Lessons you can learn from the LinkedIn LeakOut

Last month, millions of LinkedIn members discovered their passwords had been published by hackers. But what can your enterprise learn about security, and how to deal with a breach situation, from this unfortunate incident? Davey Winder investigates...

Dealing with disaster

All businesses want to mitigate potential brand damage that a hacking incident can cause. Damage limitation should start as soon as possible by confirming that customer personal and financial data has not been exposed. I'm not convinced LinkedIn pulled this off after they suffered a breach. Disclosure has to be timely, complete (within regulatory compliance boundaries for your industry) and accurate if it is to truly mitigate damage. Most importantly, it has to be perceived as being a genuine explanation and not merely a marketing exercise if your customers and business partners are to be satisfied.

LinkedIn director Vicente Silveira has gone on the record to state:

1. The compromised passwords were not published with any corresponding email logins

2. The majority of the passwords when published were in hashed form

3. There appears not to be any LinkedIn member information that has been published anywhere as a result of the stolen password list appearing online

So what do I mean by 'perceived as genuine' and why doesn't this cut the mustard in my opinion? Well, even if it were not your intention, a statement that could easily be interpreted as simply papering over the cracks will do more damage than no statement at all. Just because a list of passwords was published without their corresponding logins does not mean those logins were not also obtained. If you KNOW that logins were not stolen then say so; if you don't yet know then make your position clear. Similarly, a few days after the incident was uncovered, don't bother making a big deal that no associated personal data has been published online because, frankly, that means nothing. By all means state categorically that none was compromised if you know that to be a fact, but stating that the worse hasn't happened yet (which is, in effect, all this actually says) is not a good strategy for putting customers minds at rest.

Rubbing salt on the wound

I have, however, saved the biggest problem for last and that's the statement regarding password hashes. Much was made within hours of the leak being uncovered concerning the fact that apparently the LinkedIn password database system only hashed and didn't also salt the member passwords. This statement was the perfect opportunity, a few days later, to put the record straight and apologise for a pretty basic lapse in security thinking.

Admittedly LinkedIn did say that it was moving member passwords from a hashed database to one that was hashed and salted, but no explanation was made as to why this wasn't there from the get go. As one web developer told me "salting passwords was in my PHP development 101 class at college" so how come a system with the resources (in terms of manpower, knowledge and finance) happened to think it not worth bothering with for a system of this size? Actually, scrap that last comment and replace it with 'for a system of ANY size'. Protecting passwords with a solitary single layer of defence, a SHA-1 hash, is akin to using an intruder alarm from the pound shop to guard your office instead of a state of the art system backed up by on-premises patrols with dogs.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type

How to find RAM speed, size and type

8 Apr 2021
Roadmap 2021: What’s coming from 3CX
Advertisement Feature

Roadmap 2021: What’s coming from 3CX

30 Mar 2021