LinkedIn's response to password breach raises troubling questions
LinkedIn has taken to its company blog to explain what it is doing to mitigate a data breach that led to 6.46 million account passwords leaking online.
It's believed the passwords were hashed but measures were not taken to bolster the algorithm's security --- a process known as 'salting'.
The company could have foreseen a security issue. Perhaps if LinkedIn had a chief information officer (CIO), or a chief information security officer (CISO), it may have done?
"We don't currently have executives with those specific titles, but Kevin Scott, senior vice president, engineering, and David Henke, senior vice president, operations, oversee the functions," a LinkedIn spokesperson told InfoRiskToday's Eric Chabrow.
Chabrow notes Scott's and Henke's resumes are "impressive" and appear "well-versed." They have to be. Henke is listed as being responsible for "production operations, IT, data systems, and security."
But there appears to be no person at the top of the chain of command who is leading the risk management or information security strategy.
The 'professional' social network said a lot of things in its company blog post, but crucially left out vital details. As one of my colleagues put it, the blog post itself is "bizarrely" written.
Between the lines, one at a time:
"Yesterday we learned that approximately 6.5 million hashed LinkedIn passwords were posted on a hacker site. Most of the passwords on the list appear to remain hashed and hard to decode, but unfortunately a small subset of the hashed passwords was decoded and published."
From almost the word go, more than 300,000 passwords had been cracked. Most of these were weak --- "password" and "123456" among others.
As CNET's Elinor Mills explains, the passwords were not stored in plain text, but were "hashed". In LinkedIn's case, SHA-1 was used to hash the passwords. But SHA-1 requires 'salt' to boost security, and 'unsalted' passwords can be cracked with relative ease using look-up tables or brute-force tools.
Security firm Sophos later said the leaked cache listed 5.8 million unique passwords with 3.5 million already cracked. This means more than 60 percent of the passwords had been decrypted.
This is far more than a "small subset". In fact, it's a majority. Why LinkedIn omitted this important fact evades me.
Next up:
"To the best of our knowledge, no email logins associated with the passwords have been published, nor have we received any verified reports of unauthorized access to any member’s account as a result of this event."
LinkedIn is not quelling fears that user accounts may have been stolen. Just because they haven't been published doesn't mean they aren't sitting on someone's hard drive somewhere. Also, LinkedIn has failed to explain how the passwords were stolen in the first place. Granted, we're still in the early days, and law enforcement is investigating which may take time.
The wording of "verified" strikes me as odd. LinkedIn says it has not received any "verified reports" of third-party access to accounts. Does this mean there have been unverified reports? Anyway, who's "verifying" such reports? Is LinkedIn searching Twitter for complaints from known users, or is it actively monitoring who is logging in in a bid to detect suspicious login activity?
Should users complain of unauthorised access to the company, this would indicate a verified report, one would at least hope. Then again, if email addresses and passwords were kept separately or if only passwords were stolen, it would significantly reduce the chance of third-party account access.
If only a list of passwords were taken with no corresponding email addresses, it's just a list of passwords. It's like writing every single four-digit number combination from 0000 and 9999 on a website, and claiming they have your credit card PIN number.
The last bit raised an eyebrow:
"Finally, our current production database for account passwords is salted as well as hashed, which provides an additional layer of security."
While this is good news, "when" this happened remains unclear. On Wednesday, in LinkedIn's first post on the subject, Vicente Silveira explained this happened "recently." However it does not indicate whether the change was applied last month, this week, or yesterday.
LinkedIn was not available for comment at the time of writing.
Image credit: CNET.
Related: