LinkedIn hack is much worse than you think
Today's LinkedIn hack, exposing more than 6 million encrypted passwords, is more serious than it might appear and reveals one of the biggest security shortcomings social networks pose: linked or shared data. Because accounts are literally linked in, one compromised account exposes information about others; then there is the sheer amount of personal data hackers can siphon.
LinkedIn hasn't confirmed the hack, but is investigating. Meanwhile, the stolen data is already available on the Internet. Cyber-security expert Robert David Graham says he has confirmed "this hack is real". The stolen data was published as password hashes. He created a SHA-1 hash of his password and found it in the dumped data. "The password I use for LinkedIn is in that list", he explains. "I use that password nowhere else. Furthermore, it's long/complex enough that I'm confident nobody else uses the same password."
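Graham's check works because the list was published as plain, unsalted SHA-1 hashes: hash your own password once and look it up. The following Python is an added example, not Graham's code or anything from LinkedIn; the user names, passwords and the "dump" in it are constructed stand-ins for the real list. It shows the lookup he describes, and goes one step further to show why an unsalted list is dangerous in bulk: every pair of accounts that shares a password shares a hash, so the same single lookup that lets a user confirm exposure lets anyone confirm it for a whole group of accounts at once. A salted store (modelled here with a per-record random salt; a real deployment would also use a slow hash such as bcrypt) removes that single-lookup property.

```python
import hashlib
import os
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a UTF-8 password, hex-encoded: the form the leaked list was published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Per-record salted SHA-1. Illustration of the salting effect only; use bcrypt/scrypt/argon2 in practice."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


# Constructed sample accounts (hypothetical users, not real LinkedIn data).
# Two of them share a password, which is the normal case in any large user base.
CONSTRUCTED_USERS = {
    "alice": "letmein",
    "bob": "letmein",
    "carol": "hunter2",
}


def build_unsalted_dump(users: dict) -> set:
    """Model of the leaked list: a bare set of hex hashes, no user names, no salts."""
    return {sha1_hex(pw) for pw in users.values()}


def build_salted_dump(users: dict) -> list:
    """Model of a salted store: one (salt, hash) record per account."""
    records = []
    for pw in users.values():
        salt = os.urandom(16)  # fresh random salt per record
        records.append((salt, salted_sha1_hex(pw, salt)))
    return records


def password_in_unsalted_dump(password: str, dump: set) -> bool:
    """Graham's check: one SHA-1 of your own password tests the entire list."""
    return sha1_hex(password) in dump


def password_in_salted_dump(password: str, dump: list) -> bool:
    """With salts there is no single hash to look up; a check costs one hash per record."""
    return any(salted_sha1_hex(password, salt) == h for salt, h in dump)


def shared_password_groups(users: dict) -> dict:
    """Group accounts whose unsalted hashes are identical, i.e. accounts sharing a password.

    This is what an unsalted list gives away for free: one recovered password
    exposes every account in its group, with no extra work per account.
    """
    groups = defaultdict(list)
    for name, pw in users.items():
        groups[sha1_hex(pw)].append(name)
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


UNSALTED_DUMP = build_unsalted_dump(CONSTRUCTED_USERS)
SALTED_DUMP = build_salted_dump(CONSTRUCTED_USERS)

if __name__ == "__main__":
    print("letmein in unsalted dump:", password_in_unsalted_dump("letmein", UNSALTED_DUMP))
    print("letmein in salted dump:  ", password_in_salted_dump("letmein", SALTED_DUMP))
    print("distinct unsalted hashes:", len(UNSALTED_DUMP), "for", len(CONSTRUCTED_USERS), "accounts")
    print("distinct salted hashes:  ", len({h for _, h in SALTED_DUMP}))
    print("accounts sharing a password:", shared_password_groups(CONSTRUCTED_USERS))
```

Run it and the unsalted model collapses three accounts to two hashes, with alice and bob visibly grouped; the salted model yields three distinct hashes and no grouping. That is the difference between a list where one lookup answers a question about millions of accounts and a store where each record has to be attacked separately, and it is why Graham's confidence rested on his password being long and unique rather than on the hashing alone.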
Like Facebook, LinkedIn is a social network, but one geared specifically to business users. There they share quite a bit of information as part of their professional networking efforts. That sets the password theft apart from many others.
"The difference with this hack, as opposed to many others, is that people put their real information about themselves professionally on the site, not just what party they plan on attending, à la Facebook and others", Cameron Camp, ESET security researcher, says. "And every time one of your LinkedIn contacts updates their profile, you get updates from LinkedIn showing what's happening. This has the aggregate effect of garnering a form of peer review on what you post about yourself, knowing that it is exposed potentially to those business or career contacts that have a direct impact on your life".
He emphasizes: "In other words, mess with somebody's professional profile, and you're messing with their life, and their contacts know about it".
Trust is the cornerstone of successful cloud services, and nowhere more so than in those catering to professionals. They are more likely to share information to foster their careers, and LinkedIn provides tools that push out changes rapidly. That's fine, as long as the network is secure.
"The bigger question is what is the aggregate value of this level of business intelligence about an individual, let alone a whole business sector", Camp says. "This is the kind of information that advertisers and bad actors alike drool over. If, for example, you knew your competitors were losing staff at a rapid pace, it might affect a merger/acquisition negotiation, potentially swinging the value of the deal significantly. Also, since LinkedIn can be used as a sort of timeline of a user's real history, there are deep stacks of historic business intelligence that can be garnered".
The point: there will be extreme interest in exploiting these accounts and the connections they reveal.
In researching this post, I was taken aback at the grilling LinkedIn is receiving today, and some of it is quite funny. Apparently, I'm not alone in having, but not really using, the social network.
"The guy who went to LinkedIn and stole 6.5 million passwords should be easy to find since he's the guy who went to LinkedIn", Tom Siedell tweets.
Shawn King: "When changing your LinkedIn password, remember not to use 'LinkedIn_are_a_bunch_of_skeevy_a-holes', it's already been taken".
"Imagine if the LinkedIn password thing was just a ploy by LinkedIn to get everyone to log into the site for the first time in two years?", Gary He tweets.
Matt Goldich: "A Russian hacker knows my LinkedIn password. That makes one of us".
Mikko Hypponen: "LinkedIn seems to be one of those services where I never go to -- except to change my password".