Vicente Silveira, LinkedIn
We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.
We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously.
Carl Leonard, senior security research manager EMEA, Websense
The compromise of a LinkedIn account has three important ramifications. First, the key concern is the bad actors taking advantage of trust. If you are ‘linked’ to a trusted colleague you are more likely to click on a malicious link sent from them, which may open the door to targeted attacks and confidential data theft.
Second, because many LinkedIn accounts are tied to other social media services, such as Facebook or Twitter, posts with malicious links can also be propagated to a larger audience.
And lastly, many of us are creatures of habit and have the same password for multiple accounts. The consequences of a breached password could be extrapolated across email, social media, banking accounts, and mobile phone data.
Orlando Scott-Cowley, Mimecast
While a data leak of this kind would be very worrying for individuals, a security issue with LinkedIn could also be very potentially damaging for businesses. With many users seeing the site as an extension of their business communications, rather than as a personal tool, employers need to be aware about the possible threat to corporate data that a LinkedIn breach could represent.
Now is a great time to educate your users on the benefits of password complexity and good password policies.
David Emm, senior security researcher at Kaspersky Lab
While LinkedIn says that they are notifying anyone with a compromised password that they need to change their password, we would recommend that anyone with a LinkedIn account takes the precaution of changing their password immediately.
Unfortunately, many people use the same password for multiple online accounts. This practice brings with it the risk that a compromise of one account puts all accounts at risk. We would urge everyone to use a unique, complex password for all online accounts, i.e. one that is at least eight characters and mixes letters, numbers and symbols.
John Yeo, Director at Trustwave SpiderLabs EMEA
It is important for all users of the social network to immediately change their password, not just on LinkedIn, but any other social network where the same password has been used. Perhaps more importantly however, users should also change any passwords to their corporate networks where they have used the same password.
Recent research conducted by Trustwave SpiderLabs found that in over 2.5 million passwords (in use within the workplace) that were analysed, variations on the word "password" made up more than 5% of passwords, and the most common password used by global businesses is "Password1" because it satisfies the default Microsoft Active Directory complexity setting. In approximately 15% of physical security tests, written passwords were found on and around workstations.
