6 June 2012 was one of the worst days LinkedIn, the world’s largest professional network, could have expected. First came the revelation that LinkedIn sends confidential details of users who access the network via Apple devices such as the iPhone and tablet to its servers. That news was followed by an even more damaging one: LinkedIn user accounts had been compromised, and around 6.5 million hashed and encrypted passwords were leaked.
Adi Sharabani and Yair Amit first discovered that LinkedIn’s iOS apps collect details from the user’s iOS calendar and transmit them to LinkedIn’s servers. The Skycure Security blog added that the confidential details LinkedIn transfers to its servers are not required for the app to function. Users were hardly pleased to hear this, but LinkedIn was quick to issue a statement on the reports circulating in the media.
“You may have seen a few press stories highlighting concerns about how your data is used in the opt-in calendar feature of our mobile phone apps. We deeply care about our members’ trust, so I want to provide clarity around what we do, don’t do, and outline ways we are going to make a great feature even better,” wrote Joff Redfern, Mobile Product Head at LinkedIn, in a blog post published to clear away the newly raised dust of mistrust.
While the LinkedIn team was handling this news, it suffered another setback the same day. Norwegian IT website Dagens IT reported that 6.5 million encrypted passwords had been posted to a Russian hacker site. The news spread widely, though some respite came from the Finnish security firm CERT-FI, which stated that user details had not been posted, even though attackers were believed to have had access to user data as well as passwords, as reported by The Next Web. Although this was a mere 10% of LinkedIn’s 150 million users, the damage to the world’s largest professional network had already been done.
LinkedIn, dealing with one issue after another on the same day, initially tweeted only that it was aware of the situation and looking into it.
Our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred. Stay tuned here.
— LinkedIn News (@LinkedInNews) June 6, 2012
On 7 June 2012, LinkedIn gave a fuller acknowledgement of the issue and listed the steps taken to protect its users. Vicente Silveira, a Director at LinkedIn, blogged on the 7th that the news of 6.5 million users’ credentials being compromised was not completely true. He added that the loss was not that severe, but that unfortunately a small subset of the hashed passwords had been decoded. He further stated that, to the best of their knowledge, no email logins associated with the passwords had been published, nor had they received any reports of unauthorized access to any member’s account.
The blog post also mentioned that LinkedIn is working with law enforcement to find the culprits, and according to news reports LinkedIn has enlisted the FBI’s help in the matter. In addition, LinkedIn has invalidated the affected members’ passwords and contacted them individually; I was one of them. At the same time, LinkedIn is asking its users to change their passwords and cautioning them not to reuse the same password on multiple sites. The LinkedIn website has also added a notice at the top requesting users to change their passwords and advising them to be more security-conscious.
Had LinkedIn done enough, or was it too late, as a post at Gigaom argued? I don’t think LinkedIn was slow in addressing the issue. You can’t expect a company to resolve an issue then and there when it is hit by two of them on the same day. LinkedIn has also made sure it locked the passwords of the affected accounts, got in touch with those users, and added extra protection for its passwords.
LinkedIn won’t be the last online portal beset by security issues, but the way it handled the entire episode was quick and commendable. However, I am a bit surprised that Jeff Weiner didn’t address the issue and its resolution himself, along with the number of passwords that were compromised.
Do you think LinkedIn has done enough to save its reputation, or was it too late?