Rapid response to LinkedIn breach key, security experts say

Social networking site acknowledged breach on Wednesday, but the company has more damage control to do -- and fast


June 06, 2012 CSO — The professional social networking site LinkedIn officially acknowledged late Wednesday afternoon that hackers had breached its system and obtained user names and hashed passwords.

Its task now, say security experts, is to protect its reputation with the kind of rapid mitigation and transparent, professional response that will be credible to its 160 million members.

LinkedIn Director Vicente Silveira, who acknowledged the breach in a blog post, did not confirm how many of about 6.5 million passwords posted on a Russian hacker forum belonged to members.

But he acknowledged that "some of the passwords that were compromised correspond to LinkedIn accounts," adding that members with compromised passwords "will notice that their LinkedIn account password is no longer valid."

"These members will also receive an email from LinkedIn with instructions on how to reset their passwords," he said. "There will not be any links in these emails. For security reasons, you should never change your password on any website by following a link in an email."

Torsten George, vice president of worldwide marketing and products for Agiliance, said the response so far amounts to a decent start -- much better than the way the breach of Global Payments was handled. Global Payments was evasive with the press and claimed in April that it had discovered the breach in March and that it affected fewer than 1.5 million card accounts. Later reports put that number at 7 million or more, and Visa and MasterCard later sent out warnings that the breach dates back at least to June 2011.

"I think they will do everything they can to report to their stakeholders and their community. I think right now they are just struggling with an overwhelming amount of data," George said.

The company clearly has some public relations damage control to do. As numerous reports have noted, LinkedIn has used the Secure Hash Algorithm 1 (SHA-1) to protect users' passwords. But that offers less protection than a technique called salted hashing, which security experts have for some time recommended that organizations use. "Salting" the hashes involves merging the hashed password with another combination and then hashing for a second time.
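The contrast drawn above, as an added example that is not from the article or from LinkedIn: it stores the same constructed accounts first as plain SHA-1 digests and then as salted records, and shows what each leaks. It assumes the common construction of a random per-user salt fed into PBKDF2-HMAC-SHA256 rather than the two-pass scheme the article sketches; the account names, passwords and function names are made up for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob happen to share a password.
ACCOUNTS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "S3parate!"}

def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: the unsalted storage the article describes."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_record(password: str, iterations: int = 200_000) -> dict:
    """Random 16-byte per-user salt plus PBKDF2 (assumed hardened scheme)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def exposed_by_table(stored: dict, wordlist: list) -> list:
    """Accounts whose unsalted digest matches one table built once per wordlist."""
    table = {unsalted_sha1(word) for word in wordlist}
    return sorted(user for user, digest in stored.items() if digest in table)

def shared_digests(stored: dict) -> int:
    """How many accounts store a digest identical to another account's."""
    values = list(stored.values())
    return sum(1 for value in values if values.count(value) > 1)

if __name__ == "__main__":
    unsalted = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    print("unsalted duplicates:", shared_digests(unsalted))
    print("matched by one table:", exposed_by_table(unsalted, ["linkedin2012"]))
    print("salted duplicates:",
          shared_digests({u: r["digest"] for u, r in salted.items()}))
    print("login still works:", verify("linkedin2012", salted["alice"]))
```

Without a salt, every account that uses a given password stores the same digest, so one table serves the whole dump; with a per-user salt each record has to be worked on separately, and the iteration count raises the cost of each guess.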

Todd Thiemann, senior director, product marketing for Vormetric, said salting the password data "is a best practice that was not done." He said he doesn't know of all the countermeasures LinkedIn may have in place, but this failure "makes me scratch my head. But, we're all fallible."

He said among the major questions the LinkedIn community will want answered are, "How did the bad guys get this information? And if they got that, what else did they get?"
