It’s time to change your LinkedIn passwords.
The company confirmed Wednesday that it had been hit with a breach, and sent e-mails to its affected users. Security experts estimate that more than six million passwords from LinkedIn’s 160 million users were affected in the breach, based on the files that have been posted on hacking sites asking for help cracking the encryption on the passwords.
The dating site eHarmony was also hit with a breach, the company said on its Web site — around 1.5 million passwords were taken, according to a report from Ars Technica.
Few details have been offered about the attack itself, with the companies saying they are continuing to investigate the situation.
It’s a good reminder for everyone to think about password security, particularly if you take a risk by using the same password for several accounts. You make it very easy for hackers, for example, if you log in to LinkedIn with a Google or Yahoo account and also share passwords between those sites.
On Wednesday, the head of Google’s webspam team, Matt Cutts, warned his Twitter followers that using the same password for multiple accounts could lead to problems.
“Use the same password on LinkedIn & Gmail?” he wrote. “I’d change both immediately.”
Sites like LinkedIn and eHarmony are prime targets for criminals. Malicious hackers look for ways to access a trove of personal data for relatively little work, said security expert Hemanshu Nigam, of the security consulting firm SPP Blue.
LinkedIn, particularly, can be attractive to hackers because the professional information they can steal from the site is easy to use in fake e-mail “phishing” scams.
“I think people oftentimes don’t realize the extreme value of professional information,” Nigam said. Because the e-mails come from a business associate or simply from a trusted domain name, Nigam said, “The trust level in these settings is much higher than on the open Internet.”
It’s been a rough week for LinkedIn, as the company addressed one privacy issue only to move into another. Before the attack, LinkedIn had addressed a separate privacy issue: researchers found the company was taking more data from smartphone calendar apps than was indicated in its terms of service. The company had been sending all the information in some calendar events to its servers in order to sync it with the LinkedIn app on users’ phones.
The data-slurping was discovered by security researchers Adi Sharabani and Yair Amit. Sharabani said it is an example of a good feature that wasn’t thought through quite enough.
“It’s a great feature,” Sharabani said. “The major trouble is that they did it without telling the user.”
He was particularly concerned that LinkedIn’s servers were getting data taken from calendar meeting notes, which could include things like call-in numbers and passcodes. LinkedIn said Wednesday that it would no longer send the note data to its servers.
The researchers were pleased that the company responded to their findings so quickly, but would still like to see it change its policies to further protect personal information: data belonging to people who aren’t LinkedIn members, such as e-mail addresses, may still be included in the fields the company sends to its servers.
Sharabani added that the breach highlights why companies need to be clear about what data they collect and should give consumers more control over their data.
“I don’t suspect [LinkedIn] of doing this deliberately and maliciously; however, it is not just LinkedIn that I’m concerned about. Now you also have to trust the people who broke into LinkedIn’s servers — and I don’t,” he said.
Nigam said that LinkedIn is a good example of a company that grew faster than it expected to, and therefore may not have thought through security at every step. The fact that the stolen passwords were hashed — a one-way cryptographic process that obscures the passwords — shows that LinkedIn has put some thought toward privacy.
“If you think about it, when companies grow quietly and almost under the radar like LinkedIn has done in the past several years, sometimes a security issue is what’s needed for a company to take extremely seriously safety, security and privacy,” Nigam said.
He said LinkedIn should use the wake-up call to look carefully at how its data is protected, what data it collects and how that all matches up with its terms of service.
He also said the company has to start thinking about security and privacy as part of its design process to head off attacks like this in the future, particularly as policy makers push for data breach legislation. If companies can make their data too much trouble to deal with, he said, criminals will head elsewhere.
“They can still make a great product that government officials like — and that hackers are bored by,” Nigam said.