Tuesday, May 31, 2016

LinkedIn Warns Members of Data Breach Fallout Four Years After the Fact


Um, what?

Seriously. This is no joke. LinkedIn sent out a note from their legal department and it is as real as the words on this page. You can even read it on the LinkedIn site.


On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach.

Member email addresses, hashed passwords, and LinkedIn member IDs (an internal identifier LinkedIn assigns to each member profile) from 2012.

We invalidated passwords of all LinkedIn accounts created prior to the 2012 breach that had not reset their passwords since that breach. In addition, we are using automated tools to attempt to identify and block any suspicious activity that might occur on LinkedIn accounts. We are also actively engaging with law enforcement authorities.

LinkedIn has taken significant steps to strengthen account security since 2012. For example, we now use salted hashes to store passwords and enable additional account security by offering our members the option to use two-step verification.

We have several dedicated teams working diligently to ensure that the information members entrust to LinkedIn remains secure. While we do all we can, we always suggest that our members visit our Safety Center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible. We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well.
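The notice above says LinkedIn "now use[s] salted hashes to store passwords". The following is an added example, not LinkedIn's code, showing why that matters to anyone triaging a leaked credential table: with unsalted hashes, every account sharing a password shares a hash, so one precomputed table or one cracked hash reaches all of them, while per-account salts break that link. SHA-1 for the unsalted case and PBKDF2-HMAC-SHA256 for the salted case are assumptions (the notice only says "hashed" and "salted hashes"); the sample accounts are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration (not data from any breach).
USERS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "correct horse"}
ROUNDS = 100_000  # PBKDF2 iteration count; tune upward on real hardware


def unsalted_hash(password: str) -> str:
    """Unsalted storage: the same password always yields the same hash,
    so one precomputed table (or one cracked hash) covers every account
    that shares it. SHA-1 is assumed here; the notice only says 'hashed'."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted storage: a fresh random salt per account. The slow KDF
    (PBKDF2-HMAC-SHA256) is an assumption beyond the notice's 'salted hashes'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored)


def duplicate_hash_groups(table: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts whose stored hashes are identical. A responder triaging
    a leaked table uses this to see how far one cracked hash would reach."""
    groups: dict[str, list[str]] = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def build_tables() -> tuple[dict[str, str], dict[str, tuple[bytes, bytes]]]:
    """Store the sample accounts both ways for comparison."""
    unsalted = {user: unsalted_hash(pw) for user, pw in USERS.items()}
    salted = {user: salted_hash(pw) for user, pw in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("shared unsalted hashes:", duplicate_hash_groups(unsalted))  # alice and bob
    salted_hex = {u: d.hex() for u, (_, d) in salted.items()}
    print("shared salted hashes:", duplicate_hash_groups(salted_hex))  # {}
```

The unsalted table also makes the "reset accounts that had not changed their password since 2012" step in the notice concrete: any account whose hash still matches a 2012 value is exposed the moment that value is cracked once.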


This is Hacker 101. Hack website, steal information, sell on the dark web. This would have been a no-brainer in 2012. It's almost laughable that it took LinkedIn this long to figure it out.

The bottom line is, you really need to change your passwords often on the sites you use the most, a minimum of every six months. I know I've changed mine several times over since this breach happened, and most definitely when we were alerted to the Heartbleed bug. You need to take care of your own security.  

Seriously, if I were LinkedIn's brain trust, I'd be firing the ass of its security and legal teams. In 2016, if you have a business where you access a computer or mobile device, you are negligent and should lose your business license if you are putting everyone in your network at risk by keeping a security breach secret and not upgrading your IT.