Wednesday, June 13, 2012

Breach update: eHarmony and Last.fm also hit, also idiots

Following up on my report of LinkedIn's password leak, I thought I should note that eHarmony and Last.fm were also hit. And speaking of the thoughtless security practices of LinkedIn, apparently these guys were worse.

Now, I'm not as mad about them because they don't handle user information nearly as important and sensitive as LinkedIn's. But while LinkedIn at least used SHA-1, eHarmony and Last.fm were still on MD5, whose weaknesses have been public since 1996 (Dobbertin's attacks on its compression function) along with advice to move off it. Apparently they've managed to ignore that advice since the first Clinton administration! To be fair to the algorithm, the collision weaknesses are not what made these dumps crackable: any fast general-purpose hash, MD5 or SHA-1, applied once with no salt lets an attacker test every guess against every account in the dump at once, at billions of guesses per second. Still choosing MD5 in 2012 just tells you nobody had looked at the password storage in fifteen years.

Anyway, another interesting thing about the breach is that the Last.fm database has been floating around the dark parts of the Internet since 2010, so be sure to change your password there too.

Monday, June 11, 2012

Closed my LinkedIn account

In case you haven't seen, last week it became known that LinkedIn had been hacked. Roughly 6.5 million password hashes had been posted publicly, and who knows how many the infiltrators kept to themselves. The passwords were obscured by a hash, but it was a single pass of SHA-1, a fast general-purpose hash rather than a password hash (its theoretical weaknesses have been known since 2005, but the real problem here is its speed), and worse, they didn't use a salt. Without a salt, two users with the same password get the same hash, and one guess tests every account in the dump at once. A leaked password database need not be a disaster if its designers knew what they were doing: a per-user salt and a deliberately slow hash make cracking expensive enough that users have time to change passwords. Instead, with the incredibly weak hashing done by LinkedIn, over half the passwords have been cracked and are known to hackers in their original, unobscured form. So if you haven't yet, change your password at LinkedIn (also, eHarmony may have been hit). Or, if you don't really need it, you can take the approach I did and delete your account.
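To make the point concrete, here is an added example (not code from the original post, and not LinkedIn's or eHarmony's actual code) that simulates both halves of the story: a dictionary attack on an unsalted SHA-1 table of the kind LinkedIn leaked, which also stands for the MD5 case at eHarmony and Last.fm since the attack does not care which fast hash is used, and then the same dictionary against records that use a random per-user salt and a slow KDF. The wordlist, usernames and hashes are constructed for the demo; PBKDF2 from the standard library is used so it runs anywhere, and the iteration count is kept modest so the demo finishes quickly.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed wordlist standing in for the gigabytes of real dictionaries
# crackers ran against the LinkedIn and eHarmony dumps.
WORDLIST: List[str] = ["123456", "linkedin", "password", "qwerty", "letmein", "Tr0ub4dor&3"]


def unsalted_sha1(password: str) -> str:
    """What LinkedIn stored in 2012: one pass of SHA-1, no salt, no iteration.
    Swap in hashlib.md5 and you have the eHarmony/Last.fm scheme; the attack
    below does not care which fast hash is used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the leaked table: made-up users, real-format hashes.
LEAKED_UNSALTED: Dict[str, str] = {
    "alice": unsalted_sha1("password"),
    "bob": unsalted_sha1("linkedin"),
    "carol": unsalted_sha1("password"),  # same password as alice -> identical hash
    "dave": unsalted_sha1("correct horse battery staple"),  # not in WORDLIST
}


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack on an unsalted dump.

    Hash each candidate once, build a reverse table digest -> word, and look every
    leaked hash up in it. The work is one hash per candidate regardless of how
    many accounts are in the dump, which is why millions of unsalted SHA-1
    hashes fell within days.
    """
    reverse = {unsalted_sha1(w): w for w in wordlist}
    return {user: reverse[h] for user, h in leaked.items() if h in reverse}


def password_in_dump(password: str, leaked: Dict[str, str]) -> bool:
    """The 'is my password in the leak?' check: hash your own password the same
    way and see if the digest appears. Only possible because there is no salt."""
    return unsalted_sha1(password) in set(leaked.values())


# Defender side: random per-user salt plus a deliberately slow KDF. PBKDF2 from
# the standard library is used so this runs anywhere; bcrypt, scrypt or Argon2
# are the usual production choices. Iteration count kept modest for the demo.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Same dictionary against salted records. The reverse-table shortcut is gone:
    every (account, guess) pair costs a full KDF run. Weak passwords still fall,
    but the total work is users x words x ITERATIONS instead of just words."""
    found: Dict[str, str] = {}
    for user, record in stored.items():
        for w in wordlist:
            if verify_password(w, record):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    salted_db = {u: hash_password(p) for u, p in
                 [("alice", "password"), ("carol", "password"),
                  ("dave", "correct horse battery staple")]}
    print("salted:  ", crack_salted(salted_db, WORDLIST))
```

Two things to notice when running it: alice and carol share a digest in the unsalted table, so cracking one cracks both for free, while their salted records differ even though the password is the same; and salting does not rescue "password" itself, it only removes the amortization and (with the slow KDF) multiplies the cost of each guess, which is exactly the time users need to rotate credentials after a leak.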

Here's the issue: LinkedIn has proven that they cannot be trusted with sensitive information. First we find out that its Android app has been storing users' passwords in plaintext, a truly bone-headed and reprehensible security practice. This is the security equivalent of failing kindergarten. Then last week we find out that when you enable a certain calendar-integration feature, its mobile app mines your phone's calendar data and sends it back to its servers, again all in plaintext. And now this password database appears on the internet, showing that not only have they been hacked, but their storage of our most security-sensitive information is once again failing at the most basic security practices. And, I note, I haven't received a single email or intra-site message alerting me to the event. Looks like they're not notifying their users at all? I guess they're now showing that they can't even respond in a responsible manner that shows any care for their customers' data.

So my advice: if you find LinkedIn provides you with real professional advantages, proceed with caution. But if you're not really getting enough out of it to justify putting up with these idiots, consider following me to the exit.