “I” in “LinkedIn”.
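The lookalike-URL trick described above (a lower case “l” standing in for “i” in the LinkedIn domain) can be checked for mechanically in mail filters or awareness tooling. The following is an added illustration, not code from the original post; the sample email, the confusable-character table and the `.example` sender domain are all constructed for the demonstration.

```python
import re
from collections import OrderedDict
from urllib.parse import urlparse

LEGIT_DOMAIN = "linkedin.com"

# Characters commonly confused in email/URL fonts (constructed, not exhaustive).
CONFUSABLES = OrderedDict([("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("|", "i"), ("0", "o")])

URL_RE = re.compile(r"https?://[^\s<>\"']+|www\.[^\s<>\"']+", re.I)

def normalise(label: str) -> str:
    """Fold confusable characters to one canonical spelling for comparison."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def registered_domain(url: str) -> str:
    """Host part of a URL minus a leading 'www.' (naive: no public-suffix list)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def is_lookalike(url: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True when the domain is NOT the legitimate one (or a subdomain of it)
    but becomes identical to it once confusable characters are folded."""
    dom = registered_domain(url)
    if dom == legit or dom.endswith("." + legit):
        return False
    return normalise(dom) == normalise(legit)

def suspicious_links(body: str) -> list:
    """Links in an email body whose domain impersonates the legitimate one.
    Per the statement quoted above, any link in a LinkedIn mail is suspect;
    this narrows the list to the ones that spoof the domain itself."""
    return [u for u in URL_RE.findall(body) if is_lookalike(u)]

# Constructed sample phishing mail in the style the post describes.
SAMPLE_EMAIL = """\
From: LinkedIn <notifications@linkedin-mail.example>
Your account has been suspended. Reset your password here:
http://www.linkedln.com/reset?u=12345
Or visit https://www.linkedin.com/ for help."""
```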

As with all security breaches, even when the breach is not in your own organisation, there are lessons that we can learn. Here are some key points I have taken from this breach:

    • Communicate regularly and clearly with the key stakeholders during a breach. Lack of communication means people are left wondering if you are aware of the issue, understand what is going on and are dealing with it.  It also allows those affected to make informed decisions on the impact the breach may have on them.
    • Let people know what actions you have taken and what you plan to do. For example, have you contacted law enforcement? Have you contacted any relevant regulatory bodies? (see my note below regarding the Irish Data Protection Commissioner)
    • What measures are you putting in place to contain the breach? What steps, if any, do users need to take?
    • Make people aware how they can contact you for more information or to alert you of a potential security breach. One of the issues many had today was not knowing who in LinkedIn to contact to make them aware of the issue.
    • Regularly monitor the Internet as an early warning mechanism to alert you to a potential breach. If you see conversations on social media sites about your organisation, or keywords related to your organisation, then this could be an early indication you suffered, or will suffer, a breach.
    • You should also monitor text and file sharing sites for items relating to your organisation, again as possible early indicators of a breach.  Xavier Mertens has a great tool called Pastemon.pl on his blog for monitoring Pastebin for such a purpose.
    • Ensure your developers understand how to securely manage passwords in their applications. Refer them to the OWASP projects guide, the SANS Institute’s Top 25 Most Dangerous Software Errors and to the SAFECode initiative.
    • Make sure your developers know how to keep a password database secure; here is a good overview from Javvad Malik on why you need to hash your password database.
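To make the last two points concrete, here is an added example (mine, not code from the post or from any of the guides it links to) contrasting a single fast, unsalted hash with a per-user salted, iterated key derivation (PBKDF2-HMAC-SHA256 from the standard library). The three-user "password database" is constructed; the iteration count is an assumption chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Weak scheme: one fast, unsalted hash. Two users who chose the same password
# store the same digest, so a single precomputed lookup cracks every copy.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

# Stronger scheme: random per-user salt plus a deliberately slow, iterated KDF.
ITERATIONS = 200_000  # assumption: tune to your hardware budget

def make_record(password: str, salt: bytes = b"") -> str:
    """Return a storable 'pbkdf2_sha256$iterations$salt$hash' record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed sample database: alice and bob picked the same password.
USERS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "correct horse"}

def weak_table() -> dict:
    return {u: weak_hash(p) for u, p in USERS.items()}

def strong_table() -> dict:
    return {u: make_record(p) for u, p in USERS.items()}

def duplicate_hashes(table: dict) -> int:
    """Number of users whose stored value is shared with another user.
    Unsalted table: 2 (alice and bob). Salted table: 0."""
    counts = Counter(table.values())
    return sum(1 for v in table.values() if counts[v] > 1)
```

The duplicate count is the practical point: an attacker holding an unsalted dump recovers every reuse of a popular password in one step, whereas salting forces each record to be attacked separately and the iteration count makes each attempt expensive.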


There will no doubt be further ramifications from this breach over the coming days. The Sophos Naked Security blog says that 60% of the passwords leaked have already been revealed; over the coming hours and days the remaining passwords will no doubt suffer the same fate.

Another issue that LinkedIn will need to consider is what their interaction with the Irish Data Protection Commissioner’s office will be. The Data Protection Commissioner has published its Data Breach Code of Practice, and as LinkedIn has its European headquarters based here in Dublin the code can apply to them. However, note that the code is not mandatory for organisations to follow. It will be interesting to see what happens in that regard and whether or not the Data Protection Commissioner will investigate the breach.

Hopefully, LinkedIn will update us soon on this issue (at the time of writing there was no further update from them) and answer some key questions:

  • How old is the database that was leaked onto the Internet?
  • Was that the complete list of compromised passwords or were more compromised? If so how big is the compromise?
  • How did the password database get leaked and what has been done to prevent it from happening again?
  • Have only the passwords been compromised or is there a corresponding list of accounts that has also been compromised? If so will those users be alerted?
  • Were the attackers targeting any specific users within LinkedIn and if so what type of users were targeted?

Finally, the old saying “it never rains but it pours” rings true today for LinkedIn, as earlier today news broke of a privacy breach relating to the LinkedIn app for the iPad and iPhone platforms.

More resources

    • For those of you looking for more technical details into the passwords themselves, there is an excellent blog on the issue here
    • BH Consulting’s free whitepaper on developing your incident response capabilities is available here.
    • A white paper “Ten Steps for Early Incident Detection” I developed in conjunction with Tripwire Inc is available to download here.  There are also links to a webinar I gave on the same topic.
    • Neira Jones, Head of Payment Security at Barclaycard, has an excellent post on “The Social Media Side of Incident Response”.
    • Finally, I talk to Javvad Malik at Infosecurity on how to deal with a security incident.
