iTWire strongly recommends everyone log into LinkedIn and change their password. And those readers silly enough to reuse the password at sites which know the same email address should also change the password there (to something different!).
Sophos agrees with this sentiment.
With this breach clearly in mind, this afternoon iTWire approached LinkedIn for their thoughts on the breach. In response, we were told:
"We aren't participating in interviews at this time. However, we will continue to keep you in the loop regarding updates via the LinkedIn blog."
Goodness, all we wanted to know was what this meant for LinkedIn's subscribers.
For want of an answer, these are the questions we'd hoped to have answered (please excuse the 'chatty' language).
1. What led LinkedIn to detect the breach? Did you find out yourselves? Were you told? Did someone find the password dump and report to you guys?
2. Who has received the notification email? How confident are you that it has gone to all affected members? (I don't seem to be affected, I didn't receive any email and earlier today was able to log in and changed my password)
Note - at least 2 iTWire staffers found their LinkedIn accounts had been disabled and did NOT receive an email.
3. Vincente's blog (linked above) refers to "enhanced security we just recently put in place." Does "recently" mean before or after the breach was detected? I would have expected the kinds of things he outlined to be regarded as Security 101 topics... not an upgrade of existing security.
4. What is the background to confirming that "some of the passwords that were compromised correspond to LinkedIn accounts?" Is Vincente suggesting there is garbage in the list, that there is no matching LinkedIn account for a good number of the passwords? Also, if, as you are saying, only passwords were leaked, how are you linking them back to accounts? Is it a simple match-up of password hashes?
6. How was the data obtained? 6 million out of 140 million seems a strange amount: neither the whole database nor an amount that could be harvested manually. Was this an insider job? A genuine across-the-web hack? Something else?
All important to those affected and to most Internet users.
To this, we repeat the response (mentioned earlier) from LinkedIn's Australian representative, "We aren't participating in interviews at this time. However, we will continue to keep you in the loop regarding updates via the LinkedIn blog."
This is simply not good enough. Not remotely good enough, especially for a publicly listed company.
Allow us to observe that organisations that are open about such problems tend to engender public support. Those that duck the issue seem to be taking the first step on a downward spiral to destruction.
And in the highly volatile social networking world (and the publicly-listed company world), confidence is everything.
BTW... for those intrepid souls who seek the stolen passwords: they're not on PasteBin (this time!). Also, if you trust it enough, there's a site (https://leakedin.org/) that will compare your password against the stolen list (of course, readers are welcome to randomly try for the password jackpot!).
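Question 4 above asks how a bare list of leaked passwords can be linked back to accounts, and the paragraph above describes a site that compares your password against the stolen list. Both come down to the same operation, which the following added example illustrates. It is not code from iTWire, LinkedIn or leakedin.org; it assumes the dump consists of unsalted SHA-1 digests (the form the 2012 LinkedIn dump was reported to take, though this article does not say so), and all accounts, emails and hashes in it are constructed for the example.

```python
import hashlib
from typing import Dict, List, Set


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, hex-encoded: the hash form assumed for the dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1_hex(password: str, salt: str) -> str:
    """Per-user salted variant, used below to show why cross-matching then fails."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


# Constructed leak: digests only, no account identifiers. Real dumps mix case
# and contain blank or malformed lines, so the parser normalises and skips those.
LEAKED_DUMP_TEXT = "\n".join([
    sha1_hex("password"),
    sha1_hex("123456").upper(),
    "",
    "not-a-hash",
    sha1_hex("12345"),
]) + "\n"

# Constructed operator-side account table: email -> stored (unsalted) hash.
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": sha1_hex("password"),
    "bob@example.com": sha1_hex("password1"),
    "carol@example.com": sha1_hex("123456"),
}


def parse_dump(text: str) -> Set[str]:
    """Load a hash-per-line dump into a set of lower-case 40-hex-char SHA-1 digests."""
    hashes = set()
    for line in text.splitlines():
        h = line.strip().lower()
        if len(h) == 40 and all(c in "0123456789abcdef" for c in h):
            hashes.add(h)
    return hashes


def affected_accounts(accounts: Dict[str, str], leaked: Set[str]) -> List[str]:
    """Operator-side match-up: accounts whose stored hash appears in the dump.

    This works only because both sides are unsalted: identical passwords give
    identical digests, so a bare hash list can be joined back to accounts and
    those users can be forced to reset."""
    return sorted(email for email, h in accounts.items() if h.lower() in leaked)


def password_in_dump(password: str, leaked: Set[str]) -> bool:
    """User-side check done locally: hash the candidate and test membership.

    The plaintext never leaves the machine, unlike pasting it into a
    third-party checking site."""
    return sha1_hex(password) in leaked


def salted_hash_in_dump(password: str, salt: str, leaked: Set[str]) -> bool:
    """With a per-user salt the digest of the same password differs per
    account, so an unsalted dump cannot be matched against it."""
    return salted_sha1_hex(password, salt) in leaked


if __name__ == "__main__":
    leaked = parse_dump(LEAKED_DUMP_TEXT)
    print("parsed", len(leaked), "hashes")
    print("affected:", affected_accounts(ACCOUNTS, leaked))
    print("'password' leaked?", password_in_dump("password", leaked))
    print("salted 'password' matches?", salted_hash_in_dump("password", "s3", leaked))
```

The same membership test serves two very different parties: the site operator uses it to find which accounts need a forced reset, and an individual can run it against a copy of the list without handing the plaintext to anyone. The salted variant shows why a per-user salt turns "is this hash in the list?" into a question that cannot be answered from the dump alone.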
Oh, and one other thing... will actively-trading LinkedIn shareholders treat this as a good thing, or a bad thing?