Monday, June 11, 2012
In case you haven't seen, last week it became known that LinkedIn had been hacked. About 6.5 million password hashes were posted publicly (the 8 million figure in early reports lumps in eHarmony's leak from the same week), and who knows how many the infiltrators kept to themselves. The passwords were stored as hashes, but as plain, unsalted SHA-1. SHA-1 is fast by design, so an attacker can test billions of guesses per second against the dump, and with no salt a single guess can be checked against every hash at once and precomputed tables can be reused from one breach to the next. A leaked password database is a contained problem when its designers used a salted, deliberately slow hash. Instead, with the incredibly weak hashing done by LinkedIn, over half the passwords have been cracked and are known to hackers in their original, unobscured form. So if you haven't yet, change your password at LinkedIn, and anywhere else you reused it, since cracked passwords get tried against other sites (also, eHarmony may have been hit). Or, if you don't really need it, you can take the approach I did and delete your account.
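To make the unsalted-hash point concrete, here is an added Python example (not part of the original post, and nothing to do with LinkedIn's actual code) that runs the same dictionary attack against an unsalted SHA-1 dump and against a salted, iterated PBKDF2 store. The "leaked" hashes, the user table and the wordlist are constructed for the example; the iteration count is kept small so it runs quickly.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example: a handful of common passwords, hashed the way
# LinkedIn stored them (plain SHA-1, no salt). These are not real leaked hashes.
SAMPLE_PASSWORDS = ["password", "linkedin", "123456", "password", "correcthorse"]
LEAKED_HASHES = [hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PASSWORDS]

# A tiny attacker wordlist (also constructed). Real attacks use hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "linkedin", "qwerty"]

# Work factor for the salted scheme. Kept small so the demo runs in well under a second;
# production settings should be far higher (hundreds of thousands for PBKDF2-HMAC-SHA256).
ITERATIONS = 20_000

# Constructed user table for the salted side of the comparison.
SAMPLE_USERS = {"alice": "password", "bob": "password", "carol": "correcthorse"}


def crack_unsalted(leaked, wordlist):
    """Dictionary attack on unsalted SHA-1.

    Each wordlist entry is hashed exactly once; the resulting table is then looked up
    against every leaked hash. Cost is len(wordlist) hashes no matter how many users
    leaked, which is why unsalted dumps fall so fast. Returns (hash -> password, work).
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {h: table[h] for h in leaked if h in table}
    return cracked, len(wordlist)


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Store a password as salt$iterations$PBKDF2-HMAC-SHA256(password, salt)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute the derived key with the stored salt and compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_salted_records(users):
    """username -> salted record, each with its own random salt."""
    return {user: hash_salted(pw) for user, pw in users.items()}


def crack_salted(records, wordlist):
    """The same dictionary attack against salted, iterated hashes.

    No shared table is possible: the salt differs per record, so every record needs its own
    pass over the wordlist, and each guess costs `iterations` HMAC evaluations instead of
    one SHA-1. Returns (user -> password, number of PBKDF2 evaluations performed).
    """
    cracked, work = {}, 0
    for user, stored in records.items():
        for guess in wordlist:
            work += 1
            if verify_salted(guess, stored):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    cracked, work = crack_unsalted(LEAKED_HASHES, WORDLIST)
    print(f"unsalted: {len(cracked)} of {len(set(LEAKED_HASHES))} distinct hashes cracked "
          f"with {work} SHA-1 calls")
    print("identical passwords give identical unsalted hashes:", LEAKED_HASHES[0] == LEAKED_HASHES[3])
    records = make_salted_records(SAMPLE_USERS)
    print("identical passwords give different salted records:", records["alice"] != records["bob"])
    cracked, work = crack_salted(records, WORDLIST)
    print(f"salted: {cracked} after {work} PBKDF2 calls of {ITERATIONS} iterations each")
```

The unsalted attack costs five SHA-1 calls for the whole dump, and the two users who chose "password" are exposed together because their hashes are identical. Against the salted store the attacker must run the wordlist separately per user, at ITERATIONS HMAC evaluations per guess, and the duplicate password is no longer visible in the stored records. The salt buys the per-user cost multiplier; the iteration count buys the per-guess one.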
Here's the issue: LinkedIn has proven that they cannot be trusted with sensitive information. First we find out that its Android app has been storing users' passwords in plaintext, a truly bone-headed and reprehensible security practice. This is the security equivalent of failing kindergarten. Then last week we find out that when you enable a certain calendar-integration feature, its mobile app mines your phone's calendar data and sends it back to its servers, again in plaintext. And now this password database appears on the internet, showing not only that they have been hacked, but that their storage of our most security-sensitive information once again fails the most basic security practices. And, I note, I haven't received a single email or intra-site message alerting me to the event. Looks like they're not notifying their users at all? I guess they're now showing that they can't even respond in a responsible manner that shows any care for their customers' data.
So my advice: if you find LinkedIn provides you with real professional advantages, proceed with caution. But if you're not really getting enough out of it to justify putting up with these idiots, consider following me to the exit.
Posted at 1:29 AM