LinkedIn's response to password breach raises troubling questions

Summary: LinkedIn's latest blog post raises more questions than it answers. And does the company have the leadership it needs to respond effectively?

LinkedIn has taken to its company blog to explain what it is doing to mitigate a data breach that led to 6.46 million account passwords leaking online.

It's believed the passwords were hashed, but no measures were taken to make those hashes harder to crack --- a process known as 'salting'.

The company could have foreseen a security issue. Perhaps it would have, had LinkedIn employed a chief information officer (CIO) or a chief information security officer (CISO)?

"We don't currently have executives with those specific titles, but Kevin Scott, senior vice president, engineering, and David Henke, senior vice president, operations, oversee the functions," a LinkedIn spokesperson told InfoRiskToday's Eric Chabrow.

Chabrow notes Scott's and Henke's resumes are "impressive" and appear "well-versed." They have to be. Henke is listed as being responsible for "production operations, IT, data systems, and security."

But there appears to be no person at the top of the chain of command who is leading the risk management or information security strategy.

The 'professional' social network said a lot of things in its company blog post, but crucially left out vital details. As one of my colleagues put it, the blog post itself is "bizarrely" written.

Between the lines, one at a time:

"Yesterday we learned that approximately 6.5 million hashed LinkedIn passwords were posted on a hacker site. Most of the passwords on the list appear to remain hashed and hard to decode, but unfortunately a small subset of the hashed passwords was decoded and published."

Almost from the word go, more than 300,000 passwords had been cracked. Most of these were weak --- "password" and "123456" among others.

As CNET's Elinor Mills explains, the passwords were not stored in plain text but were "hashed". In LinkedIn's case, SHA-1 was used to hash the passwords. But a bare SHA-1 hash of a password needs a per-user 'salt' to resist precomputation, and 'unsalted' hashes can be cracked with relative ease using look-up tables or brute-force tools.

Security firm Sophos later said the leaked cache listed 5.8 million unique passwords with 3.5 million already cracked. This means more than 60 percent of the passwords had been recovered from their hashes.

This is far more than a "small subset". In fact, it's a majority. Why LinkedIn omitted this important fact evades me.
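To make the salting point concrete, here is an added example (not code from the article, CNET or LinkedIn) that contrasts a bare SHA-1 password hash with a salted one, and with a deliberately slow PBKDF2-based scheme. The list of weak passwords and the per-user salts are constructed for the demonstration; the two weak passwords quoted above, "password" and "123456", show why an unsalted dump is so quickly recovered by a precomputed look-up table, while the same table is useless against salted hashes.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed list of weak passwords (a tiny stand-in for a real cracking wordlist).
WEAK_PASSWORDS = ["password", "123456", "linkedin", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one bare SHA-1 of the password. Every user who picks the
    same password ends up with the identical hash, so one precomputed table
    recovers all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password for a candidate list. Real look-up and rainbow
    tables do exactly this for billions of candidates, once, ahead of time."""
    return {sha1_unsalted(p): p for p in candidates}


def recover_from_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a password by table lookup; None means the table does not contain it."""
    return table.get(stored_hash)


def count_recoverable(stored_hashes: Iterable[str], table: Dict[str, str]) -> int:
    """How many hashes in a dump fall to the table (the Sophos-style '3.5 million cracked' figure)."""
    return sum(1 for h in stored_hashes if h in table)


def sha1_salted(password: str, salt: bytes) -> str:
    """Same hash function, but a per-user random salt is mixed in first. The table
    built above no longer matches, and an attacker would need a new table per salt."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> Tuple[bytes, bytes, int]:
    """Hardened storage: per-user random salt plus a slow, iterated KDF (PBKDF2-HMAC-SHA256),
    so each guess costs the attacker many hash computations instead of one."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Recompute and compare in constant time; store (salt, digest, iterations) per user."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(WEAK_PASSWORDS)

    # Unsalted: the hash of "password" is the same everywhere, so the table finds it instantly.
    print("unsalted 'password' recovered as:", recover_from_table(sha1_unsalted("password"), table))

    # Salted: two users with the same password get different hashes, and the table finds neither.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    print("salted hashes differ:", sha1_salted("password", salt_a) != sha1_salted("password", salt_b))
    print("salted 'password' recovered as:", recover_from_table(sha1_salted("password", salt_a), table))

    # Hardened: slow KDF, verified without ever storing the password.
    salt, digest, iters = hash_password("correct horse battery staple")
    print("verify right password:", verify_password("correct horse battery staple", salt, digest, iters))
    print("verify wrong password:", verify_password("password", salt, digest, iters))
```

The order of the operations matters for the defender: a table is built once and reused against every unsalted hash ever leaked, whereas a per-user salt forces the work to be redone per account, and an iterated KDF makes each of those attempts expensive.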

Next up:

"To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event."

LinkedIn is not quelling fears that user accounts may have been stolen. Just because they haven't been published doesn't mean they aren't sitting on someone's hard drive somewhere. Also, LinkedIn has failed to explain how the passwords were stolen in the first place. Granted, we're still in the early days, and law enforcement is investigating which may take time.

The wording of "verified" strikes me as odd. LinkedIn says it has not received any "verified reports" of third-party access to accounts. Does this mean there have been unverified reports? Anyway, who's "verifying" such reports? Is LinkedIn searching Twitter for complaints from known users, or is it actively monitoring who is logging in, in a bid to detect suspicious login activity?

Should users complain of unauthorised access to the company, this would indicate a verified report, one would at least hope. Then again, if email addresses and passwords were kept separately or if only passwords were stolen, it would significantly reduce the chance of third-party account access.
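The article asks whether LinkedIn is actively watching logins for suspicious activity after the leak. As an added example (not code from the article or from LinkedIn), the following sketches two checks a defender would run over an authentication log in the days after a credential leak: a single source address successfully signing in to many distinct accounts within a short window, and an account successfully signing in from an address it has never used before. The log format, account names, addresses and the "known sources" history are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class LoginEvent(NamedTuple):
    ts: datetime
    account: str
    src_ip: str
    success: bool


# Constructed sample authentication log (hypothetical format, not LinkedIn's):
# ISO timestamp, account, source IP, result. 203.0.113.7 walks through several accounts.
SAMPLE_LOG = """\
2012-06-07T09:00:01 alice 198.51.100.10 OK
2012-06-07T09:00:15 bob 198.51.100.22 OK
2012-06-07T09:01:02 carol 203.0.113.7 OK
2012-06-07T09:01:09 dave 203.0.113.7 OK
2012-06-07T09:01:14 erin 203.0.113.7 FAIL
2012-06-07T09:01:20 erin 203.0.113.7 OK
2012-06-07T09:01:31 frank 203.0.113.7 OK
2012-06-07T09:01:40 alice 203.0.113.7 OK
2012-06-07T09:30:00 bob 198.51.100.22 OK
"""

# Constructed per-account history of addresses seen before the leak.
KNOWN_SOURCES: Dict[str, Set[str]] = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.22"},
}


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the constructed log format into events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src_ip, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), account, src_ip, result == "OK"))
    return events


def ips_hitting_many_accounts(events: List[LoginEvent], window: timedelta,
                              min_accounts: int) -> Dict[str, Set[str]]:
    """Flag source IPs that successfully logged in to at least `min_accounts` distinct
    accounts within any `window`-long span: the shape of a leaked-credential replay."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in events:
        if e.success:
            by_ip[e.src_ip].append(e)
    flagged: Dict[str, Set[str]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            accounts = {e.account for e in evs[i:] if e.ts - start.ts <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged


def logins_from_unseen_sources(events: List[LoginEvent],
                               known: Dict[str, Set[str]]) -> List[LoginEvent]:
    """Flag successful logins from an address the account has no prior history with.
    Accounts with no history at all are skipped: there is nothing to compare against."""
    return [e for e in events
            if e.success and e.account in known and e.src_ip not in known[e.account]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, accounts in ips_hitting_many_accounts(evs, timedelta(minutes=10), 5).items():
        print(f"{ip} signed in to {len(accounts)} accounts: {sorted(accounts)}")
    for e in logins_from_unseen_sources(evs, KNOWN_SOURCES):
        print(f"{e.account} signed in from new address {e.src_ip} at {e.ts.isoformat()}")
```

Both checks produce leads rather than verdicts: a shared corporate proxy will trip the first one, and travel will trip the second, so the output feeds a review queue or a step-up challenge rather than an automatic lockout.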

If only a list of passwords were taken, with no corresponding email addresses, it's just a list of passwords. It's like publishing every four-digit combination from 0000 to 9999 on a website and claiming to have your credit card PIN.

The last bit raised an eyebrow:

"Finally, our current production database for account passwords is salted as well as hashed, which provides an additional layer of security."

While this is good news, "when" this happened remains unclear. On Wednesday, in LinkedIn's first post on the subject, Vicente Silveira explained this happened "recently." However, it does not indicate whether the change was applied last month, this week, or yesterday.

LinkedIn was not available for comment at the time of writing.

Image credit: CNET.

Talkback

9 comments
  • +1

    Keep following this story. Linkedin's response is a throwback to the days when companies would deny data breaches rather than come clean. The exploit is a black mark against linkedin. In and of itself, many companies face these issues and I can give them a pass. However, their woefully inadequate followup causes me to seriously consider using their website altogether.
    Your Non Advocate
    • I don't use social networking, but if I did...

      They seem to be saying that they don't really HAVE people solely responsible for security, and their processes are half-assed. I can't imagine why they would admit that.

      I'm not sure which is worse: saying you don't take security seriously, or saying you don't have a problem but it's the user's fault.
      pishaw
  • Zack did good work with this issue

    For now LinkedIn "professional network" was proven to be unprofessional.
    DDERSSS
  • "What's in a name?"

    "chief information officer (CIO), or a chief information security officer (CISO), it may have done?"

    We have a saying here in the U.S., "Too many Chiefs, not enough Indians."

    Any large business has someone whose duties specifically include being in charge of "risk management". Most companies don't specifically segregate "information" or "information security" because it starts getting ridiculous. Are they also going to appoint a "Chief Copier Safety Officer", "Chief Hallway Safety Officer", etc?

    Once you get some real business experience you'll start understanding corporate management structures.
    Rick_R
  • Account cancelled

    No more "networking" sites for me....
    12312332123
  • Mmmmm....

    Salted hash!
    Joe_Raby
  • I, For what it may be worth, closed my account

    This is the first time a security issue has raised a concern for me. Consequently, I have deemed it necessary to close my account and have nothing more to do with LinkedIn. I never even got any communication from them.
    Ashtonian
  • Cannot change LinkedIn password with their instructions!

    LinkedIn's instructions for resetting passwords do not work and just refer the user back to their emailed instructions. Additionally, they appear to have eliminated all security by asking the user to log in with their email address and click "Sign In, no password necessary"!

    LinkedIn is either too lazy or too stupid to assign temporary passwords and email them to the affected users.
    generenner
  • linkedin security breach

    Nothing is secure on the internet, so: 1) change passwords regularly and frequently 2) be careful WHAT you put online 3) as soon as you hear of a security breach, change your password. 4) Don't quit using a good service, help them catch the perpetrators. Message to Linkedin: "Get your members involved in catching hackers!" I don't know how to do this but I'm sure you can use all of our combined wisdom to come up with a great idea. Let's do a PBL exercise together.
    dm5hats139