One of the ways social networks grow, their ace in the hole, is by playing on human nature. When someone you don't know sends you a message asking to be your friend, do you really want to turn him down? If a woman you know on an online forum thinks you should connect to her on Google+, wouldn't a no be an insult? People want to get along, so they click and their networks grow and the social networking companies prosper. At least, they do until someone delivers a wake-up call, as happened just the other day with the business network LinkedIn.
LinkedIn is all about building a network of trusted connections, each given authority by the approval of someone else. But about two weeks ago Russian hackers released a list of 6.5 million passwords that had been lifted off LinkedIn as well as the dating site eHarmony. It turns out that LinkedIn was using outmoded cryptographic methods that failed to secure this sensitive data and, while user names were apparently not compromised, the password leak means anyone with a LinkedIn account should change their password just to be on the safe side.
LinkedIn has since put a new form of security in place that includes techniques called hashing and salting, which sound like something from a Food Network show but are actually ways of transforming a stored password and adding extra information to it so that it is far more difficult to decode. This is good news for those anticipating a future relationship with LinkedIn, but the company's security gaffe leaves some existing users in an uncomfortable position. For the LinkedIn password is just the tip of the iceberg when it comes to the way many people manage their online identities.
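As an added illustration (not code from the column, and not LinkedIn's own implementation), this Python sketch contrasts an unsalted, single-pass hash, from which a leaked list can be cracked with a precomputed table, against a per-user salted, iterated hash; the iteration count and the sample passwords are assumed for the illustration.

```python
import hashlib
import hmac
import os

# Unsalted, fast hash: the kind of outmoded scheme the column refers to.
# Two users with the same password get the same digest, so one precomputed
# table of common passwords cracks every matching account at once.
def unsalted_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Salted, slow hash: a random per-user salt is stored beside the digest, and
# PBKDF2 repeats the hash many times so each guess costs the attacker work.
ITERATIONS = 100_000  # assumed work factor for this illustration

def store_password(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": ITERATIONS}

def verify_password(password: str, record: dict) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    # Constant-time comparison so response timing does not leak how much matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))

def same_password_same_record(password: str) -> tuple:
    """Return (unsalted digests equal, salted digests equal) for two users
    who both chose `password`: True/False shows why the salt matters."""
    alice_weak, bob_weak = unsalted_hash(password), unsalted_hash(password)
    alice_strong, bob_strong = store_password(password), store_password(password)
    return (alice_weak == bob_weak, alice_strong["digest"] == bob_strong["digest"])

if __name__ == "__main__":
    sample = "correct horse battery staple"  # constructed sample password
    rec = store_password(sample)
    print(same_password_same_record(sample))  # (True, False)
    print(verify_password(sample, rec))       # True
    print(verify_password("wrong guess", rec))  # False
```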
Beware of links
Problem one surfaced almost immediately in the form of phishing attacks that tried to exploit the stolen passwords. Phishing involves phony emails from hackers trying to pry information out of you by posing as someone else, usually a bank or a trusted business. In this case, a series of phishing messages went out purportedly from LinkedIn itself, advising users that their password was one of those compromised and asking them to enter their personal information so the situation could be fixed. Needless to say, none of these emails were actually from LinkedIn, and you should not make any password changes from them.
A phishing attack can contain links that, when clicked on, install malware on your computer, which is why you never want to click on links in email to change or verify your accounts at any site. The people behind these attacks, moreover, are doubtless not very interested in LinkedIn itself but in what their password list can lead to.
Use a password manager
For if you're one of those people who can't remember passwords and therefore use the same password on multiple sites, you're now, if you're a LinkedIn user, forced to change your passwords at every one of those sites. The hackers will use their ill-gotten password list not to hack LinkedIn itself but to get into online banking or any other sites where illegal access leads to money. Yes, multiple passwords are hard to remember, so use a password manager like KeePass (keepass.info) to store all your passwords under a single, secure key.
You must use a different password on each site where you keep an account, because your online identity is too important to be compromised by a company that's not minding the store. As for LinkedIn itself, the company has had complaints about user calendar information being collected by its mobile application and matched to user profiles, an opt-in feature but one that has led LinkedIn to clarify how it deals with personal information. The company has revised its policies, but social networking has always played fast and loose with privacy, and hacked passwords are just one more reason you should be evaluating your security habits.
Paul A. Gilster is the author of several books on technology. Reach him at firstname.lastname@example.org.