Lessons you can learn from the LinkedIn LeakOut

Last month, millions of LinkedIn members discovered their passwords had been published by hackers. But what can your enterprise learn about security, and how to deal with a breach situation, from this unfortunate incident? Davey Winder investigates...

Positives and negatives

The passwords that were published, whether cracked or not, have been invalidated and members advised by email of how to get a new one. However, I am told that some members did not get any notification emails for several days after the news broke, which isn't good enough. Speed is of the essence and, to mix my metaphors, it's always best to err on the side of caution when dealing with a potential compromise if you want to truly mitigate lasting brand damage. So do ensure that you force a password change on all users as a matter of course, and a matter of best practice, and you do this in a timely but managed way.

One option often executed is to advise all users of the fact that all existing passwords have been revoked, and that a further email will be sent when your account can be reactivated. Apologise for the inconvenience, and explain that it's being done in the interests of security. By staging the reactivation, larger organisations can avoid a server roadblock as users scramble to apply new passwords.

Who's in charge?

I'm not suggesting that LinkedIn has not taken this compromise seriously, quite the opposite is obviously the case: external forensics experts, LinkedIn engineers and the FBI are all working together to get to the bottom of this incident. However, I am suggesting it made fundamental mistakes both before and after the compromise was uncovered. From not salting the password hashes to taking too long to notify all those members whose passwords were potentially compromised.

Other really quite remarkable security faux pas include, in my never humble opinion, the lack of a Chief Information Officer or Chief Information Security Office. Surely a business of the size and value, let alone nature, of LinkedIn demands such a position within the executive management to ensure precisely this kind of incident is less likely to happen and the response more likely to be effective? Leaving the functions of such a position to be dealt with by, in the case of LinkedIn as I understand it, the Senior Vice President for Operations, clearly wasn't good enough.

And, finally...

If you have a privacy policy which states that all personal information submitted will be "secured in accordance with industry standards and technology" as is the case with LinkedIn, then you sure as heck better make sure that's what happens. If you don't, there can be little sympathy when the law suits start flying following a breach, even if you do also state that "There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards."

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Splunk debuts a new suite of cloud security solutions
Security

Splunk debuts a new suite of cloud security solutions

22 Jun 2021
Nvidia Jetson chips make IoT devices vulnerable to attack
vulnerability

Nvidia Jetson chips make IoT devices vulnerable to attack

22 Jun 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021
EU plans to launch bloc-wide cyber task force
cyber attacks

EU plans to launch bloc-wide cyber task force

22 Jun 2021