Not a great day for LinkedIn. First they are exposed as taking data without your consent, then it emerges they have been hacked and millions of passwords stolen.
Quickly, to summarise:
The LinkedIn app for mobile devices has been found to take a copy of your meeting notes and upload this data to the LinkedIn servers. On the mobile app you can sync your local calendar, but as well as the basic schedule data the app is taking the meeting notes, which could be sensitive. LinkedIn later responded that it would “no longer send data from the meeting notes section of your calendar”.
Next it emerges that around 6.5 million login names and passwords have been stolen — from a user base of around 150 million. The passwords are hashed (scrambled by a one-way function rather than stored in plain text), but what has emerged is that the hashes are not salted.
When a password is hashed it is converted into an unrecognisable hexadecimal number. So ‘password’ could become ‘5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8’. A simple but essential technique. The problem is that ‘password’ always becomes the same value when hashed. If a hacker wants to find out who is using the word ‘password’ as their login details they simply hash ‘password’ and then search the 6.5 million entries for it. Apparently in the stolen data there are many instances of people using ‘linkedin’ as their password — stupid in itself.
As a second stage a hashed password should be salted. This means that a secret key is added to the password; when you create your account and set the password as ‘password’ it is salted then hashed:
password => our-secret-key-password => 254ee878fdd6cfe3d90b68d7aa293b00049d1062.
The hash is always the same, but if the website never shares the key then it is almost impossible to figure out the password.
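Added example (not code from the post or from LinkedIn) showing why an unsalted SHA-1 dump can be searched with one hash per guess, and what salting changes. It goes beyond the post's site-wide secret key: the salted version uses a random per-user salt stored beside each hash (the usual meaning of "salt"; a single site-wide key is normally called a pepper) and PBKDF2 to make each guess cost more. The dump and passwords below are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an unsalted SHA-1 dump: hashes computed here from
# weak passwords, not rows from the real leak. A real dump is just such a set.
WEAK_PASSWORDS = ["password", "linkedin", "123456"]
LEAKED_DUMP = {hashlib.sha1(p.encode()).hexdigest() for p in WEAK_PASSWORDS}
LEAKED_DUMP.add(hashlib.sha1(b"correct horse battery staple").hexdigest())


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 as the post describes: same input, same output, always."""
    return hashlib.sha1(password.encode()).hexdigest()


def find_unsalted(dump: set, guesses: list) -> dict:
    """One hash per guess covers every user at once in an unsalted dump."""
    hits = {}
    for guess in guesses:
        digest = sha1_hex(guess)
        if digest in dump:
            hits[guess] = digest
    return hits


def hash_with_site_key(password: str, site_key: str) -> str:
    """The post's scheme: one secret key for the whole site prepended to the
    password. Two users with the same password still share the same hash."""
    return sha1_hex(f"{site_key}-{password}")


def make_salted_record(password: str) -> tuple:
    """Random per-user salt stored next to the hash; PBKDF2 slows each guess."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex(), digest.hex()


def verify_salted(password: str, salt_hex: str, stored_hex: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the digests."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest.hex(), stored_hex)


if __name__ == "__main__":
    print(find_unsalted(LEAKED_DUMP, ["password", "linkedin", "orange"]))
    a, b = make_salted_record("password"), make_salted_record("password")
    print(a[1] != b[1], verify_salted("password", *a))
```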
Amazingly LinkedIn appear not to have salted — a schoolboy error and massive faux pas!
So what does this mean for me?
Well, first you should change your password on LinkedIn as soon as possible. Secondly, and far more importantly, any other site where you use the same login details (email & password) should also be changed. Think about it: if your login is firstname.lastname@example.org and your LinkedIn password is ‘orange’, any hacker will also try logging in to Hotmail with the same password, and it might work if you have been stupid!
Go do it now! Don’t waste any more time. Think of all the personal details a hacker could gain from your email, Facebook, etc!
And finally, the basic rule — don’t use the same password on all your sites; at the very least use different passwords for key sites like email and banking.